Merge pull request #1007 from cappyzawa/remove-servername-pinning

runtime/secrets: remove ServerName pinning from TLS config

.github/CODEOWNERS

@@ -1,3 +1,14 @@
-git/* @stefanprodan
-ssh/* @hiddeco
-testserver/* @hiddeco
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence.
+*                   @fluxcd/core-maintainers
+
+# The following have a bit more specific owners and require e.g.
+# specific domain expertise.
+/actions/           @stefanprodan
+/apis/              @hiddeco @stefanprodan
+/ssa/               @stefanprodan
+/runtime/           @hiddeco @stefanprodan
+/sourceignore/      @hiddeco
+/kustomize/         @stefanprodan
+/git/               @aryan9600 @hiddeco
+/oci/               @stefanprodan

.github/dependabot.yaml

@@ -0,0 +1,16 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # Grouped updates are currently in beta and is subject to change.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      # By default, this will be on a monday.
+      interval: "weekly"

.github/labels.yaml

@@ -0,0 +1,30 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/actions
+  description: GitHub Actions related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git and SSH related issues and pull requests
+  color: '#863faf'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/http
+  description: HTTP transport related issues and pull requests
+  color: '#006b75'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/kustomize
+  description: Kustomize related issues and pull requests
+  color: '#00e54d'
+- name: area/runtime
+  description: Controller runtime related issues and pull requests
+  color: '#00e54d'
+- name: area/server-side-apply
+  description: SSA related issues and pull requests
+  color: '#2819CB'
+- name: area/testserver
+  description: Test server related issues and pull requests
+  color: '#006b75'

.github/workflows/actions.yaml

@@ -0,0 +1,40 @@
+name: actions
+
+on:
+  pull_request:
+  push:
+    paths:
+      - 'actions/**'
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  actions:
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.version }}
+    name: actions on ${{ matrix.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup yq
+        uses: ./actions/yq
+      - name: Setup kubeconform
+        uses: ./actions/kubeconform
+      - name: Setup envtest
+        uses: ./actions/envtest
+        with:
+          version: c7e1dc9b5302d649d5531e19168dd7ea0013736d # remove this when https://github.com/kubernetes-sigs/controller-runtime/issues/2720 is fixed
+      - name: Setup helm
+        uses: ./actions/helm
+      - name: Setup kubectl
+        uses: ./actions/kubectl
+      - name: Setup kustomize
+        uses: ./actions/kustomize
+      - name: Setup sops
+        uses: ./actions/sops

.github/workflows/build.yaml

@@ -6,33 +6,30 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.15.x
+          go-version: 1.24.x
+          # https://github.com/actions/setup-go/blob/main/docs/adrs/0000-caching-dependencies.md#example-of-real-use-cases
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Run tests
-        run: make all
+        env:
+          SKIP_COSIGN_VERIFICATION: true
+        run: make test
       - name: Check if working tree is dirty
         run: |
           if [[ $(git diff --stat) != '' ]]; then
-            echo 'run make test and commit changes'
+            git --no-pager diff
+            echo 'run make all and commit changes'
             exit 1
           fi
-      - uses: ./actions/helm
-      - uses: ./actions/kubebuilder
-      - uses: ./actions/kubectl
-      - uses: ./actions/kustomize
-      - run: kubebuilder version

.github/workflows/cifuzz.yaml

@@ -0,0 +1,25 @@
+name: fuzz
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  smoketest:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Setup Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version: 1.24.x
+        # https://github.com/actions/setup-go/blob/main/docs/adrs/0000-caching-dependencies.md#example-of-real-use-cases
+        cache-dependency-path: |
+          **/go.sum
+          **/go.mod
+    - name: Smoke test Fuzzers
+      run: make fuzz-smoketest

.github/workflows/e2e.yaml

@@ -0,0 +1,89 @@
+name: e2e
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  git-test:
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        provider:
+          - gitkit
+          - gitlab-ce
+          - gitlab
+          - github
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      # Since this is a monorepo, changes in other packages will also trigger these e2e tests
+      # meant only for the git package. This detects us whether the changed files are part of the
+      # git directory. Subsequent steps check if this is true, before executing, thus helping us
+      # run these tests only when there are changes to the git package.
+      - name: Check for changes to git/ or e2e workflow
+        uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            e2e:
+              - '.github/workflows/e2e.yaml'
+            git:
+              - 'git/**'
+      - name: Setup Go
+        if: ${{ steps.filter.outputs.git == 'true' || steps.filter.outputs.e2e == 'true' || github.event_name == 'workflow_dispatch' }}
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          # https://github.com/actions/setup-go/blob/main/docs/adrs/0000-caching-dependencies.md#example-of-real-use-cases
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Run tests
+        if: ${{ steps.filter.outputs.git == 'true' || steps.filter.outputs.e2e == 'true' || github.event_name == 'workflow_dispatch' }}
+        run: |
+          run_e2e=true
+
+          # don't run e2e tests for PRs from forked repos for Github, GitLab and Bitbucket Server
+          if [[ ${{ github.event_name }} != "pull_request" ]] || \
+            [[ "${{ github.event.pull_request.head.repo.full_name }}" = ${{ github.repository }} ]]; then
+            if [[ ${{ matrix.provider }} = "github" ]]; then
+              export GO_TEST_PREFIX="TestGitHubE2E"
+              export GITHUB_USER="fluxcd-gitprovider-bot"
+              export GITHUB_ORG="fluxcd-testing"
+              export GITHUB_TOKEN="${{ secrets.GITPROVIDER_BOT_TOKEN }}"
+              export GHAPP_ID="${{ secrets.GHAPP_ID }}"
+              export GHAPP_INSTALL_ID="${{ secrets.GHAPP_INSTALL_ID }}"
+              export GHAPP_PRIVATE_KEY="${{ secrets.GHAPP_PRIVATE_KEY }}"
+            elif [[ ${{ matrix.provider }} = "gitlab" ]]; then
+              export GO_TEST_PREFIX="TestGitLabE2E"
+              export GITLAB_USER="fluxcd-gitprovider-bot"
+              export GITLAB_GROUP="fluxcd-testing"
+              export GITLAB_PAT="${{ secrets.GITLAB_BOT_TOKEN }}"
+            fi
+          else
+              run_e2e=false
+          fi
+
+          if [[ ${{ matrix.provider }} = "gitkit" ]]; then
+            export GO_TEST_PREFIX="TestGitKitE2E"
+            run_e2e=true
+          elif [[ ${{ matrix.provider }} = "gitlab-ce" ]]; then
+            export GO_TEST_PREFIX="TestGitLabCEE2E"
+            run_e2e=true
+          fi
+
+          if [ $run_e2e = true ]; then
+            cd git/internal/e2e && GO_TEST_PREFIX="${GO_TEST_PREFIX}" ./run.sh
+          else
+            echo "skipping tests for ${{ matrix.provider }}"
+          fi

.github/workflows/integration-aws.yaml

@@ -0,0 +1,69 @@
+name: integration-aws
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * *"
+  # push:
+  #   branches:
+  #     - main
+
+permissions:
+  contents: read
+  id-token: write # Required for obtaining AWS OIDC federated credential.
+
+jobs:
+  oci-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        auth-mode:
+        - node-identity
+        - workload-identity
+      fail-fast: false
+    defaults:
+      run:
+        working-directory: ./oci/tests/integration
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: oci/tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.OCI_E2E_AWS_ASSUME_ROLE_NAME }}
+          role-session-name: OCI_GH_Actions
+          aws-region: us-east-1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_rand=${RANDOM}
+          export TF_VAR_tags='{"environment"="github", "ci"="true", "repo"="pkg", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)"}'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Build test app
+        run: make docker-build
+      - name: Run tests
+        run: . .env && make test-aws
+        env:
+          AWS_REGION: us-east-1
+          TF_VAR_cross_region: us-east-2
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity' && 'true') || 'false' }}
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        run: . .env && make destroy-aws
+        env:
+          AWS_REGION: us-east-1
+          TF_VAR_cross_region: us-east-2
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity' && 'true') || 'false' }}

.github/workflows/integration-azure.yaml

@@ -0,0 +1,91 @@
+name: integration-azure
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * *"
+  # push:
+  #   branches:
+  #     - main
+
+permissions:
+  contents: read
+
+jobs:
+  oci-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        auth-mode:
+        - node-identity
+        - workload-identity
+      fail-fast: false
+    defaults:
+      run:
+        working-directory: ./oci/tests/integration
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: oci/tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - name: Authenticate to Azure
+        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
+        with:
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_tags='{"environment"="github", "ci"="true", "repo"="pkg", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)"}'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Build test app
+        run: make docker-build
+      - name: Prepare Git SSH secrets
+        run: |
+          mkdir -p azure
+          cat <<EOF > azure/identity
+          $GIT_SSH_IDENTITY
+          EOF
+          cat <<EOF > azure/identity.pub
+          $GIT_SSH_IDENTITY_PUB
+          EOF
+          cat <<EOF > azure/known_hosts
+          $GIT_SSH_KNOWN_HOSTS
+          EOF
+        env:
+          GIT_SSH_IDENTITY: ${{ secrets.GIT_SSH_IDENTITY }}
+          GIT_SSH_IDENTITY_PUB: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
+          GIT_SSH_KNOWN_HOSTS: ${{ secrets.GIT_SSH_KNOWN_HOSTS }}
+      - name: Run tests
+        run: . .env && make test-azure
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity') && 'true' || 'false' }}
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        run: . .env && make destroy-azure
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity') && 'true' || 'false' }}

.github/workflows/integration-cleanup.yaml

@@ -0,0 +1,107 @@
+name: integration-cleanup
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+permissions:
+  id-token: write # Required for obtaining AWS OIDC federated credential.
+
+env:
+  GCRGC_VERSION: 0.4.8
+
+jobs:
+  gcp:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./tools/reaper
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: fluxcd/test-infra
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: ./tools/reaper/go.sum
+      - name: Setup bin dir
+        run: mkdir -p ~/.local/bin
+      - name: Populate local env
+        # This is needed to be able to use the global env as local env in cache
+        # key.
+        run: echo "GCRGC_VERSION=${GCRGC_VERSION}" >> $GITHUB_ENV
+      - name: Cache gcrgc
+        id: cache-gcrgc
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: ~/.local/bin/gcrgc
+          key: gcrgc-${{ env.GCRGC_VERSION }}
+      - name: Install gcrgc
+        if: steps.cache-gcrgc.outputs.cache-hit != 'true'
+        run: |
+          cd $(mktemp -d)
+          wget https://github.com/graillus/gcrgc/releases/download/v${GCRGC_VERSION}/gcrgc_${GCRGC_VERSION}_linux_amd64.tar.gz -O - | tar xz
+          mv gcrgc ~/.local/bin/
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+        with:
+          credentials_json: '${{ secrets.CLEANUP_E2E_GOOGLE_CREDENTIALS }}'
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      - name: Run gcrgc
+        # Cleanup all the GCR repositories in the project. They are not tracked
+        # by terraform used to provision test infra and are left behind.
+        run: gcrgc gcr.io/${{ vars.TF_VAR_gcp_project_id }} --retention-period 1h
+      - name: Run reaper
+        run: go run ./ -provider gcp -gcpproject ${{ vars.TF_VAR_gcp_project_id }} -retention-period 1h -tags 'ci=true' -delete
+
+  azure:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./tools/reaper
+    if: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: fluxcd/test-infra
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: ./tools/reaper/go.sum
+      - name: Authenticate to Azure
+        uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v1.4.6
+        with:
+          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
+      - name: Run reaper
+        run: go run ./ -provider azure -retention-period 1h -tags 'ci=true' -delete
+
+  aws:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./tools/reaper
+    if: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: fluxcd/test-infra
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: ./tools/reaper/go.sum
+      - name: Authenticate to AWS
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.CLEANUP_E2E_AWS_ASSUME_ROLE_NAME }}
+          role-session-name: cleanup_GH_Actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Run reaper
+        run: go run ./ -provider aws-nuke -awsregions '${{ vars.AWS_REGION }},${{ vars.OCI_E2E_TF_VAR_cross_region }}' -retention-period 1h -tags 'ci=true' -delete

.github/workflows/integration-gcp.yaml

@@ -0,0 +1,83 @@
+name: integration-gcp
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 12 * * *"
+  # push:
+  #   branches:
+  #     - main
+
+permissions:
+  contents: read
+
+jobs:
+  oci-test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        auth-mode:
+        - node-identity
+        - workload-identity
+      fail-fast: false
+    defaults:
+      run:
+        working-directory: ./oci/tests/integration
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: oci/tests/integration/go.sum
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+        id: 'auth'
+        with:
+          credentials_json: '${{ secrets.OCI_E2E_GOOGLE_CREDENTIALS }}'
+          token_format: 'access_token'
+      - name: Setup gcloud
+        uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+      - name: Log into gcr.io
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      - name: Log into us-central1-docker.pkg.dev
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: us-central1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+      - name: Set dynamic variables in .env
+        run: |
+          cat > .env <<EOF
+          export TF_VAR_tags='{"environment"="github", "ci"="true", "repo"="pkg", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)"}'
+          EOF
+      - name: Print .env for dynamic tag value reference
+        run: cat .env
+      - name: Build test app
+        run: make docker-build
+      - name: Run tests
+        run: . .env && make test-gcp
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity' && 'true') || 'false' }}
+      - name: Ensure resource cleanup
+        if: ${{ always() }}
+        run: . .env && make destroy-gcp
+        env:
+          TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }}
+          TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }}
+          TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }}
+          TF_VAR_enable_wi: ${{ (matrix.auth-mode == 'workload-identity' && 'true') || 'false' }}

.github/workflows/ossf.yaml

@@ -0,0 +1,55 @@
+name: ossf
+
+on:
+  workflow_dispatch:
+  branch_protection_rule:
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ main ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+        with:
+          sarif_file: results.sarif

.github/workflows/preview-release.yaml

@@ -0,0 +1,24 @@
+name: preview-release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  preview-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - run: git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - run: git config --global user.name "github-actions[bot]"
+      - run: make tools
+      - run: ./bin/flux-tools pkg prep --yes
+      - run: git add .
+      - run: git commit -m "Release preview" || true
+      - run: ./bin/flux-tools pkg release --preview

.github/workflows/scan.yaml

@@ -0,0 +1,40 @@
+name: scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+permissions:
+  security-events: write
+  actions: read
+  contents: read
+
+jobs:
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+        with:
+          languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8

.github/workflows/sync-labels.yaml

@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true

.gitignore

@@ -13,3 +13,7 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+build/
+bin/
+testbin/

Makefile

@@ -1,21 +1,64 @@
 VER?=0.0.1
 MODULES=$(shell find . -mindepth 2 -maxdepth 4 -type f -name 'go.mod' | cut -c 3- | sed 's|/[^/]*$$||' | sort -u | tr / :)
-targets=$(addprefix test-, $(MODULES))
+root_dir=$(shell git rev-parse --show-toplevel)
 
-all:
-	$(MAKE) $(targets)
+# Use $GOBIN from the environment if set, otherwise use ./bin
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(root_dir)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+PKG?=$*
+GO_TEST_ARGS ?= -race
+
+# API generation utilities
+CONTROLLER_GEN_VERSION ?= v0.16.1
+
+# Architecture to use envtest with
+ENVTEST_ARCH ?= amd64
+
+# Kubernetes versions to use envtest with
+ENVTEST_KUBERNETES_VERSION?=1.31
+
+all: tidy generate fmt vet
+
+tidy:
+	$(MAKE) $(addprefix tidy-, $(MODULES))
 
 tidy-%:
-	cd $(subst :,/,$*); go mod tidy
+	cd $(subst :,/,$*); go mod tidy -compat=1.24
+
+fmt:
+	$(MAKE) $(addprefix fmt-, $(MODULES))
 
 fmt-%:
 	cd $(subst :,/,$*); go fmt ./...
 
-vet-%:
-	cd $(subst :,/,$*); go vet ./...
+vet:
+	$(MAKE) $(addprefix vet-, $(MODULES))
 
-test-%: tidy-% fmt-% vet-%
-	cd $(subst :,/,$*); go test ./... -coverprofile cover.out
+vet-%:
+	cd $(subst :,/,$*); go vet ./... ;\
+
+
+# Run generate for all modules
+generate:
+	$(MAKE) $(addprefix generate-, $(MODULES))
+
+# Generate manifests e.g. CRD, RBAC etc.
+generate-%: controller-gen
+	cd $(subst :,/,$*); CGO_ENABLED=0 $(CONTROLLER_GEN) schemapatch:manifests="./" paths="./..." ;\
+	CGO_ENABLED=0 $(CONTROLLER_GEN) object:headerFile="$(root_dir)/hack/boilerplate.go.txt" paths="./..." ;\
+
+# Run tests for all modules
+test:
+	$(MAKE) $(addprefix test-, $(MODULES))
+
+# Run tests
+KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
+test-%: tidy-% generate-% fmt-% vet-% install-envtest
+	cd $(subst :,/,$*); KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... $(GO_TEST_ARGS) -coverprofile cover.out ;\
 
 release-%:
 	$(eval REL_PATH=$(subst :,/,$*))
@@ -24,3 +67,74 @@ release-%:
 	git pull
 	git tag "$(REL_PATH)/v$(VER)"
 	git push origin "$(REL_PATH)/v$(VER)"
+
+# Find or download controller-gen
+CONTROLLER_GEN = $(GOBIN)/controller-gen
+.PHONY: controller-gen
+controller-gen: ## Download controller-gen locally if necessary.
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
+
+ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+install-envtest: setup-envtest
+	mkdir -p ${ENVTEST_ASSETS_DIR}
+	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
+
+ENVTEST = $(GOBIN)/setup-envtest
+.PHONY: envtest
+setup-envtest: ## Download envtest-setup locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
+
+# Build fuzzers used by oss-fuzz.
+fuzz-build:
+	rm -rf $(shell pwd)/build/fuzz/
+	mkdir -p $(shell pwd)/build/fuzz/out/
+
+	docker build . --pull --tag local-fuzzing:latest -f tests/fuzz/Dockerfile.builder
+	docker run --rm \
+		-e FUZZING_LANGUAGE=go -e SANITIZER=address \
+		-e CIFUZZ_DEBUG='True' -e OSS_FUZZ_PROJECT_NAME=fluxcd \
+		-v "$(shell go env GOMODCACHE):/root/go/pkg/mod" \
+		-v "$(shell pwd)/build/fuzz/out":/out \
+		local-fuzzing:latest
+
+# Run each fuzzer once to ensure they will work when executed by oss-fuzz.
+fuzz-smoketest: fuzz-build
+	docker run --rm \
+		-v "$(shell pwd)/build/fuzz/out":/out \
+		-v "$(shell pwd)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
+		-e ENVTEST_BIN_VERSION=$(ENVTEST_KUBERNETES_VERSION) \
+		local-fuzzing:latest \
+		bash -c "/runner.sh"
+
+# Prepare release for Go modules.
+.PHONY: prep
+prep: tools
+	@./bin/flux-tools pkg prep
+
+# Release Go modules.
+.PHONY: release
+release: tools
+	@./bin/flux-tools pkg release
+
+# Run vet for tools.
+.PHONY: tools
+tools:
+	@cd cmd; \
+	go mod tidy; \
+	go fmt ./internal/... ./cli/...; \
+	go vet ./internal/... ./cli/...; \
+	go build -o ../bin/flux-tools ./cli

README.md

@@ -3,4 +3,63 @@
 [![godev](https://img.shields.io/static/v1?label=godev&message=reference&color=00add8)](https://pkg.go.dev/github.com/fluxcd/pkg)
 [![build](https://github.com/fluxcd/pkg/workflows/build/badge.svg)](https://github.com/fluxcd/pkg/actions)
 
-GitOps Toolkit common packages.
+## GitOps Toolkit Go SDK
+
+### APIs
+- **[github.com/fluxcd/pkg/apis/acl](./apis/acl)** - API types for defining access control lists
+- **[github.com/fluxcd/pkg/apis/event](./apis/event)** - API Schema definitions for Flux eventing  
+- **[github.com/fluxcd/pkg/apis/kustomize](./apis/kustomize)** - API types for Kustomize resources
+- **[github.com/fluxcd/pkg/apis/meta](./apis/meta)** - Generic metadata APIs for Kubernetes resources
+
+### Authentication & Security
+- **[github.com/fluxcd/pkg/auth](./auth)** - OIDC-based authentication with cloud providers (AWS, Azure, GCP)
+- **[github.com/fluxcd/pkg/masktoken](./masktoken)** - Token redaction utilities for secure logging
+- **[github.com/fluxcd/pkg/ssh](./ssh)** - SSH host key scanning and management
+
+### Controller Runtime
+- **[github.com/fluxcd/pkg/runtime](./runtime)** - Controller Runtime SDK
+    - **[runtime/acl](./runtime/acl)** - Cross-namespace access control utilities
+    - **[runtime/cel](./runtime/cel)** - Common Expression Language (CEL) evaluation utilities
+    - **[runtime/client](./runtime/client)** - Kubernetes client runtime configuration options
+    - **[runtime/conditions](./runtime/conditions)** - Status conditions manipulation utilities
+    - **[runtime/controller](./runtime/controller)** - Controller embeddable structs for GitOps Toolkit conventions
+    - **[runtime/dependency](./runtime/dependency)** - Dependency sorting for Kubernetes resources
+    - **[runtime/errors](./runtime/errors)** - Generic controller and reconciler runtime errors
+    - **[runtime/events](./runtime/events)** - Kubernetes Events recording on external HTTP endpoints
+    - **[runtime/features](./runtime/features)** - Feature gate management
+    - **[runtime/jitter](./runtime/jitter)** - Jitter utilities for reconciliation intervals
+    - **[runtime/leaderelection](./runtime/leaderelection)** - Leader election runtime configuration
+    - **[runtime/logger](./runtime/logger)** - Logging runtime configuration options
+    - **[runtime/metrics](./runtime/metrics)** - Standard metrics recording for GitOps Toolkit components
+    - **[runtime/object](./runtime/object)** - Helpers for interacting with GitOps Toolkit objects
+    - **[runtime/patch](./runtime/patch)** - Patch utilities for conflict-free object patching
+    - **[runtime/pprof](./runtime/pprof)** - pprof endpoints registration helper
+    - **[runtime/predicates](./runtime/predicates)** - Controller-runtime predicates for event filtering
+    - **[runtime/probes](./runtime/probes)** - Health and readiness probes configuration
+    - **[runtime/reconcile](./runtime/reconcile)** - Reconciliation helpers and result finalization
+    - **[runtime/secrets](./runtime/secrets)** - Kubernetes secrets handling utilities (TLS, auth, tokens)
+    - **[runtime/statusreaders](./runtime/statusreaders)** - Status readers for Kubernetes resources
+    - **[runtime/testenv](./runtime/testenv)** - Setup helpers for local Kubernetes test environment
+    - **[runtime/transform](./runtime/transform)** - Type transformation utilities
+- **[github.com/fluxcd/pkg/ssa](./ssa)** - Kubernetes resources management using server-side apply
+
+### Source Management
+- **[github.com/fluxcd/pkg/git](./git)** - Git repository operations, commit verification, and reference handling
+- **[github.com/fluxcd/pkg/sourceignore](./sourceignore)** - Gitignore-like functionality for source filtering
+
+### Package Management
+- **[github.com/fluxcd/pkg/chartutil](./chartutil)** - Helm chart values management from Kubernetes resources
+- **[github.com/fluxcd/pkg/kustomize](./kustomize)** - Generic helpers for Kustomize operations
+- **[github.com/fluxcd/pkg/oci](./oci)** - OCI registry operations (push, pull, tag artifacts)
+
+### Utilities
+- **[github.com/fluxcd/pkg/cache](./cache)** - Generic cache implementations (expiring and LRU)
+- **[github.com/fluxcd/pkg/envsubst](./envsubst)** - Variable expansion in strings using `${var}` syntax
+- **[github.com/fluxcd/pkg/lockedfile](./lockedfile)** - Atomic file operations with locking
+- **[github.com/fluxcd/pkg/tar](./tar)** - Secure tarball extraction utilities
+- **[github.com/fluxcd/pkg/version](./version)** - Semantic version parsing and sorting
+
+### HTTP & Transport
+- **[github.com/fluxcd/pkg/http/fetch](./http/fetch)** - Archive fetcher for HTTP resources
+- **[github.com/fluxcd/pkg/http/transport](./http/transport)** - HTTP transport utilities
+

actions/crdjsonschema/Dockerfile

@@ -0,0 +1,18 @@
+FROM python:3-alpine
+
+RUN pip install --no-cache-dir pyaml
+
+ARG KUBERNETES_SPLIT_YAML_VERSION=0.4.0
+RUN wget -q -O - \
+    https://github.com/mogensen/kubernetes-split-yaml/releases/download/v${KUBERNETES_SPLIT_YAML_VERSION}/kubernetes-split-yaml_${KUBERNETES_SPLIT_YAML_VERSION}_linux_amd64.tar.gz | \
+    tar xz kubernetes-split-yaml -C /usr/bin/ && \
+    chmod +x /usr/bin/kubernetes-split-yaml && \
+    kubernetes-split-yaml -h
+
+COPY openapi2jsonschema.py /usr/bin/openapi2jsonschema
+RUN chmod +x /usr/bin/openapi2jsonschema
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

actions/crdjsonschema/action.yml

@@ -0,0 +1,19 @@
+name: crdjsonschema
+description: Generate OpenAPI JSON schemas from Custom Resource Definitions
+author: Flux project
+branding:
+  icon: 'command'
+  color: 'blue'
+inputs:
+  crd:
+    description: 'Local path or URL of the CRD YAML file'
+    required: true
+  output:
+    description: 'Path to a local dir where to write the JSON file'
+    required: true
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.crd }}
+    - ${{ inputs.output }}

actions/crdjsonschema/entrypoint.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+
+set -e
+
+[ -z "$1" ] && echo "No CRD file specified" && exit 1
+[ -z "$2" ] && echo "No output directory specified" && exit 1
+
+CRD_PATH=${1}
+if [ ! -f "$CRD_PATH" ]; then
+  echo "CRD file not found at ${CRD_PATH}"
+  exit 1
+fi
+
+OUTPUT_DIR=${2}
+mkdir -p "$OUTPUT_DIR"
+
+WORK_DIR=$(mktemp -dt crd-json-schemas-XXXXXX)
+trap 'rm -rf $WORK_DIR' EXIT
+
+SPLIT_DIR="$WORK_DIR/split"
+mkdir -p "$SPLIT_DIR"
+
+kubernetes-split-yaml --outdir "$SPLIT_DIR" "$CRD_PATH"
+
+( cd "$WORK_DIR"
+  openapi2jsonschema "$SPLIT_DIR"/*
+)
+
+mv "$WORK_DIR"/*.json "$OUTPUT_DIR"
+echo "OpenAPI JSON schemas saved to ${OUTPUT_DIR}"

actions/crdjsonschema/openapi2jsonschema.py

@@ -0,0 +1,192 @@
+#!/usr/bin/env python
+
+# Copyright 2021 The Flux authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script generates OpenAPI v3 JSON schema from Kubernetes CRD YAML
+# Derived from https://github.com/yannh/kubeconform
+# Derived from https://github.com/instrumenta/openapi2jsonschema
+
+import yaml
+import json
+import sys
+import os
+import urllib.request
+from dataclasses import dataclass
+from typing import Any
+
+
+@dataclass
+class Schema:
+    kind: str
+    group: str
+    version: str
+    definition: dict[Any, Any]
+
+def additional_properties(data):
+    "This recreates the behaviour of kubectl at https://github.com/kubernetes/kubernetes/blob/225b9119d6a8f03fcbe3cc3d590c261965d928d0/pkg/kubectl/validation/schema.go#L312"
+    new = {}
+    try:
+        for k, v in data.items():
+            new_v = v
+            if isinstance(v, dict):
+                if "properties" in v:
+                    if "additionalProperties" not in v:
+                        v["additionalProperties"] = False
+                new_v = additional_properties(v)
+            else:
+                new_v = v
+            new[k] = new_v
+        return new
+    except AttributeError:
+        return data
+
+
+def replace_int_or_string(data):
+    new = {}
+    try:
+        for k, v in data.items():
+            new_v = v
+            if isinstance(v, dict):
+                if "format" in v and v["format"] == "int-or-string":
+                    new_v = {"oneOf": [{"type": "string"}, {"type": "integer"}]}
+                else:
+                    new_v = replace_int_or_string(v)
+            elif isinstance(v, list):
+                new_v = list()
+                for x in v:
+                    new_v.append(replace_int_or_string(x))
+            else:
+                new_v = v
+            new[k] = new_v
+        return new
+    except AttributeError:
+        return data
+
+
+def allow_null_optional_fields(data, parent=None, grand_parent=None, key=None):
+    new = {}
+    try:
+        for k, v in data.items():
+            new_v = v
+            if isinstance(v, dict):
+                new_v = allow_null_optional_fields(v, data, parent, k)
+            elif isinstance(v, list):
+                new_v = list()
+                for x in v:
+                    new_v.append(allow_null_optional_fields(x, v, parent, k))
+            elif isinstance(v, str):
+                is_non_null_type = k == "type" and v != "null"
+                has_required_fields = grand_parent and "required" in grand_parent
+                if is_non_null_type and not has_required_field:
+                    new_v = [v, "null"]
+            new[k] = new_v
+        return new
+    except AttributeError:
+        return data
+
+
+def append_no_duplicates(obj, key, value):
+    """
+    Given a dictionary, lookup the given key, if it doesn't exist create a new array.
+    Then check if the given value already exists in the array, if it doesn't add it.
+    """
+    if key not in obj:
+        obj[key] = []
+    if value not in obj[key]:
+        obj[key].append(value)
+
+
+def write_schema_file(schema, filename):
+    schema = additional_properties(schema)
+    schema = replace_int_or_string(schema)
+
+    # Dealing with user input here..
+    filename = os.path.basename(filename)
+    f = open(filename, "w")
+    f.write(json.dumps(schema, indent=2))
+    f.close()
+    print("{filename}".format(filename=filename))
+
+
+if len(sys.argv) == 0:
+    print("missing file")
+    exit(1)
+
+schemas: list[Schema] = []
+
+for crdFile in sys.argv[1:]:
+    if crdFile.startswith("http"):
+        f = urllib.request.urlopen(crdFile)
+    else:
+        f = open(crdFile)
+    with f:
+
+        for y in yaml.load_all(f, Loader=yaml.SafeLoader):
+            if "kind" not in y:
+                continue
+            if y["kind"] != "CustomResourceDefinition":
+                continue
+
+            if "spec" in y and "validation" in y["spec"] and "openAPIV3Schema" in y["spec"]["validation"]:
+                schemas.append(Schema(
+                    kind=y["spec"]["names"]["kind"],
+                    group=y["spec"]["group"],
+                    version=y["spec"]["version"],
+                    definition=y["spec"]["validation"]["openAPIV3Schema"]
+                ))
+
+            elif "spec" in y and "versions" in y["spec"]:
+                for version in y["spec"]["versions"]:
+                    if "schema" in version and "openAPIV3Schema" in version["schema"]:
+                        schemas.append(Schema(
+                            kind=y["spec"]["names"]["kind"],
+                            group=y["spec"]["group"],
+                            version=version["name"],
+                            definition=version["schema"]["openAPIV3Schema"]
+                        ))
+
+
+filename_format = os.getenv("FILENAME_FORMAT", "{kind}-{group}-{version}")
+
+# Write down all separate schema files.
+for schema in schemas:
+    filename = filename_format.format(
+        kind=schema.kind,
+        group=schema.group.split(".")[0],
+        version=schema.version,
+    ).lower() + ".json"
+    write_schema_file(schema.definition, filename)
+
+
+# Make a single definitions file that has the enum field set for kind and apiVersion so we can have automatic matching
+# for JSON schema.
+with open('_definitions.json', 'w') as definitions_file:
+    definitions: dict[str, dict[Any, Any]] = {}
+
+    # NOTE: No deep copy is needed as we already wrote the schema files, so let's modify the original structures.
+    for schema in schemas:
+        append_no_duplicates(schema.definition['properties']['apiVersion'], 'enum', f'{schema.group}/{schema.version}')
+        append_no_duplicates(schema.definition['properties']['kind'], 'enum', schema.kind)
+        definitions[f'{schema.group}.{schema.version}.{schema.kind}'] = schema.definition
+
+    definitions_file.write(json.dumps({"definitions": definitions}, indent=2))
+
+# Finally we write a flux2 main schema file that can be used to automatically validate any Flux2 schema using oneOf
+# semantics.
+with open('all.json', 'w') as all_file:
+    refs = [{'$ref': f'_definitions.json#/definitions/{schema.group}.{schema.version}.{schema.kind}'} for schema in schemas]
+    all_file.write(json.dumps({ "oneOf": refs }, indent=2))
+
+exit(0)

actions/envtest/action.yml

@@ -0,0 +1,81 @@
+name: Setup envtest
+description: A GitHub Action for installing setup-envtest and envtest binaries
+author: Flux project
+branding:
+  color: blue
+  icon: command
+inputs:
+  k8s_version:
+    description: Strict SemVer or version range of the envtest Kubernetes binaries to install. Defaults to the latest release.
+    required: true
+    default: latest
+  envtest_version:
+    description: verion of envtest to install. Can be a tag or a commit SHA. Defaults to latest.
+    required: true
+    default: latest
+runs:
+  using: composite
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      with:
+        go-version: 1.20.x
+        cache: false
+    - name: Use specified version to install
+      if: inputs.envtest_version != ''
+      shell: bash
+      run: |
+        echo "VERSION=${{ inputs.version }}" >> "$GITHUB_ENV"
+    - name: Determine version to install
+      if: inputs.envtest_version == ''
+      shell: bash
+      run: |
+        VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" "https://api.github.com/repos/kubernetes-sigs/controller-runtime/commits?path=tools/setup-envtest&page=1&per_page=1" | grep sha | head -n1 | cut -d '"' -f 4)
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine latest setup-envtest version"
+          exit 1
+        fi
+        echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+
+        SETUPENVTEST_EXEC_FILE="setup-envtest"
+        if [[ "$OS" == "windows" ]]; then
+            SETUPENVTEST_EXEC_FILE="${SETUPENVTEST_EXEC_FILE}.exe"
+        fi
+
+        # Install the latest version of the setup-envtest tool.
+        SETUPENVTEST_TOOL_DIR="${RUNNER_TOOL_CACHE}/setup-envtest/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "${SETUPENVTEST_TOOL_DIR}/${SETUPENVTEST_EXEC_FILE}" ]]; then
+          echo "Installing setup-envtest@$VERSION"
+          mkdir -p "$SETUPENVTEST_TOOL_DIR"
+          GOBIN="$SETUPENVTEST_TOOL_DIR" go install "sigs.k8s.io/controller-runtime/tools/setup-envtest@${VERSION}"
+
+          # Cleanup cache to avoid affecting other builds. Some go builds may get
+          # affected by this cache populated in the above operations.
+          go clean -cache
+        fi
+
+        # Add the setup-envtest tool dir to the path.
+        echo "Adding setup-envtest to path"
+        echo "$SETUPENVTEST_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Install the specified version of envtest
+      shell: bash
+      run: |
+        K8S_VERSION=${{ inputs.k8s_version }}
+        if [[ -z "$K8S_VERSION" ]]; then
+          K8S_VERSION="latest"
+        fi
+        # Install the assets for the specified version of Kubernetes.
+        ENVTEST_TOOL_DIR="${RUNNER_TOOL_CACHE}/envtest"
+        echo "Installing envtest assets for Kubernetes $K8S_VERSION"
+        setup-envtest use --bin-dir "$ENVTEST_TOOL_DIR" "$K8S_VERSION"
+
+        # Export the path to the KUBEBUILDER_ASSETS environment variable.
+        echo "Exporting KUBEBUILDER_ASSETS"
+        ENVTEST_ASSETS_PATH=$(setup-envtest use --bin-dir "$ENVTEST_TOOL_DIR" -i "$K8S_VERSION" -p path)
+        echo "KUBEBUILDER_ASSETS='$ENVTEST_ASSETS_PATH'" >> "$GITHUB_ENV"

actions/helm/Dockerfile

@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]

actions/helm/action.yml

@@ -1,15 +1,65 @@
-name: 'helm'
-description: 'A GitHub Action to run Helm commands'
-author: 'Hidde Beydals'
+name: Setup Helm CLI
+description: A GitHub Action for installing the Helm CLI
+author: Flux project
 branding:
-  icon: 'command'
-  color: 'blue'
+  color: blue
+  icon: command
 inputs:
   version:
-    description: 'strict semver'
+    description: Strict SemVer of the Helm CLI to install. Defaults to the latest release.
     required: false
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.version }}
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/helm/helm/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Helm version"
+          exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        
+        HELM_EXEC_FILE="helm"
+        if [[ "$OS" == "windows" ]]; then
+            HELM_EXEC_FILE="${HELM_EXEC_FILE}.exe"
+        fi
+
+        HELM_TOOL_DIR="${RUNNER_TOOL_CACHE}/helm/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "${HELM_TOOL_DIR}/${HELM_EXEC_FILE}" ]]; then
+          # Download the installer.
+          HELM_INSTALLER_TMP="$(mktemp -t helm-installer-XXXXXX)"
+          curl -fsSL -o "$HELM_INSTALLER_TMP" https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+          chmod +x "$HELM_INSTALLER_TMP"
+
+          # Run the installer.
+          echo "Running Helm installer"
+          mkdir -p "$HELM_TOOL_DIR"
+          if [[ "$OS" = "macos" ]]; then
+            # Workaround for "helm not found. Is "<path>" on your $PATH?
+            export PATH="$HELM_TOOL_DIR:$PATH"
+          fi
+          USE_SUDO=false HELM_INSTALL_DIR="$HELM_TOOL_DIR" VERIFY_CHECKSUM=true VERIFY_SIGNATURES=false "$HELM_INSTALLER_TMP" --version "$VERSION"
+
+          # Clean up.
+          echo "Cleaning up"
+          rm -rf "$HELM_INSTALLER_TMP"
+        fi
+
+        # Add the Helm tool dir to the path.
+        echo "Adding Helm to path"
+        echo "$HELM_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed Helm version
+      shell: bash
+      run: |
+        helm version

actions/helm/entrypoint.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-VERSION=${1:-3.3.4}
-
-helm_url=https://get.helm.sh && \
-curl -sL ${helm_url}/helm-v${VERSION}-linux-amd64.tar.gz | \
-tar xz
-
-mkdir -p $GITHUB_WORKSPACE/bin
-cp ./linux-amd64/helm $GITHUB_WORKSPACE/bin
-chmod +x $GITHUB_WORKSPACE/bin/helm
-
-$GITHUB_WORKSPACE/bin/helm version
-
-echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

actions/kubebuilder/Dockerfile

@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]

actions/kubebuilder/action.yml

@@ -1,15 +0,0 @@
-name: 'kubebuilder'
-description: 'A GitHub Action to run kubebuilder commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-inputs:
-  version:
-    description: 'strict semver'
-    required: false
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.version }}

actions/kubebuilder/entrypoint.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-VERSION=${1:-2.3.1}
-
-curl -sL https://go.kubebuilder.io/dl/${VERSION}/linux/amd64 | tar -xz -C /tmp/
-
-mkdir -p $GITHUB_WORKSPACE/kubebuilder
-mv /tmp/kubebuilder_${VERSION}_linux_amd64/* $GITHUB_WORKSPACE/kubebuilder/
-ls -lh $GITHUB_WORKSPACE/kubebuilder/bin
-
-echo "$GITHUB_WORKSPACE/kubebuilder/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/kubebuilder/bin" >> $GITHUB_PATH

actions/kubeconform/action.yml

@@ -0,0 +1,88 @@
+name: Setup kubeconform CLI
+description: A GitHub Action for installing the kubeconform CLI
+author: Flux project
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: Strict SemVer of the kubeconform CLI to install. Defaults to the latest release.
+    required: false
+runs:
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" == "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/yannh/kubeconform/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine kubeconform version"
+        exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        fi
+
+        KUBECONFORM_EXEC_FILE="kubeconform"
+        if [[ "$OS" == "windows" ]]; then
+            KUBECONFORM_EXEC_FILE="${KUBECONFORM_EXEC_FILE}.exe"
+        fi
+
+        KUBECONFORM_TOOL_DIR="${RUNNER_TOOL_CACHE}/kubeconform/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "$KUBECONFORM_TOOL_DIR/$KUBECONFORM_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt kubeconform-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading kubeconform ${VERSION} for ${OS}/${ARCH}"
+          KUBECONFORM_TARGET_FILE="kubeconform-${OS}-${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            KUBECONFORM_TARGET_FILE="kubeconform-${OS}-${ARCH}.zip"
+          fi
+        
+          KUBECONFORM_CHECKSUMS_FILE="CHECKSUMS"
+
+          KUBECONFORM_DOWNLOAD_URL="https://github.com/yannh/kubeconform/releases/download/${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$KUBECONFORM_TARGET_FILE" "$KUBECONFORM_DOWNLOAD_URL/$KUBECONFORM_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$KUBECONFORM_CHECKSUMS_FILE" "$KUBECONFORM_DOWNLOAD_URL/$KUBECONFORM_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=$(openssl sha1 -sha256 "$DL_DIR/$KUBECONFORM_TARGET_FILE" | awk '{print $2}')
+          expected_sum=$(grep " $KUBECONFORM_TARGET_FILE\$" "$DL_DIR/$KUBECONFORM_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${KUBECONFORM_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing kubeconform to ${KUBECONFORM_TOOL_DIR}"
+          mkdir -p "$KUBECONFORM_TOOL_DIR"
+        
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$KUBECONFORM_TARGET_FILE" "$KUBECONFORM_EXEC_FILE" -d "$KUBECONFORM_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$KUBECONFORM_TARGET_FILE" -C "$KUBECONFORM_TOOL_DIR" $KUBECONFORM_EXEC_FILE
+          fi
+
+          chmod +x "$KUBECONFORM_TOOL_DIR/$KUBECONFORM_EXEC_FILE"
+        fi
+
+        echo "Adding kubeconform to path"
+        echo "$KUBECONFORM_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed kubeconform version
+      shell: bash
+      run: |
+        kubeconform -v

actions/kubectl/Dockerfile

@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]

actions/kubectl/action.yml

@@ -1,15 +1,79 @@
-name: 'kubectl'
-description: 'A GitHub Action to run kubectl commands'
-author: 'Stefan Prodan'
+name: Setup kubectl CLI
+description: A GitHub Action for installing the kubectl CLI
+author: Flux project
 branding:
-  icon: 'command'
-  color: 'blue'
+  color: blue
+  icon: command
 inputs:
   version:
-    description: 'strict semver'
+    description: Strict SemVer of the kubectl CLI to install. Defaults to the latest release.
     required: false
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.version }}
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/kubernetes/kubernetes/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Kubernetes version"
+          exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        elif [[ "$ARCH" == "x86" ]]; then
+          ARCH="386"
+        fi
+
+        KUBECTL_EXEC_FILE="kubectl"
+        if [[ "$OS" == "windows" ]]; then
+            KUBECTL_EXEC_FILE="${KUBECTL_EXEC_FILE}.exe"
+        fi
+
+        KUBECTL_TOOL_DIR="${RUNNER_TOOL_CACHE}/kubectl/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "$KUBECTL_TOOL_DIR/$KUBECTL_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt kubectl-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading kubectl ${VERSION} for ${OS}/${ARCH}"
+          KUBECTL_DOWNLOAD_URL="https://dl.k8s.io/${VERSION}/bin/${OS}/${ARCH}/${KUBECTL_EXEC_FILE}"
+          KUBECTL_TARGET_FILE="$DL_DIR/$KUBECTL_EXEC_FILE"
+          KUBECTL_SHA256_FILE="$DL_DIR/$KUBECTL_EXEC_FILE.sha256"
+
+          curl -fsSL -o "$KUBECTL_TARGET_FILE" "$KUBECTL_DOWNLOAD_URL"
+          curl -fsSL -o "$KUBECTL_SHA256_FILE" "$KUBECTL_DOWNLOAD_URL.sha256"
+
+          echo "Verifying checksum"
+          sum=$(openssl sha1 -sha256 ${KUBECTL_TARGET_FILE} | awk '{print $2}')
+          expected_sum=$(cat ${KUBECTL_SHA256_FILE})
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${KUBECTL_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+          
+          echo "Installing kubectl to ${KUBECTL_TOOL_DIR}"
+          mkdir -p "$KUBECTL_TOOL_DIR"
+          mv "$KUBECTL_TARGET_FILE" "$KUBECTL_TOOL_DIR/$KUBECTL_EXEC_FILE"
+          chmod +x "$KUBECTL_TOOL_DIR/$KUBECTL_EXEC_FILE"
+        fi
+
+        echo "Adding kubectl to path"
+        echo "$KUBECTL_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed kubectl version
+      shell: bash
+      run: |
+        kubectl version --client

actions/kubectl/entrypoint.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-VERSION=${1:-1.19.2}
-
-curl -sL https://storage.googleapis.com/kubernetes-release/release/v${VERSION}/bin/linux/amd64/kubectl > kubectl
-
-mkdir -p $GITHUB_WORKSPACE/bin
-cp ./kubectl $GITHUB_WORKSPACE/bin
-chmod +x $GITHUB_WORKSPACE/bin/kubectl
-
-$GITHUB_WORKSPACE/bin/kubectl version --client
-
-echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

actions/kustomize/Dockerfile

@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]

actions/kustomize/action.yml

@@ -1,15 +1,87 @@
-name: 'kustomize'
-description: 'A GitHub Action to run kustomize commands'
-author: 'Stefan Prodan'
+name: Setup kustomize CLI
+description: A GitHub Action for installing the kustomize CLI
+author: Flux project
 branding:
-  icon: 'command'
-  color: 'blue'
+  color: blue
+  icon: command
 inputs:
   version:
-    description: 'strict semver'
+    description: "Strict SemVer of the kustomize CLI. Defaults to 5.3.0. Use 'latest' to get the latest release."
     required: false
+    default: "5.3.0"
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.version }}
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" == "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/kubernetes-sigs/kustomize/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Kustomize version"
+        exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        fi
+
+        KUSTOMIZE_EXEC_FILE="kustomize"
+        if [[ "$OS" == "windows" ]]; then
+            KUSTOMIZE_EXEC_FILE="${KUSTOMIZE_EXEC_FILE}.exe"
+        fi
+
+        KUSTOMIZE_TOOL_DIR="${RUNNER_TOOL_CACHE}/kustomize/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "$KUSTOMIZE_TOOL_DIR/$KUSTOMIZE_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt kustomize-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading kustomize ${VERSION} for ${OS}/${ARCH}"
+          KUSTOMIZE_TARGET_FILE="kustomize_${VERSION}_${OS}_${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            KUSTOMIZE_TARGET_FILE="kustomize_${VERSION}_${OS}_${ARCH}.zip"
+          fi
+        
+          KUSTOMIZE_CHECKSUMS_FILE="checksums.txt"
+
+          KUSTOMIZE_DOWNLOAD_URL="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$KUSTOMIZE_TARGET_FILE" "$KUSTOMIZE_DOWNLOAD_URL/$KUSTOMIZE_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$KUSTOMIZE_CHECKSUMS_FILE" "$KUSTOMIZE_DOWNLOAD_URL/$KUSTOMIZE_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=$(openssl sha1 -sha256 "$DL_DIR/$KUSTOMIZE_TARGET_FILE" | awk '{print $2}')
+          expected_sum=$(grep " $KUSTOMIZE_TARGET_FILE\$" "$DL_DIR/$KUSTOMIZE_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${KUSTOMIZE_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing kustomize to ${KUSTOMIZE_TOOL_DIR}"
+          mkdir -p "$KUSTOMIZE_TOOL_DIR"
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$KUSTOMIZE_TARGET_FILE" "$KUSTOMIZE_EXEC_FILE" -d "$KUSTOMIZE_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$KUSTOMIZE_TARGET_FILE" -C "$KUSTOMIZE_TOOL_DIR" $KUSTOMIZE_EXEC_FILE
+          fi
+          chmod +x "$KUSTOMIZE_TOOL_DIR/$KUSTOMIZE_EXEC_FILE"
+        fi
+
+        echo "Adding kustomize to path"
+        echo "$KUSTOMIZE_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed kustomize version
+      shell: bash
+      run: |
+        kustomize version

actions/kustomize/entrypoint.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-VERSION=${1:-3.8.2}
-
-kustomize_url=https://github.com/kubernetes-sigs/kustomize/releases/download && \
-curl -sL ${kustomize_url}/kustomize%2Fv${VERSION}/kustomize_v${VERSION}_linux_amd64.tar.gz | \
-tar xz
-
-mkdir -p $GITHUB_WORKSPACE/bin
-cp ./kustomize $GITHUB_WORKSPACE/bin
-chmod +x $GITHUB_WORKSPACE/bin/kustomize
-
-$GITHUB_WORKSPACE/bin/kustomize version
-
-echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
-echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

actions/sops/action.yaml

@@ -0,0 +1,71 @@
+name: Setup SOPS
+description: A GitHub Action for installing the SOPS CLI
+author: Flux project
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: Strict SemVer of the SOPS CLI to install. Defaults to the latest release.
+    required: false
+runs:
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" == "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/getsops/sops/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine SOPS version"
+        exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+        
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+        
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        fi
+        
+        SOPS_EXEC_FILE="sops"
+        if [[ "$OS" == "windows" ]]; then
+            SOPS_EXEC_FILE="${SOPS_EXEC_FILE}.exe"
+        fi
+        
+        SOPS_TOOL_DIR="${RUNNER_TOOL_CACHE}/sops/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "$SOPS_TOOL_DIR/$SOPS_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt sops-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+        
+          echo "Downloading sops ${VERSION} for ${OS}/${ARCH}"
+          SOPS_TARGET_FILE="sops-${VERSION}.${OS}.${ARCH}"
+          if [[ "$OS" == "windows" ]]; then
+            SOPS_TARGET_FILE="sops-${VERSION}.${ARCH}.exe"
+          fi
+
+          SOPS_DOWNLOAD_URL="https://github.com/getsops/sops/releases/download/${VERSION}/"
+          echo "Downloading sops from $SOPS_DOWNLOAD_URL/$SOPS_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$SOPS_TARGET_FILE" "$SOPS_DOWNLOAD_URL/$SOPS_TARGET_FILE"
+
+          echo "Installing sops to ${SOPS_TOOL_DIR}"
+          mkdir -p "$SOPS_TOOL_DIR"
+          mv "$DL_DIR/$SOPS_TARGET_FILE" "$SOPS_TOOL_DIR/$SOPS_EXEC_FILE"
+          chmod +x "$SOPS_TOOL_DIR/$SOPS_EXEC_FILE"
+        fi
+
+        echo "Adding sops to path"
+        echo "$SOPS_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed sops version
+      shell: bash
+      run: |
+        sops --version

actions/yq/action.yml

@@ -0,0 +1,84 @@
+name: Setup yq CLI
+description: A GitHub Action for installing the yq CLI
+author: Flux project
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: Strict SemVer of the yq CLI to install. Defaults to the latest release.
+    required: false
+runs:
+  using: composite
+  steps:
+    - name: Download the binary to the runner's cache dir
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" == "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${{github.token}}" https://api.github.com/repos/mikefarah/yq/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine yq version"
+        exit 1
+        fi
+        if [[ ! $VERSION = v* ]]; then
+          VERSION="v${VERSION}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        fi
+
+        YQ_EXEC_FILE="yq_${OS}_${ARCH}"
+        if [[ "$OS" == "windows" ]]; then
+            YQ_EXEC_FILE="${YQ_EXEC_FILE}.exe"
+        fi
+
+        YQ_TOOL_DIR="${RUNNER_TOOL_CACHE}/yq/${VERSION}/${OS}/${ARCH}"
+        if [[ ! -x "$YQ_TOOL_DIR/$YQ_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt yq-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading yq ${VERSION} for ${OS}/${ARCH}"
+          YQ_TARGET_FILE="yq"
+          if [[ "$OS" == "windows" ]]; then
+            YQ_TARGET_FILE="yq.exe"
+          fi
+        
+          YQ_CHECKSUMS_FILE="checksums"
+
+          YQ_DOWNLOAD_URL="https://github.com/mikefarah/yq/releases/download/${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$YQ_TARGET_FILE" "$YQ_DOWNLOAD_URL/$YQ_EXEC_FILE"
+          curl -fsSL -o "$DL_DIR/$YQ_CHECKSUMS_FILE" "$YQ_DOWNLOAD_URL/$YQ_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=$(openssl sha1 -sha256 "$DL_DIR/$YQ_TARGET_FILE" | awk '{print $2}')
+       
+          expected_sum=$(grep "^$YQ_EXEC_FILE " "$DL_DIR/$YQ_CHECKSUMS_FILE" | awk '{print $19}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of $DL_DIR/$YQ_TARGET_FILE and $YQ_EXEC_FILE does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing yq to ${YQ_TOOL_DIR}"
+          mkdir -p "$YQ_TOOL_DIR"
+        
+          cp "$DL_DIR/$YQ_TARGET_FILE" "$YQ_TOOL_DIR/$YQ_TARGET_FILE"
+          chmod +x "$YQ_TOOL_DIR/$YQ_TARGET_FILE"
+        fi
+
+        echo "Adding yq to path"
+        echo "$YQ_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: Print installed yq version
+      shell: bash
+      run: |
+        yq --version

apis/acl/acl_types.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package acl
+
+// AccessFrom defines an ACL for allowing cross-namespace references to a source object
+// based on the caller's namespace labels.
+type AccessFrom struct {
+	// NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+	// Items in this list are evaluated using a logical OR operation.
+	// +required
+	NamespaceSelectors []NamespaceSelector `json:"namespaceSelectors"`
+}
+
+// NamespaceSelector selects the namespaces to which this ACL applies.
+// An empty map of MatchLabels matches all namespaces in a cluster.
+type NamespaceSelector struct {
+	// MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+	// map is equivalent to an element of matchExpressions, whose key field is "key", the
+	// operator is "In", and the values array contains only "value". The requirements are ANDed.
+	// +optional
+	MatchLabels map[string]string `json:"matchLabels,omitempty"`
+}

apis/acl/conditions.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package acl
+
+// These constants define the Condition types for when the GitOps Toolkit components perform ACL assertions.
+const (
+	// AccessDeniedCondition indicates that access to a resource has been denied by an ACL assertion.
+	// The Condition adheres to an "abnormal-true" polarity pattern, and MUST only be present on the resource if the
+	// Condition is True.
+	AccessDeniedCondition string = "AccessDenied"
+)
+
+// These constants define the Condition reasons for when the GitOps Toolkit components perform ACL assertions.
+const (
+	// AccessDeniedReason indicates that access to a resource has been denied by an ACL assertion.
+	AccessDeniedReason string = "AccessDenied"
+)

apis/acl/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package acl contains the API types for defining access control lists for use by GitOps Toolkit components.
+// +kubebuilder:object:generate=true
+package acl

apis/acl/go.mod

@@ -0,0 +1,3 @@
+module github.com/fluxcd/pkg/apis/acl
+
+go 1.24.0

apis/acl/zz_generated.deepcopy.go

@@ -0,0 +1,67 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package acl
+
+import ()
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AccessFrom) DeepCopyInto(out *AccessFrom) {
+	*out = *in
+	if in.NamespaceSelectors != nil {
+		in, out := &in.NamespaceSelectors, &out.NamespaceSelectors
+		*out = make([]NamespaceSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessFrom.
+func (in *AccessFrom) DeepCopy() *AccessFrom {
+	if in == nil {
+		return nil
+	}
+	out := new(AccessFrom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector) {
+	*out = *in
+	if in.MatchLabels != nil {
+		in, out := &in.MatchLabels, &out.MatchLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSelector.
+func (in *NamespaceSelector) DeepCopy() *NamespaceSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceSelector)
+	in.DeepCopyInto(out)
+	return out
+}

apis/event/go.mod

@@ -0,0 +1,29 @@
+module github.com/fluxcd/pkg/apis/event
+
+go 1.24.0
+
+require (
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+)
+
+require (
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
+)

apis/event/go.sum

@@ -0,0 +1,97 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
+k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=

apis/event/v1beta1/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains the API Schema definitions for the Flux eventing API.
+// +kubebuilder:object:generate=true
+package v1beta1

apis/event/v1beta1/event.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2022 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,28 +14,40 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package events
+package v1beta1
 
 import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// Valid values for event severity.
+// Group is the API Group for the Event API.
+const Group = "event.toolkit.fluxcd.io"
+
+// These constants define valid event severity values.
 const (
-	// Information only and will not cause any problems.
+	// EventSeverityTrace represents a trace event, usually
+	// informing about actions taken during reconciliation.
+	EventSeverityTrace string = "trace"
+	// EventSeverityInfo represents an informational event, usually
+	// informing about changes.
 	EventSeverityInfo string = "info"
-	// These events are to warn that something might go wrong.
+	// EventSeverityError represent an error event, usually a warning
+	// that something goes wrong.
 	EventSeverityError string = "error"
 )
 
+// EventTypeTrace represents a trace event.
+const EventTypeTrace string = "Trace"
+
 // Event is a report of an event issued by a controller.
 type Event struct {
 	// The object that this event is about.
 	// +required
 	InvolvedObject corev1.ObjectReference `json:"involvedObject"`
 
-	// Severity type of this event (info, error)
+	// Severity type of this event (trace, info, error)
+	// +kubebuilder:validation:Enum=trace;info;error
 	// +required
 	Severity string `json:"severity"`
 
@@ -44,7 +56,8 @@ type Event struct {
 	Timestamp metav1.Time `json:"timestamp"`
 
 	// A human-readable description of this event.
-	// Maximum length 39,000 characters
+	// Maximum length 39,000 characters.
+	// +kubebuilder:validation:MaxLength=39000
 	// +required
 	Message string `json:"message"`
 
@@ -65,3 +78,28 @@ type Event struct {
 	// +optional
 	ReportingInstance string `json:"reportingInstance,omitempty"`
 }
+
+// HasReason returns true if the Reason equals the given value.
+func (in *Event) HasReason(reason string) bool {
+	return in.Reason == reason
+}
+
+// HasMetadata returns true if the given key/value pair is found in Metadata.
+func (in *Event) HasMetadata(key string, val string) bool {
+	if v, ok := in.Metadata[key]; ok && v == val {
+		return true
+	}
+	return false
+}
+
+// GetRevision looks up for the MetaOriginRevisionKey and MetaRevisionKey
+// keys in the Metadata and returns the first it finds.
+func (in *Event) GetRevision() (string, bool) {
+	if r, ok := in.Metadata[MetaOriginRevisionKey]; ok {
+		return r, true
+	}
+	if r, ok := in.Metadata[MetaRevisionKey]; ok {
+		return r, true
+	}
+	return "", false
+}

apis/event/v1beta1/metadata.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2022 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// These constants define the Event metadata keys used throughout Flux controllers.
+const (
+	// MetaRevisionKey is the key used to hold the source artifact revision.
+	MetaRevisionKey string = "revision"
+	// MetaOriginRevisionKey is the key used to hold the source artifact origin revision.
+	MetaOriginRevisionKey string = "originRevision"
+	// MetaChecksumKey is the key used to hold the source artifact checksum.
+	// Deprecated: in favor of MetaDigestKey.
+	MetaChecksumKey string = "checksum"
+	// MetaDigestKey is the key used to hold the source artifact digest.
+	MetaDigestKey string = "digest"
+	// MetaTokenKey is the key used to hold an arbitrary token whose contents
+	// are defined on a per-event-emitter basis for uniquely identifying the
+	// contents of the event payload. For example, it could be the generation
+	// of an object, or the hash of a set of configurations, or even a
+	// base64-encoded set of configurations. This is useful for example for
+	// rate limiting the events.
+	MetaTokenKey string = "token"
+	// MetaCommitStatusKey is the key used to signal a Git commit status event.
+	MetaCommitStatusKey string = "commit_status"
+	// MetaCommitStatusUpdateValue is the value of MetaCommitStatusKey
+	// used to signal a Git commit status update.
+	MetaCommitStatusUpdateValue string = "update"
+)

apis/event/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,47 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1beta1
+
+import ()
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Event) DeepCopyInto(out *Event) {
+	*out = *in
+	out.InvolvedObject = in.InvolvedObject
+	in.Timestamp.DeepCopyInto(&out.Timestamp)
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Event.
+func (in *Event) DeepCopy() *Event {
+	if in == nil {
+		return nil
+	}
+	out := new(Event)
+	in.DeepCopyInto(out)
+	return out
+}

apis/kustomize/doc.go

@@ -0,0 +1,19 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kustomize contains a selective set of Kustomize API types for use by GitOps Toolkit components.
+// +kubebuilder:object:generate=true
+package kustomize

apis/kustomize/go.mod

@@ -0,0 +1,28 @@
+module github.com/fluxcd/pkg/apis/kustomize
+
+go 1.24.0
+
+require k8s.io/apiextensions-apiserver v0.33.2
+
+require (
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/apimachinery v0.33.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
+)

apis/kustomize/go.sum

@@ -0,0 +1,97 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
+k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=

apis/kustomize/kustomize_types.go

@@ -0,0 +1,163 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kustomize
+
+import (
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// Image contains an image name, a new name, a new tag or digest, which will replace the original name and tag.
+type Image struct {
+	// Name is a tag-less image name.
+	// +required
+	Name string `json:"name"`
+
+	// NewName is the value used to replace the original name.
+	// +optional
+	NewName string `json:"newName,omitempty"`
+
+	// NewTag is the value used to replace the original tag.
+	// +optional
+	NewTag string `json:"newTag,omitempty"`
+
+	// Digest is the value used to replace the original image tag.
+	// If digest is present NewTag value is ignored.
+	// +optional
+	Digest string `json:"digest,omitempty"`
+}
+
+// Selector specifies a set of resources. Any resource that matches intersection of all conditions is included in this
+// set.
+type Selector struct {
+	// Group is the API group to select resources from.
+	// Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources.
+	// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+	// +optional
+	Group string `json:"group,omitempty"`
+
+	// Version of the API Group to select resources from.
+	// Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources.
+	// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// Kind of the API Group to select resources from.
+	// Together with Group and Version it is capable of unambiguously
+	// identifying and/or selecting resources.
+	// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+	// +optional
+	Kind string `json:"kind,omitempty"`
+
+	// Namespace to select resources from.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Name to match resources with.
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// AnnotationSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource annotations.
+	// +optional
+	AnnotationSelector string `json:"annotationSelector,omitempty"`
+
+	// LabelSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource labels.
+	// +optional
+	LabelSelector string `json:"labelSelector,omitempty"`
+}
+
+// Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should
+// be applied to.
+type Patch struct {
+	// Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with
+	// an array of operation objects.
+	// +required
+	Patch string `json:"patch"`
+
+	// Target points to the resources that the patch document should be applied to.
+	// +optional
+	Target *Selector `json:"target,omitempty"`
+}
+
+// JSON6902 is a JSON6902 operation object.
+// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+type JSON6902 struct {
+	// Op indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy", or
+	// "test".
+	// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+	// +kubebuilder:validation:Enum=test;remove;add;replace;move;copy
+	// +required
+	Op string `json:"op"`
+
+	// Path contains the JSON-pointer value that references a location within the target document where the operation
+	// is performed. The meaning of the value depends on the value of Op.
+	// +required
+	Path string `json:"path"`
+
+	// From contains a JSON-pointer value that references a location within the target document where the operation is
+	// performed. The meaning of the value depends on the value of Op, and is NOT taken into account by all operations.
+	// +optional
+	From string `json:"from,omitempty"`
+
+	// Value contains a valid JSON structure. The meaning of the value depends on the value of Op, and is NOT taken into
+	// account by all operations.
+	// +optional
+	Value *apiextensionsv1.JSON `json:"value,omitempty"`
+}
+
+// JSON6902Patch contains a JSON6902 patch and the target the patch should be applied to.
+type JSON6902Patch struct {
+	// Patch contains the JSON6902 patch document with an array of operation objects.
+	// +required
+	Patch []JSON6902 `json:"patch"`
+
+	// Target points to the resources that the patch document should be applied to.
+	// +required
+	Target Selector `json:"target"`
+}
+
+// CustomHealthCheck defines the health check for custom resources.
+type CustomHealthCheck struct {
+	// APIVersion of the custom resource under evaluation.
+	// +required
+	APIVersion string `json:"apiVersion"`
+	// Kind of the custom resource under evaluation.
+	// +required
+	Kind string `json:"kind"`
+
+	HealthCheckExpressions `json:",inline"`
+}
+
+// HealthCheckExpressions defines the CEL expressions for determining the health status
+// of custom resources.
+type HealthCheckExpressions struct {
+	// Current is the CEL expression that determines if the status
+	// of the custom resource has reached the desired state.
+	// +required
+	Current string `json:"current"`
+	// InProgress is the CEL expression that determines if the status
+	// of the custom resource has not yet reached the desired state.
+	// +optional
+	InProgress string `json:"inProgress,omitempty"`
+	// Failed is the CEL expression that determines if the status
+	// of the custom resource has failed to reach the desired state.
+	// +optional
+	Failed string `json:"failed,omitempty"`
+}

apis/kustomize/zz_generated.deepcopy.go

@@ -0,0 +1,149 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package kustomize
+
+import (
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomHealthCheck) DeepCopyInto(out *CustomHealthCheck) {
+	*out = *in
+	out.HealthCheckExpressions = in.HealthCheckExpressions
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomHealthCheck.
+func (in *CustomHealthCheck) DeepCopy() *CustomHealthCheck {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomHealthCheck)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HealthCheckExpressions) DeepCopyInto(out *HealthCheckExpressions) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckExpressions.
+func (in *HealthCheckExpressions) DeepCopy() *HealthCheckExpressions {
+	if in == nil {
+		return nil
+	}
+	out := new(HealthCheckExpressions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Image) DeepCopyInto(out *Image) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Image.
+func (in *Image) DeepCopy() *Image {
+	if in == nil {
+		return nil
+	}
+	out := new(Image)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JSON6902) DeepCopyInto(out *JSON6902) {
+	*out = *in
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(v1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSON6902.
+func (in *JSON6902) DeepCopy() *JSON6902 {
+	if in == nil {
+		return nil
+	}
+	out := new(JSON6902)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JSON6902Patch) DeepCopyInto(out *JSON6902Patch) {
+	*out = *in
+	if in.Patch != nil {
+		in, out := &in.Patch, &out.Patch
+		*out = make([]JSON6902, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	out.Target = in.Target
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSON6902Patch.
+func (in *JSON6902Patch) DeepCopy() *JSON6902Patch {
+	if in == nil {
+		return nil
+	}
+	out := new(JSON6902Patch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Patch) DeepCopyInto(out *Patch) {
+	*out = *in
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(Selector)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Patch.
+func (in *Patch) DeepCopy() *Patch {
+	if in == nil {
+		return nil
+	}
+	out := new(Patch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Selector) DeepCopyInto(out *Selector) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Selector.
+func (in *Selector) DeepCopy() *Selector {
+	if in == nil {
+		return nil
+	}
+	out := new(Selector)
+	in.DeepCopyInto(out)
+	return out
+}

apis/meta/annotations.go

@@ -17,59 +17,127 @@ limitations under the License.
 package meta
 
 const (
-	// ReconcileAtAnnotation is the annotation used for triggering a reconciliation
-	// outside of the defined schedule. Despite the name, the value is not
-	// interpreted as a timestamp, and any change in value shall trigger a
-	// reconciliation.
-	// DEPRECATED: has been replaced by ReconcileRequestAnnotation.
-	ReconcileAtAnnotation string = "fluxcd.io/reconcileAt"
-
-	// ReconcileRequestAnnotation is the new ReconcileAtAnnotation,
-	// with a better name. For backward-compatibility, use
-	// ReconcileAnnotationValue, which will account for both
-	// annotations.
+	// ReconcileRequestAnnotation is the annotation used for triggering a reconciliation
+	// outside of a defined interval. The value is interpreted as a token, and any change
+	// in value SHOULD trigger a reconciliation.
 	ReconcileRequestAnnotation string = "reconcile.fluxcd.io/requestedAt"
+
+	// ForceRequestAnnotation is the annotation used for triggering a one-off forced
+	// reconciliation, for example, of a HelmRelease when there are no new changes,
+	// or of something that runs on a schedule when the schedule is not due at the moment.
+	// The specific conditions for triggering a forced reconciliation depend on the
+	// specific controller implementation, but the annotation is used to standardize
+	// the mechanism across controllers. The value is interpreted as a token, and must
+	// equal the value of ReconcileRequestAnnotation in order to trigger a release.
+	ForceRequestAnnotation string = "reconcile.fluxcd.io/forceAt"
 )
 
-// ReconcileAnnotationValue returns a value for the reconciliation
-// request annotations, which can be used to detect changes; and, a
-// boolean indicating whether either annotation was set.
+// ReconcileAnnotationValue returns a value for the reconciliation request annotation, which can be used to detect
+// changes, and a boolean indicating whether the annotation was set.
 func ReconcileAnnotationValue(annotations map[string]string) (string, bool) {
-	reconcileAt, ok1 := annotations[ReconcileAtAnnotation]
-	requestedAt, ok2 := annotations[ReconcileRequestAnnotation]
-	// the values are concatenated; this means
-	// - a change in either will be detectable*, and
-	// - if one is set, the value will be just that; and,
-	// - if neither is set, it's a zero value.
-	//
-	// *unless the change is to shift a substring across the
-	// interstice between the strings; e.g., by swapping the value
-	// from one annotation to the other. Assuming a fresh timestamp is
-	// used each time, this caveat won't matter.
-	return reconcileAt + requestedAt, ok1 || ok2
+	requestedAt, ok := annotations[ReconcileRequestAnnotation]
+	return requestedAt, ok
 }
 
-// ReconcileRequestStatus is a struct to embed in the status type, so
-// that all types using the mechanism have the same field. Use it like
-// this:
+// ReconcileRequestStatus is a struct to embed in a status type, so that all types using the mechanism have the same
+// field. Use it like this:
 //
-// ```
-// type WhateverStatus struct {
-//   meta.ReconcileRequestStatus `json:",inline"`
-//   // other status fields...
-// }
-// ```
+//		type FooStatus struct {
+//	 	meta.ReconcileRequestStatus `json:",inline"`
+//	 	// other status fields...
+//		}
 type ReconcileRequestStatus struct {
 	// LastHandledReconcileAt holds the value of the most recent
-	// reconcile request value, so a change can be detected.
+	// reconcile request value, so a change of the annotation value
+	// can be detected.
 	// +optional
 	LastHandledReconcileAt string `json:"lastHandledReconcileAt,omitempty"`
 }
 
-func (rs ReconcileRequestStatus) GetLastHandledReconcileRequest() string {
-	return rs.LastHandledReconcileAt
+// GetLastHandledReconcileRequest returns the most recent reconcile request value from the ReconcileRequestStatus.
+func (in ReconcileRequestStatus) GetLastHandledReconcileRequest() string {
+	return in.LastHandledReconcileAt
 }
 
-func (rs *ReconcileRequestStatus) SetLastHandledReconcileRequest(token string) {
-	rs.LastHandledReconcileAt = token
+// SetLastHandledReconcileRequest sets the most recent reconcile request value in the ReconcileRequestStatus.
+func (in *ReconcileRequestStatus) SetLastHandledReconcileRequest(token string) {
+	in.LastHandledReconcileAt = token
+}
+
+// StatusWithHandledReconcileRequest describes a status type which holds the value of the most recent
+// ReconcileAnnotationValue.
+// +k8s:deepcopy-gen=false
+type StatusWithHandledReconcileRequest interface {
+	GetLastHandledReconcileRequest() string
+}
+
+// StatusWithHandledReconcileRequestSetter describes a status with a setter for the most ReconcileAnnotationValue.
+// +k8s:deepcopy-gen=false
+type StatusWithHandledReconcileRequestSetter interface {
+	SetLastHandledReconcileRequest(token string)
+}
+
+// ForceRequestStatus is a struct to embed in a status type, so that all types using the mechanism have the same
+// field. Use it like this:
+//
+//		type FooStatus struct {
+//	 	meta.ForceRequestStatus `json:",inline"`
+//	 	// other status fields...
+//		}
+type ForceRequestStatus struct {
+	// LastHandledForceAt holds the value of the most recent
+	// force request value, so a change of the annotation value
+	// can be detected.
+	// +optional
+	LastHandledForceAt string `json:"lastHandledForceAt,omitempty"`
+}
+
+// ShouldHandleForceRequest returns true if the object has a force request
+// annotation, and the value of the annotation matches the value of the
+// ReconcileRequestAnnotation annotation.
+//
+// To ensure that the force request is handled only once, the value of
+// <ObjectType>Status.LastHandledForceAt is updated to match the value of the
+// force request annotation (even if the force request is not handled because
+// the value of the ReconcileRequestAnnotation annotation does not match).
+func ShouldHandleForceRequest(obj interface {
+	ObjectWithAnnotationRequests
+	GetLastHandledForceRequestStatus() *string
+}) bool {
+	return HandleAnnotationRequest(obj, ForceRequestAnnotation, obj.GetLastHandledForceRequestStatus())
+}
+
+// ObjectWithAnnotationRequests is an interface that describes an object
+// that has annotations and a status with a last handled reconcile request.
+// +k8s:deepcopy-gen=false
+type ObjectWithAnnotationRequests interface {
+	GetAnnotations() map[string]string
+	StatusWithHandledReconcileRequest
+}
+
+// HandleAnnotationRequest returns true if the object has a request annotation, and
+// the value of the annotation matches the value of the ReconcileRequestAnnotation
+// annotation.
+//
+// The lastHandled argument is used to ensure that the request is handled only
+// once, and is updated to match the value of the request annotation (even if
+// the request is not handled because the value of the ReconcileRequestAnnotation
+// annotation does not match).
+func HandleAnnotationRequest(obj ObjectWithAnnotationRequests, annotation string, lastHandled *string) bool {
+	requestAt, requestOk := obj.GetAnnotations()[annotation]
+	reconcileAt, reconcileOk := ReconcileAnnotationValue(obj.GetAnnotations())
+
+	var lastHandledRequest string
+	if requestOk {
+		lastHandledRequest = *lastHandled
+		*lastHandled = requestAt
+	}
+
+	if requestOk && reconcileOk && requestAt == reconcileAt {
+		lastHandledReconcile := obj.GetLastHandledReconcileRequest()
+		if lastHandledReconcile != reconcileAt && lastHandledRequest != requestAt {
+			return true
+		}
+	}
+	return false
 }

apis/meta/annotations_test.go

@@ -23,14 +23,27 @@ import (
 
 type whateverStatus struct {
 	ReconcileRequestStatus `json:",inline"`
+	ForceRequestStatus     `json:",inline"`
 }
 
 type whatever struct {
 	Annotations map[string]string
-	Status      whateverStatus `json:"status,omitempty"`
+	Status      whateverStatus `json:"status"`
 }
 
-func TestGetAnnotationValue(t *testing.T) {
+func (w *whatever) GetAnnotations() map[string]string {
+	return w.Annotations
+}
+
+func (w *whatever) GetLastHandledReconcileRequest() string {
+	return w.Status.GetLastHandledReconcileRequest()
+}
+
+func (w *whatever) GetLastHandledForceRequestStatus() *string {
+	return &w.Status.LastHandledForceAt
+}
+
+func TestGetReconcileAnnotationValue(t *testing.T) {
 	obj := whatever{
 		Annotations: map[string]string{},
 	}
@@ -41,8 +54,8 @@ func TestGetAnnotationValue(t *testing.T) {
 	}
 	obj.Status.SetLastHandledReconcileRequest(val)
 
-	// set one annotation: should detect a change
-	obj.Annotations[ReconcileAtAnnotation] = time.Now().Format(time.RFC3339Nano)
+	// set annotation: should detect a change
+	obj.Annotations[ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 	val, ok = ReconcileAnnotationValue(obj.Annotations)
 	if !ok {
 		t.Error("expected ReconcileAnnotationValue to return true when an annotation is set")
@@ -54,7 +67,7 @@ func TestGetAnnotationValue(t *testing.T) {
 
 	obj.Status.SetLastHandledReconcileRequest(val)
 
-	// set the other annotation; should detect a change
+	// update annotation; should detect a change
 	obj.Annotations[ReconcileRequestAnnotation] = time.Now().Format(time.RFC3339Nano)
 	val, ok = ReconcileAnnotationValue(obj.Annotations)
 	if !ok {
@@ -65,3 +78,112 @@ func TestGetAnnotationValue(t *testing.T) {
 		t.Error("expected to detect change in annotation value")
 	}
 }
+
+func TestShouldHandleForceRequest(t *testing.T) {
+	obj := &whatever{
+		Annotations: map[string]string{
+			ReconcileRequestAnnotation: "b",
+			ForceRequestAnnotation:     "b",
+		},
+		Status: whateverStatus{
+			ReconcileRequestStatus: ReconcileRequestStatus{
+				LastHandledReconcileAt: "a",
+			},
+			ForceRequestStatus: ForceRequestStatus{
+				LastHandledForceAt: "a",
+			},
+		},
+	}
+
+	if !ShouldHandleForceRequest(obj) {
+		t.Error("ShouldHandleForceRequest() = false")
+	}
+
+	if obj.Status.LastHandledForceAt != "b" {
+		t.Error("ShouldHandleForceRequest did not update LastHandledForceAt")
+	}
+}
+
+func TestHandleAnnotationRequest(t *testing.T) {
+	const requestAnnotation = "requestAnnotation"
+
+	tests := []struct {
+		name                     string
+		annotations              map[string]string
+		lastHandledReconcile     string
+		lastHandledRequest       string
+		want                     bool
+		expectLastHandledRequest string
+	}{
+		{
+			name: "valid request and reconcile annotations",
+			annotations: map[string]string{
+				ReconcileRequestAnnotation: "b",
+				requestAnnotation:          "b",
+			},
+			want:                     true,
+			expectLastHandledRequest: "b",
+		},
+		{
+			name: "mismatched annotations",
+			annotations: map[string]string{
+				ReconcileRequestAnnotation: "b",
+				requestAnnotation:          "c",
+			},
+			want:                     false,
+			expectLastHandledRequest: "c",
+		},
+		{
+			name: "reconcile matches previous request",
+			annotations: map[string]string{
+				ReconcileRequestAnnotation: "b",
+				requestAnnotation:          "b",
+			},
+			lastHandledReconcile:     "a",
+			lastHandledRequest:       "b",
+			want:                     false,
+			expectLastHandledRequest: "b",
+		},
+		{
+			name: "request matches previous reconcile",
+			annotations: map[string]string{
+				ReconcileRequestAnnotation: "b",
+				requestAnnotation:          "b",
+			},
+			lastHandledReconcile:     "b",
+			lastHandledRequest:       "a",
+			want:                     false,
+			expectLastHandledRequest: "b",
+		},
+		{
+			name:                     "missing annotations",
+			annotations:              map[string]string{},
+			lastHandledRequest:       "a",
+			want:                     false,
+			expectLastHandledRequest: "a",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			obj := &whatever{
+				Annotations: tt.annotations,
+				Status: whateverStatus{
+					ReconcileRequestStatus: ReconcileRequestStatus{
+						LastHandledReconcileAt: tt.lastHandledReconcile,
+					},
+				},
+			}
+
+			lastHandled := tt.lastHandledRequest
+			result := HandleAnnotationRequest(obj, requestAnnotation, &lastHandled)
+
+			if result != tt.want {
+				t.Errorf("HandleAnnotationRequest() = %v, want %v", result, tt.want)
+			}
+			if lastHandled != tt.expectLastHandledRequest {
+				t.Errorf("lastHandledRequest = %v, want %v", lastHandled, tt.expectLastHandledRequest)
+			}
+		})
+	}
+}

apis/meta/conditions.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2022 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,55 +17,157 @@ limitations under the License.
 package meta
 
 import (
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// These constants define generic Condition types to be used by GitOps Toolkit components.
+//
+// The ReadyCondition SHOULD be implemented by all components' Kubernetes resources to indicate they have been fully
+// reconciled by their respective reconciler. This MAY suffice for simple resources, e.g. a resource that just declares
+// state once and is not expected to receive any updates afterwards.
+//
+// For Kubernetes resources that are expected to receive spec updates over time, take a longer time to reconcile, or
+// deal with more complex logic in which for example a finite error state can be observed, it is RECOMMENDED to
+// implement the StalledCondition and ReconcilingCondition.
+//
+// By doing this, observers making use of kstatus to determine the current state of the resource will have a better
+// experience while they are e.g. waiting for a change to be reconciled, and will be able to stop waiting for a change
+// if a StalledCondition is observed, without having to rely on a timeout.
+//
+// For more information on kstatus, see:
+// https://github.com/kubernetes-sigs/cli-utils/blob/v0.25.0/pkg/kstatus/README.md
 const (
-	// ReadyCondition is the name of the Ready condition implemented by all toolkit
-	// resources.
+	// ReadyCondition indicates the resource is ready and fully reconciled.
+	// If the Condition is False, the resource SHOULD be considered to be in the process of reconciling and not a
+	// representation of actual state.
 	ReadyCondition string = "Ready"
+
+	// StalledCondition indicates the reconciliation of the resource has stalled, e.g. because the controller has
+	// encountered an error during the reconcile process or it has made insufficient progress (timeout).
+	// The Condition adheres to an "abnormal-true" polarity pattern, and MUST only be present on the resource if the
+	// Condition is True.
+	// For more information about polarity patterns, see:
+	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+	StalledCondition string = "Stalled"
+
+	// ReconcilingCondition indicates the controller is currently working on reconciling the latest changes. This MAY be
+	// True for multiple reconciliation attempts, e.g. when an transient error occurred.
+	// The Condition adheres to an "abnormal-true" polarity pattern, and MUST only be present on the resource if the
+	// Condition is True.
+	// For more information about polarity patterns, see:
+	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+	ReconcilingCondition string = "Reconciling"
+
+	// HealthyCondition represents the last recorded
+	// health assessment result.
+	HealthyCondition string = "Healthy"
 )
 
+// These constants define generic Condition reasons to be used by GitOps Toolkit components.
+//
+// Making use of a generic Reason is RECOMMENDED whenever it can be applied to a Condition in which it provides
+// sufficient context together with the type to summarize the meaning of the Condition cause.
+//
+// Where any of the generic Condition reasons does not suffice, GitOps Toolkit components can introduce new reasons to
+// their API specification, or use an arbitrary PascalCase string when setting the Condition.
+// Declaration of domain common Condition reasons in the API specification is RECOMMENDED, as it eases observations
+// for user and computer.
+//
+// For more information on Condition reason conventions, see:
+// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 const (
-	// ReconciliationSucceededReason represents the fact that the reconciliation of
-	// a toolkit resource has succeeded.
-	ReconciliationSucceededReason string = "ReconciliationSucceeded"
+	// SucceededReason indicates a condition or event observed a success, for example when declared desired state
+	// matches actual state, or a performed action succeeded.
+	//
+	// More information about the reason of success MAY be available as additional metadata in an attached message.
+	SucceededReason string = "Succeeded"
 
-	// ReconciliationFailedReason represents the fact that the reconciliation of a
-	// toolkit resource has failed.
-	ReconciliationFailedReason string = "ReconciliationFailed"
+	// FailedReason indicates a condition or event observed a failure, for example when declared state does not match
+	// actual state, or a performed action failed.
+	//
+	// More information about the reason of failure MAY be available as additional metadata in an attached message.
+	FailedReason string = "Failed"
 
-	// ProgressingReason represents the fact that the reconciliation of a toolkit
-	// resource is underway.
+	// ProgressingReason indicates a condition or event observed progression, for example when the reconciliation of a
+	// resource or an action has started.
+	//
+	// When this reason is given, other conditions and types MAY no longer be considered as an up-to-date observation.
+	// Producers of the specific condition type or event SHOULD provide more information about the expectations and
+	// precise meaning in their API specification.
+	//
+	// More information about the reason or the current state of the progression MAY be available as additional metadata
+	// in an attached message.
 	ProgressingReason string = "Progressing"
 
-	// DependencyNotReadyReason represents the fact that one of the toolkit resource
-	// dependencies is not ready.
+	// SuspendedReason indicates a condition or event has observed a suspension, for
+	// example because a resource has been suspended, or a dependency is.
+	SuspendedReason string = "Suspended"
+
+	// ProgressingWithRetryReason represents the fact that
+	// the reconciliation encountered an error that will be retried.
+	ProgressingWithRetryReason string = "ProgressingWithRetry"
+
+	// DependencyNotReadyReason represents the fact that
+	// one of the dependencies is not ready.
 	DependencyNotReadyReason string = "DependencyNotReady"
 
-	// SuspendedReason represents the fact that the reconciliation of a toolkit
-	// resource is suspended.
-	SuspendedReason string = "Suspended"
+	// InvalidPathReason signals a failure caused by an invalid path.
+	InvalidPathReason string = "InvalidPath"
+
+	// InvalidURLReason signals a failure caused by an invalid URL.
+	InvalidURLReason string = "InvalidURL"
+
+	// InsecureConnectionsDisallowedReason signals a failure caused by
+	// the use of insecure HTTP connections.
+	InsecureConnectionsDisallowedReason = "InsecureConnectionsDisallowed"
+
+	// UnsupportedConnectionTypeReason signals a failure caused by
+	// the use of unsupported network protocols.
+	UnsupportedConnectionTypeReason = "UnsupportedConnectionType"
+
+	// PruneFailedReason represents the fact that the
+	// pruning of the resources failed.
+	PruneFailedReason string = "PruneFailed"
+
+	// ArtifactFailedReason represents the fact that the
+	// source artifact download failed.
+	ArtifactFailedReason string = "ArtifactFailed"
+
+	// BuildFailedReason represents the fact that the
+	// build failed.
+	BuildFailedReason string = "BuildFailed"
+
+	// HealthCheckFailedReason represents the fact that
+	// one of the health checks failed.
+	HealthCheckFailedReason string = "HealthCheckFailed"
+
+	// ReconciliationSucceededReason represents the fact that
+	// the reconciliation succeeded.
+	ReconciliationSucceededReason string = "ReconciliationSucceeded"
+
+	// ReconciliationFailedReason represents the fact that
+	// the reconciliation failed.
+	ReconciliationFailedReason string = "ReconciliationFailed"
+
+	// InvalidCELExpressionReason represents the fact that a CEL expression
+	// in the configuration is invalid.
+	InvalidCELExpressionReason string = "InvalidCELExpression"
+
+	// FeatureGateDisabledReason represents the fact that a feature is trying to
+	// be used, but the feature gate for that feature is disabled.
+	FeatureGateDisabledReason string = "FeatureGateDisabled"
 )
 
-// ObjectWithStatusConditions is an interface that describes kubernetes resource
-// type structs with Status Conditions
-type ObjectWithStatusConditions interface {
-	GetStatusConditions() *[]metav1.Condition
+// ObjectWithConditions describes a Kubernetes resource object with status conditions.
+// +k8s:deepcopy-gen=false
+type ObjectWithConditions interface {
+	// GetConditions returns a slice of metav1.Condition
+	GetConditions() []metav1.Condition
 }
 
-// SetResourceCondition sets the given condition with the given status,
-// reason and message on a resource.
-func SetResourceCondition(obj ObjectWithStatusConditions, condition string, status metav1.ConditionStatus, reason, message string) {
-	conditions := obj.GetStatusConditions()
-
-	newCondition := metav1.Condition{
-		Type:    condition,
-		Status:  status,
-		Reason:  reason,
-		Message: message,
-	}
-
-	apimeta.SetStatusCondition(conditions, newCondition)
+// ObjectWithConditionsSetter describes a Kubernetes resource object with a status conditions setter.
+// +k8s:deepcopy-gen=false
+type ObjectWithConditionsSetter interface {
+	// SetConditions sets the status conditions on the object
+	SetConditions([]metav1.Condition)
 }

apis/meta/dependencies.go

@@ -0,0 +1,24 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+// ObjectWithDependencies describes a Kubernetes resource object with dependencies.
+// +k8s:deepcopy-gen=false
+type ObjectWithDependencies interface {
+	// GetDependsOn returns a NamespacedObjectReference list the object depends on.
+	GetDependsOn() []NamespacedObjectReference
+}

apis/meta/doc.go

@@ -14,6 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package meta contains the generic metadata APIs for use by
-// toolkit components.
+// Package meta contains the generic metadata APIs for use by GitOps Toolkit components.
+//
+// It is intended only to help adhere to Kubernetes API conventions, utility integrations, and Flux project considered
+// best practices. It may therefore be suitable for usage by Kubernetes resources with no relationship to the GitOps
+// Toolkit.
+// +kubebuilder:object:generate=true
 package meta

apis/meta/go.mod

@@ -1,5 +1,25 @@
 module github.com/fluxcd/pkg/apis/meta
 
-go 1.15
+go 1.24.0
 
-require k8s.io/apimachinery v0.19.4
+require k8s.io/apimachinery v0.33.2
+
+require (
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
+)

apis/meta/go.sum

@@ -1,169 +1,87 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
-github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/apimachinery v0.19.4 h1:+ZoddM7nbzrDCp0T3SWnyxqf8cbWPT2fkZImoyvHUG0=
-k8s.io/apimachinery v0.19.4/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
-k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=

apis/meta/labels.go

@@ -0,0 +1,25 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+const (
+	// LabelKeyWatch is used to indicate that a resource should be watched by Flux.
+	LabelKeyWatch = "reconcile.fluxcd.io/watch"
+
+	// LabelValueWatchEnabled is the value for LabelKeyWatch that indicates a resource should be watched.
+	LabelValueWatchEnabled = "Enabled"
+)

apis/meta/reference_types.go

@@ -0,0 +1,194 @@
+/*
+Copyright 2020, 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+// LocalObjectReference contains enough information to locate the referenced Kubernetes resource object.
+type LocalObjectReference struct {
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+}
+
+// NamespacedObjectReference contains enough information to locate the referenced Kubernetes resource object in any
+// namespace.
+type NamespacedObjectReference struct {
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, when not specified it acts as LocalObjectReference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// String implements the fmt.Stringer interface for NamespacedObjectReference.
+func (in NamespacedObjectReference) String() string {
+	if in.Namespace != "" {
+		return in.Namespace + "/" + in.Name
+	}
+	return in.Name
+}
+
+// NamespacedObjectKindReference contains enough information to locate the typed referenced Kubernetes resource object
+// in any namespace.
+type NamespacedObjectKindReference struct {
+	// API version of the referent, if not specified the Kubernetes preferred version will be used.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent.
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, when not specified it acts as LocalObjectReference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// SecretKeyReference contains enough information to locate the referenced Kubernetes Secret object in the same
+// namespace. Optionally a key can be specified.
+// Use this type instead of core/v1 SecretKeySelector when the Key is optional and the Optional field is not
+// applicable.
+type SecretKeyReference struct {
+	// Name of the Secret.
+	// +required
+	Name string `json:"name"`
+
+	// Key in the Secret, when not specified an implementation-specific default key is used.
+	// +optional
+	Key string `json:"key,omitempty"`
+}
+
+const (
+	// KubeConfigKeyProvider is the key in the ConfigMap that contains the provider name.
+	KubeConfigKeyProvider = "provider"
+	// KubeConfigKeyAddress is the key in the ConfigMap that contains the cluster resource
+	// name in the provider API
+	KubeConfigKeyCluster = "cluster"
+	// KubeConfigKeyAddress is the key in the ConfigMap that contains the address of the
+	// Kubernetes API server.
+	KubeConfigKeyAddress = "address"
+	// KubeConfigKeyCACert is the key in the ConfigMap that contains the PEM-encoded CA
+	// certificate for the Kubernetes API server.
+	KubeConfigKeyCACert = "ca.crt"
+	// KubeConfigKeyAudiences is the key in the ConfigMap that contains the audiences
+	// for the Kubernetes ServiceAccount token.
+	KubeConfigKeyAudiences = "audiences"
+	// KubeConfigKeyServiceAccountName is the key in the ConfigMap that contains the
+	// name of the Kubernetes ServiceAccount in the same namespace that should be used
+	// for authentication.
+	KubeConfigKeyServiceAccountName = "serviceAccountName"
+)
+
+// KubeConfigReference contains enough information build a kubeconfig
+// in memory for connecting to remote Kubernetes clusters.
+// +kubebuilder:validation:XValidation:rule="has(self.configMapRef) || has(self.secretRef)", message="exactly one of spec.kubeConfig.configMapRef or spec.kubeConfig.secretRef must be specified"
+// +kubebuilder:validation:XValidation:rule="!has(self.configMapRef) || !has(self.secretRef)", message="exactly one of spec.kubeConfig.configMapRef or spec.kubeConfig.secretRef must be specified"
+type KubeConfigReference struct {
+	// ConfigMapRef holds an optional name of a ConfigMap that contains
+	// the following keys:
+	//
+	// - `provider`: the provider to use. One of `aws`, `azure`, `gcp`, or
+	//    `generic`. Required.
+	// - `cluster`: the fully qualified resource name of the Kubernetes
+	//    cluster in the cloud provider API. Not used by the `generic`
+	//    provider. Required when one of `address` or `ca.crt` is not set.
+	// - `address`: the address of the Kubernetes API server. Required
+	//    for `generic`. For the other providers, if not specified, the
+	//    first address in the cluster resource will be used, and if
+	//    specified, it must match one of the addresses in the cluster
+	//    resource.
+	//    If audiences is not set, will be used as the audience for the
+	//    `generic` provider.
+	// - `ca.crt`: the optional PEM-encoded CA certificate for the
+	//    Kubernetes API server. If not set, the controller will use the
+	//    CA certificate from the cluster resource.
+	// - `audiences`: the optional audiences as a list of
+	//    line-break-separated strings for the Kubernetes ServiceAccount
+	//    token. Defaults to the `address` for the `generic` provider, or
+	//    to specific values for the other providers depending on the
+	//    provider.
+	// -  `serviceAccountName`: the optional name of the Kubernetes
+	//    ServiceAccount in the same namespace that should be used
+	//    for authentication. If not specified, the controller
+	//    ServiceAccount will be used.
+	//
+	// Mutually exclusive with SecretRef.
+	//
+	// +optional
+	ConfigMapRef *LocalObjectReference `json:"configMapRef,omitempty"`
+
+	// SecretRef holds an optional name of a secret that contains a key with
+	// the kubeconfig file as the value. If no key is set, the key will default
+	// to 'value'. Mutually exclusive with ConfigMapRef.
+	// It is recommended that the kubeconfig is self-contained, and the secret
+	// is regularly updated if credentials such as a cloud-access-token expire.
+	// Cloud specific `cmd-path` auth helpers will not function without adding
+	// binaries and credentials to the Pod that is responsible for reconciling
+	// Kubernetes resources. Supported only for the generic provider.
+	// +optional
+	SecretRef *SecretKeyReference `json:"secretRef,omitempty"`
+}
+
+// ValuesReference contains a reference to a resource containing Helm values,
+// and optionally the key they can be found at.
+type ValuesReference struct {
+	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+	// +kubebuilder:validation:Enum=Secret;ConfigMap
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the values referent. Should reside in the same namespace as the
+	// referring resource.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name"`
+
+	// ValuesKey is the data key where the values.yaml or a specific value can be
+	// found at. Defaults to 'values.yaml'.
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[\-._a-zA-Z0-9]+$`
+	// +optional
+	ValuesKey string `json:"valuesKey,omitempty"`
+
+	// TargetPath is the YAML dot notation path the value should be merged at. When
+	// set, the ValuesKey is expected to be a single flat value. Defaults to 'None',
+	// which results in the values getting merged at the root.
+	// +kubebuilder:validation:MaxLength=250
+	// +kubebuilder:validation:Pattern=`^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$`
+	// +optional
+	TargetPath string `json:"targetPath,omitempty"`
+
+	// Optional marks this ValuesReference as optional. When set, a not found error
+	// for the values reference is ignored, but any ValuesKey, TargetPath or
+	// transient error will still result in a reconciliation failure.
+	// +optional
+	Optional bool `json:"optional,omitempty"`
+}
+
+// GetValuesKey returns the defined ValuesKey, or the default ('values.yaml').
+func (in ValuesReference) GetValuesKey() string {
+	if in.ValuesKey == "" {
+		return "values.yaml"
+	}
+	return in.ValuesKey
+}

apis/meta/zz_generated.deepcopy.go

@@ -0,0 +1,153 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package meta
+
+import ()
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ForceRequestStatus) DeepCopyInto(out *ForceRequestStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForceRequestStatus.
+func (in *ForceRequestStatus) DeepCopy() *ForceRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ForceRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubeConfigReference) DeepCopyInto(out *KubeConfigReference) {
+	*out = *in
+	if in.ConfigMapRef != nil {
+		in, out := &in.ConfigMapRef, &out.ConfigMapRef
+		*out = new(LocalObjectReference)
+		**out = **in
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(SecretKeyReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeConfigReference.
+func (in *KubeConfigReference) DeepCopy() *KubeConfigReference {
+	if in == nil {
+		return nil
+	}
+	out := new(KubeConfigReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
+func (in *LocalObjectReference) DeepCopy() *LocalObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespacedObjectKindReference) DeepCopyInto(out *NamespacedObjectKindReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedObjectKindReference.
+func (in *NamespacedObjectKindReference) DeepCopy() *NamespacedObjectKindReference {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespacedObjectKindReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespacedObjectReference) DeepCopyInto(out *NamespacedObjectReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedObjectReference.
+func (in *NamespacedObjectReference) DeepCopy() *NamespacedObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespacedObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReconcileRequestStatus) DeepCopyInto(out *ReconcileRequestStatus) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReconcileRequestStatus.
+func (in *ReconcileRequestStatus) DeepCopy() *ReconcileRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ReconcileRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeyReference) DeepCopyInto(out *SecretKeyReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeyReference.
+func (in *SecretKeyReference) DeepCopy() *SecretKeyReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretKeyReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ValuesReference) DeepCopyInto(out *ValuesReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValuesReference.
+func (in *ValuesReference) DeepCopy() *ValuesReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ValuesReference)
+	in.DeepCopyInto(out)
+	return out
+}

auth/access_token.go

@@ -0,0 +1,185 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	authnv1 "k8s.io/api/authentication/v1"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/cache"
+)
+
+// GetAccessToken returns an access token for accessing resources in the given cloud provider.
+func GetAccessToken(ctx context.Context, provider Provider, opts ...Option) (Token, error) {
+
+	var o Options
+	o.Apply(opts...)
+
+	// Initialize access token fetcher for controller.
+	newAccessToken := func() (Token, error) {
+		token, err := provider.NewControllerToken(ctx, opts...)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create provider access token for the controller: %w", err)
+		}
+		return token, nil
+	}
+
+	// Update access token fetcher for a service account if specified.
+	var serviceAccount *corev1.ServiceAccount
+	var providerIdentity string
+	var audiences []string
+	if o.ServiceAccount != nil {
+		// Fetch service account details.
+		var err error
+		serviceAccount, audiences, providerIdentity, err =
+			getServiceAccountAndProviderInfo(ctx, provider, o.Client, *o.ServiceAccount, opts...)
+		if err != nil {
+			return nil, err
+		}
+
+		// Update the function to create an access token using the service account.
+		newAccessToken = func() (Token, error) {
+			// Check the feature gate for object-level workload identity.
+			if !IsObjectLevelWorkloadIdentityEnabled() {
+				return nil, ErrObjectLevelWorkloadIdentityNotEnabled
+			}
+
+			// Issue Kubernetes OIDC token for the service account.
+			tokenReq := &authnv1.TokenRequest{
+				Spec: authnv1.TokenRequestSpec{
+					Audiences: audiences,
+				},
+			}
+			if err := o.Client.SubResource("token").Create(ctx, serviceAccount, tokenReq); err != nil {
+				return nil, fmt.Errorf("failed to create kubernetes token for service account '%s/%s': %w",
+					serviceAccount.Namespace, serviceAccount.Name, err)
+			}
+			oidcToken := tokenReq.Status.Token
+
+			// Exchange the Kubernetes OIDC token for a provider access token.
+			token, err := provider.NewTokenForServiceAccount(ctx, oidcToken, *serviceAccount, opts...)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create provider access token for service account '%s/%s': %w",
+					serviceAccount.Namespace, serviceAccount.Name, err)
+			}
+
+			return token, nil
+		}
+	}
+
+	// Bail out early if cache is disabled.
+	if o.Cache == nil {
+		return newAccessToken()
+	}
+
+	// Build cache key.
+	cacheKey := buildAccessTokenCacheKey(provider, audiences, providerIdentity, serviceAccount, opts...)
+
+	// Build involved object details.
+	kind := o.InvolvedObject.Kind
+	name := o.InvolvedObject.Name
+	namespace := o.InvolvedObject.Namespace
+	operation := o.InvolvedObject.Operation
+
+	// Get token from cache.
+	token, _, err := o.Cache.GetOrSet(ctx, cacheKey, func(ctx context.Context) (cache.Token, error) {
+		return newAccessToken()
+	}, cache.WithInvolvedObject(kind, name, namespace, operation))
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+func getServiceAccountAndProviderInfo(ctx context.Context, provider Provider, client client.Client,
+	key client.ObjectKey, opts ...Option) (*corev1.ServiceAccount, []string, string, error) {
+
+	var o Options
+	o.Apply(opts...)
+
+	// Get service account.
+	var serviceAccount corev1.ServiceAccount
+	if err := client.Get(ctx, key, &serviceAccount); err != nil {
+		return nil, nil, "", fmt.Errorf("failed to get service account '%s/%s': %w",
+			key.Namespace, key.Name, err)
+	}
+
+	// Get provider audience.
+	audiences := o.Audiences
+	if len(audiences) == 0 {
+		var err error
+		audiences, err = provider.GetAudiences(ctx, serviceAccount)
+		if err != nil {
+			return nil, nil, "", fmt.Errorf("failed to get provider audience: %w", err)
+		}
+	}
+
+	// Get provider identity.
+	providerIdentity, err := provider.GetIdentity(serviceAccount)
+	if err != nil {
+		return nil, nil, "", fmt.Errorf("failed to get provider identity from service account '%s/%s' annotations: %w",
+			key.Namespace, key.Name, err)
+	}
+
+	return &serviceAccount, audiences, providerIdentity, nil
+}
+
+func buildAccessTokenCacheKey(provider Provider, audiences []string, providerIdentity string,
+	serviceAccount *corev1.ServiceAccount, opts ...Option) string {
+
+	var o Options
+	o.Apply(opts...)
+
+	var parts []string
+
+	parts = append(parts, fmt.Sprintf("provider=%s", provider.GetName()))
+
+	if serviceAccount != nil {
+		parts = append(parts, fmt.Sprintf("providerIdentity=%s", providerIdentity))
+		parts = append(parts, fmt.Sprintf("serviceAccountName=%s", serviceAccount.Name))
+		parts = append(parts, fmt.Sprintf("serviceAccountNamespace=%s", serviceAccount.Namespace))
+		parts = append(parts, fmt.Sprintf("serviceAccountTokenAudiences=%s", strings.Join(audiences, ",")))
+	}
+
+	if len(o.Scopes) > 0 {
+		parts = append(parts, fmt.Sprintf("scopes=%s", strings.Join(o.Scopes, ",")))
+	}
+
+	if o.STSRegion != "" {
+		parts = append(parts, fmt.Sprintf("stsRegion=%s", o.STSRegion))
+	}
+
+	if o.STSEndpoint != "" {
+		parts = append(parts, fmt.Sprintf("stsEndpoint=%s", o.STSEndpoint))
+	}
+
+	if o.ProxyURL != nil {
+		parts = append(parts, fmt.Sprintf("proxyURL=%s", o.ProxyURL))
+	}
+
+	if o.CAData != "" {
+		parts = append(parts, fmt.Sprintf("caData=%s", o.CAData))
+	}
+
+	return buildCacheKey(parts...)
+}

auth/access_token_test.go

@@ -0,0 +1,254 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth_test
+
+import (
+	"context"
+	"net/url"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/cache"
+)
+
+func TestGetAccessToken(t *testing.T) {
+	g := NewWithT(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	t.Cleanup(cancel)
+
+	kubeClient, oidcClient := newTestEnv(t, ctx)
+
+	// Create a default service account.
+	defaultServiceAccount := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: "default",
+		},
+	}
+	err := kubeClient.Create(ctx, defaultServiceAccount)
+	g.Expect(err).NotTo(HaveOccurred())
+	saRef := client.ObjectKey{
+		Name:      defaultServiceAccount.Name,
+		Namespace: defaultServiceAccount.Namespace,
+	}
+
+	for _, tt := range []struct {
+		name               string
+		provider           *mockProvider
+		opts               []auth.Option
+		disableObjectLevel bool
+		expectedToken      auth.Token
+		expectedErr        string
+	}{
+		{
+			name: "controller access token",
+			provider: &mockProvider{
+				returnControllerToken: &mockToken{token: "mock-default-token"},
+			},
+			opts: []auth.Option{
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+			},
+			expectedToken: &mockToken{token: "mock-default-token"},
+		},
+		{
+			name: "controller access token allowing shell out",
+			provider: &mockProvider{
+				returnControllerToken: &mockToken{token: "mock-default-token"},
+				paramAllowShellOut:    true,
+			},
+			opts: []auth.Option{
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+				auth.WithAllowShellOut(),
+			},
+			expectedToken: &mockToken{token: "mock-default-token"},
+		},
+		{
+			name: "access token from service account",
+			provider: &mockProvider{
+				returnName:           "mock-provider",
+				returnAccessToken:    &mockToken{token: "mock-access-token"},
+				paramAudiences:       []string{"audience1", "audience2"},
+				paramServiceAccount:  *defaultServiceAccount,
+				paramOIDCTokenClient: oidcClient,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+				// Exercise the code path where a cache is set but no token is
+				// available in the cache.
+				func(o *auth.Options) {
+					tokenCache, err := cache.NewTokenCache(1)
+					g.Expect(err).NotTo(HaveOccurred())
+					o.Cache = tokenCache
+				},
+			},
+			expectedToken: &mockToken{token: "mock-access-token"},
+		},
+		{
+			name: "access token from service account - default audience",
+			provider: &mockProvider{
+				returnName:           "mock-provider",
+				returnAccessToken:    &mockToken{token: "mock-access-token"},
+				paramAudiences:       []string{},
+				paramServiceAccount:  *defaultServiceAccount,
+				paramOIDCTokenClient: oidcClient,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+			},
+			expectedToken: &mockToken{token: "mock-access-token"},
+		},
+		{
+			name: "all the options are taken into account in the cache key",
+			provider: &mockProvider{
+				returnName:          "mock-provider",
+				returnIdentity:      "mock-identity",
+				paramAudiences:      []string{"audience1", "audience2"},
+				paramServiceAccount: *defaultServiceAccount,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+				func(o *auth.Options) {
+					tokenCache, err := cache.NewTokenCache(1)
+					g.Expect(err).NotTo(HaveOccurred())
+
+					const key = "db625bd5a96dc48fcc100659c6db98857d1e0ceec930bbded0fdece14af4307c"
+					token := &mockToken{token: "cached-token"}
+					cachedToken, ok, err := tokenCache.GetOrSet(ctx, key, func(ctx context.Context) (cache.Token, error) {
+						return token, nil
+					})
+					g.Expect(err).NotTo(HaveOccurred())
+					g.Expect(ok).To(BeFalse())
+					g.Expect(cachedToken).To(Equal(token))
+
+					o.Cache = tokenCache
+				},
+			},
+			expectedToken: &mockToken{token: "cached-token"},
+		},
+		{
+			name: "error getting identity",
+			provider: &mockProvider{
+				returnIdentityErr:   "mock error",
+				paramServiceAccount: *defaultServiceAccount,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+			},
+			expectedErr: "failed to get provider identity from service account 'default/default' annotations: mock error",
+		},
+		{
+			name: "error getting identity using cache",
+			provider: &mockProvider{
+				returnIdentityErr:   "mock error",
+				paramServiceAccount: *defaultServiceAccount,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+				func(o *auth.Options) {
+					tokenCache, err := cache.NewTokenCache(1)
+					g.Expect(err).NotTo(HaveOccurred())
+					o.Cache = tokenCache
+				},
+			},
+			expectedErr: "failed to get provider identity from service account 'default/default' annotations: mock error",
+		},
+		{
+			name: "disable object level workload identity",
+			provider: &mockProvider{
+				paramServiceAccount: *defaultServiceAccount,
+			},
+			opts: []auth.Option{
+				auth.WithServiceAccount(saRef, kubeClient),
+				auth.WithAudiences("audience1", "audience2"),
+				auth.WithScopes("scope1", "scope2"),
+				auth.WithSTSRegion("us-east-1"),
+				auth.WithSTSEndpoint("https://sts.some-cloud.io"),
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.io:8080"}),
+				auth.WithCAData("ca-data"),
+			},
+			disableObjectLevel: true,
+			expectedErr:        "ObjectLevelWorkloadIdentity feature gate is not enabled",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			tt.provider.t = t
+
+			if !tt.disableObjectLevel {
+				t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
+			}
+
+			token, err := auth.GetAccessToken(ctx, tt.provider, tt.opts...)
+
+			if tt.expectedErr != "" {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.expectedErr))
+				g.Expect(token).To(BeNil())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(token).To(Equal(tt.expectedToken))
+			}
+		})
+	}
+}

auth/aws/credentials_provider.go

@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+type credentialsProvider struct {
+	ctx  context.Context
+	opts []auth.Option
+}
+
+// NewCredentialsProvider creates a new credentials provider for the given options.
+func NewCredentialsProvider(ctx context.Context, opts ...auth.Option) aws.CredentialsProvider {
+	return &credentialsProvider{ctx, opts}
+}
+
+// Retrieve implements aws.CredentialsProvider.
+// The context is ignored, use the constructor to set the context.
+// This is because the GCP abstraction does not receive a context
+// in the method arguments, so we unfortunately need to standardize
+// the behavior of all providers around this so the usage of this
+// library can be consistent regardless of the provider.
+func (c *credentialsProvider) Retrieve(context.Context) (aws.Credentials, error) {
+	token, err := auth.GetAccessToken(c.ctx, Provider{}, c.opts...)
+	if err != nil {
+		return aws.Credentials{}, err
+	}
+	awsCreds, ok := token.(*Credentials)
+	if !ok {
+		return aws.Credentials{}, fmt.Errorf("failed to cast token to AWS token: %T", token)
+	}
+	return aws.Credentials{
+		AccessKeyID:     *awsCreds.AccessKeyId,
+		SecretAccessKey: *awsCreds.SecretAccessKey,
+		SessionToken:    *awsCreds.SessionToken,
+		Expires:         *awsCreds.Expiration,
+		CanExpire:       true,
+	}, nil
+}

auth/aws/implementation.go

@@ -0,0 +1,65 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	signerv4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+)
+
+// Implementation provides the required methods of the AWS libraries.
+type Implementation interface {
+	LoadDefaultConfig(ctx context.Context, optFns ...func(*config.LoadOptions) error) (aws.Config, error)
+	AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, options sts.Options) (*sts.AssumeRoleWithWebIdentityOutput, error)
+	GetAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error)
+	GetPublicAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error)
+	DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, options eks.Options) (*eks.DescribeClusterOutput, error)
+	PresignGetCallerIdentity(ctx context.Context, optFn func(*sts.PresignOptions), options sts.Options) (*signerv4.PresignedHTTPRequest, error)
+}
+
+type implementation struct{}
+
+func (implementation) LoadDefaultConfig(ctx context.Context, optFns ...func(*config.LoadOptions) error) (aws.Config, error) {
+	return config.LoadDefaultConfig(ctx, optFns...)
+}
+
+func (implementation) AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, options sts.Options) (*sts.AssumeRoleWithWebIdentityOutput, error) {
+	return sts.New(options).AssumeRoleWithWebIdentity(ctx, params)
+}
+
+func (implementation) GetAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error) {
+	return ecr.NewFromConfig(cfg).GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
+}
+
+func (implementation) GetPublicAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error) {
+	return ecrpublic.NewFromConfig(cfg).GetAuthorizationToken(ctx, &ecrpublic.GetAuthorizationTokenInput{})
+}
+
+func (implementation) DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, options eks.Options) (*eks.DescribeClusterOutput, error) {
+	return eks.New(options).DescribeCluster(ctx, params)
+}
+
+func (implementation) PresignGetCallerIdentity(ctx context.Context, optFn func(*sts.PresignOptions), options sts.Options) (*signerv4.PresignedHTTPRequest, error) {
+	return sts.NewPresignClient(sts.New(options)).PresignGetCallerIdentity(ctx, &sts.GetCallerIdentityInput{}, optFn)
+}

auth/aws/implementation_test.go

@@ -0,0 +1,281 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws_test
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	signerv4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	ecrtypes "github.com/aws/aws-sdk-go-v2/service/ecr/types"
+	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
+	ecrpublictypes "github.com/aws/aws-sdk-go-v2/service/ecrpublic/types"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	ststypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
+	. "github.com/onsi/gomega"
+)
+
+type mockImplementation struct {
+	t *testing.T
+
+	publicECR bool
+
+	expectEKSAPICall bool
+
+	argRoleARN         string
+	argRoleSessionName string
+	argOIDCToken       string
+	argRegion          string
+	argSTSEndpoint     string
+	argProxyURL        *url.URL
+	argCredsProvider   aws.CredentialsProvider
+	argClusterName     string
+
+	returnCreds        aws.Credentials
+	returnUsername     string
+	returnPassword     string
+	returnEndpoint     string
+	returnCAData       string
+	returnPresignedURL string
+}
+
+type mockHTTPPresigner struct {
+	t              *testing.T
+	argClusterName string
+	returnURL      string
+}
+
+type mockCredentialsProvider struct{ aws.Credentials }
+
+func (m *mockImplementation) LoadDefaultConfig(ctx context.Context, optFns ...func(*config.LoadOptions) error) (aws.Config, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	var o config.LoadOptions
+	for _, optFn := range optFns {
+		optFn(&o)
+	}
+	g.Expect(o.Region).To(Equal(m.argRegion))
+	g.Expect(o.BaseEndpoint).To(Equal(m.argSTSEndpoint))
+	g.Expect(o.HTTPClient).NotTo(BeNil())
+	g.Expect(o.HTTPClient.(*http.Client)).NotTo(BeNil())
+	g.Expect(o.HTTPClient.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(o.HTTPClient.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(o.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := o.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	return aws.Config{Credentials: &mockCredentialsProvider{m.returnCreds}}, nil
+}
+
+func (m *mockImplementation) AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, options sts.Options) (*sts.AssumeRoleWithWebIdentityOutput, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(params).NotTo(BeNil())
+	g.Expect(params.RoleArn).NotTo(BeNil())
+	g.Expect(*params.RoleArn).To(Equal(m.argRoleARN))
+	g.Expect(params.RoleSessionName).NotTo(BeNil())
+	g.Expect(*params.RoleSessionName).To(Equal(m.argRoleSessionName))
+	g.Expect(params.WebIdentityToken).NotTo(BeNil())
+	g.Expect(*params.WebIdentityToken).To(Equal(m.argOIDCToken))
+	g.Expect(options.Region).To(Equal(m.argRegion))
+	g.Expect(options.BaseEndpoint).NotTo(BeNil())
+	g.Expect(*options.BaseEndpoint).To(Equal(m.argSTSEndpoint))
+	g.Expect(options.HTTPClient).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	return &sts.AssumeRoleWithWebIdentityOutput{
+		Credentials: &ststypes.Credentials{
+			AccessKeyId:     aws.String(m.returnCreds.AccessKeyID),
+			SecretAccessKey: aws.String(m.returnCreds.SecretAccessKey),
+			SessionToken:    aws.String(m.returnCreds.SessionToken),
+			Expiration:      aws.Time(m.returnCreds.Expires),
+		},
+	}, nil
+}
+
+func (m *mockImplementation) GetAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.publicECR).To(BeFalse())
+	m.checkGetAuthorizationToken(ctx, cfg)
+	return &ecr.GetAuthorizationTokenOutput{
+		AuthorizationData: []ecrtypes.AuthorizationData{{
+			AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString([]byte(m.returnUsername + ":" + m.returnPassword))),
+			ExpiresAt:          aws.Time(m.returnCreds.Expires),
+		}},
+	}, nil
+}
+
+func (m *mockImplementation) GetPublicAuthorizationToken(ctx context.Context, cfg aws.Config) (any, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.publicECR).To(BeTrue())
+	m.checkGetAuthorizationToken(ctx, cfg)
+	return &ecrpublic.GetAuthorizationTokenOutput{
+		AuthorizationData: &ecrpublictypes.AuthorizationData{
+			AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString([]byte(m.returnUsername + ":" + m.returnPassword))),
+			ExpiresAt:          aws.Time(m.returnCreds.Expires),
+		},
+	}, nil
+}
+
+func (m *mockImplementation) DescribeCluster(ctx context.Context, params *eks.DescribeClusterInput, options eks.Options) (*eks.DescribeClusterOutput, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.expectEKSAPICall).To(BeTrue())
+	g.Expect(params).NotTo(BeNil())
+	g.Expect(params.Name).NotTo(BeNil())
+	g.Expect(*params.Name).To(Equal(m.argClusterName))
+	g.Expect(options.Region).To(Equal(m.argRegion))
+	g.Expect(options.Credentials).To(Equal(m.argCredsProvider))
+	g.Expect(options.HTTPClient).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	return &eks.DescribeClusterOutput{
+		Cluster: &ekstypes.Cluster{
+			Name:     aws.String(m.argClusterName),
+			Endpoint: aws.String(m.returnEndpoint),
+			CertificateAuthority: &ekstypes.Certificate{
+				Data: aws.String(m.returnCAData),
+			},
+		},
+	}, nil
+}
+
+func (m *mockImplementation) PresignGetCallerIdentity(ctx context.Context, optFn func(*sts.PresignOptions), options sts.Options) (*signerv4.PresignedHTTPRequest, error) {
+	m.t.Helper()
+
+	g := NewWithT(m.t)
+
+	// Check that optFn adds the presigner with the custom EKS headers to the options.
+	g.Expect(optFn).NotTo(BeNil())
+	mockPresigner := &mockHTTPPresigner{
+		t:              m.t,
+		argClusterName: m.argClusterName,
+		returnURL:      m.returnPresignedURL,
+	}
+	var presignOpts sts.PresignOptions
+	presignOpts.Presigner = mockPresigner
+	optFn(&presignOpts)
+	g.Expect(presignOpts.Presigner).NotTo(Equal(mockPresigner))
+	req, _ := http.NewRequest("POST", "https://sts.amazonaws.com/", nil)
+	signingTime := time.Date(2023, 1, 1, 12, 0, 0, 0, time.UTC)
+	signerOptFn := func(opts *signerv4.SignerOptions) { opts.LogSigning = true }
+	creds := aws.Credentials{
+		AccessKeyID:     "access-key-id",
+		SecretAccessKey: "secret-access-key",
+		SessionToken:    "session-token",
+	}
+	presignedURL, presignedHeader, err := presignOpts.Presigner.PresignHTTP(
+		ctx, creds, req, "payload-hash", "sts", "us-east-1", signingTime, signerOptFn)
+	g.Expect(presignedURL).To(Equal(m.returnPresignedURL))
+	g.Expect(presignedHeader).To(Equal(http.Header{"foo": []string{"bar"}}))
+	g.Expect(err).To(MatchError("mock presign error"))
+
+	// Check the sts options.
+	g.Expect(options.Region).To(Equal(m.argRegion))
+	g.Expect(options.Credentials).To(Equal(m.argCredsProvider))
+	if m.argSTSEndpoint != "" {
+		g.Expect(options.BaseEndpoint).NotTo(BeNil())
+		g.Expect(*options.BaseEndpoint).To(Equal(m.argSTSEndpoint))
+	} else {
+		g.Expect(options.BaseEndpoint).To(BeNil())
+	}
+	g.Expect(options.HTTPClient).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+
+	return &signerv4.PresignedHTTPRequest{
+		URL: m.returnPresignedURL,
+	}, nil
+}
+
+func (m *mockImplementation) checkGetAuthorizationToken(ctx context.Context, cfg aws.Config) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(cfg.Region).To(Equal(m.argRegion))
+	g.Expect(cfg.Credentials).To(Equal(m.argCredsProvider))
+	g.Expect(cfg.HTTPClient).NotTo(BeNil())
+	g.Expect(cfg.HTTPClient.(*http.Client)).NotTo(BeNil())
+	g.Expect(cfg.HTTPClient.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(cfg.HTTPClient.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(cfg.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := cfg.HTTPClient.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+}
+
+func (m *mockHTTPPresigner) PresignHTTP(ctx context.Context, credentials aws.Credentials,
+	r *http.Request, payloadHash string, service string, region string, signingTime time.Time,
+	optFns ...func(*signerv4.SignerOptions)) (url string, signedHeader http.Header, err error) {
+
+	m.t.Helper()
+
+	g := NewWithT(m.t)
+
+	// Check args.
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(credentials.AccessKeyID).To(Equal("access-key-id"))
+	g.Expect(credentials.SecretAccessKey).To(Equal("secret-access-key"))
+	g.Expect(credentials.SessionToken).To(Equal("session-token"))
+	g.Expect(r).NotTo(BeNil())
+	g.Expect(r.Method).To(Equal("POST"))
+	g.Expect(r.URL.String()).To(Equal("https://sts.amazonaws.com/"))
+	g.Expect(r.Header.Get("x-k8s-aws-id")).To(Equal(m.argClusterName))
+	g.Expect(r.Header.Get("X-Amz-Expires")).To(Equal("900"))
+	g.Expect(payloadHash).To(Equal("payload-hash"))
+	g.Expect(service).To(Equal("sts"))
+	g.Expect(region).To(Equal("us-east-1"))
+	g.Expect(signingTime).To(Equal(time.Date(2023, 1, 1, 12, 0, 0, 0, time.UTC)))
+	g.Expect(optFns).To(HaveLen(1))
+	optFn := optFns[0]
+	g.Expect(optFn).NotTo(BeNil())
+	var signerOpts signerv4.SignerOptions
+	optFn(&signerOpts)
+	g.Expect(signerOpts).To(Equal(signerv4.SignerOptions{LogSigning: true}))
+
+	return m.returnURL, http.Header{"foo": []string{"bar"}}, errors.New("mock presign error")
+}
+
+func (m *mockCredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
+	return m.Credentials, nil
+}

auth/aws/options.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"fmt"
+	"regexp"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+const stsEndpointPattern = `^https://(.+\.)?sts(-fips)?(\.[^.]+)?(\.vpce)?\.amazonaws\.com$`
+
+var stsEndpointRegex = regexp.MustCompile(stsEndpointPattern)
+
+// ValidateSTSEndpoint checks if the provided STS endpoint is valid.
+//
+// Global and regional endpoints:
+//
+//	https://docs.aws.amazon.com/general/latest/gr/sts.html
+//
+// VPC endpoint examples:
+//
+//	https://vpce-002b7cc8966426bc6-njisq19r.sts.us-east-1.vpce.amazonaws.com
+//	https://vpce-002b7cc8966426bc6-njisq19r-us-east-1a.sts.us-east-1.vpce.amazonaws.com
+func ValidateSTSEndpoint(endpoint string) error {
+	if !stsEndpointRegex.MatchString(endpoint) {
+		return fmt.Errorf("invalid STS endpoint: '%s'. must match %s",
+			endpoint, stsEndpointPattern)
+	}
+	return nil
+}
+
+const roleARNPattern = `^arn:aws[\w-]*:iam::[0-9]{1,30}:role/.{1,200}$`
+
+var roleARNRegex = regexp.MustCompile(roleARNPattern)
+
+func getRoleARN(serviceAccount corev1.ServiceAccount) (string, error) {
+	const key = "eks.amazonaws.com/role-arn"
+	arn := serviceAccount.Annotations[key]
+	if !roleARNRegex.MatchString(arn) {
+		return "", fmt.Errorf("invalid %s annotation: '%s'. must match %s",
+			key, arn, roleARNPattern)
+	}
+	return arn, nil
+}
+
+func getRoleSessionName(serviceAccount corev1.ServiceAccount, region string) string {
+	name := serviceAccount.Name
+	namespace := serviceAccount.Namespace
+	return fmt.Sprintf("%s.%s.%s.fluxcd.io", name, namespace, region)
+}
+
+const clusterPattern = `^arn:aws[\w-]*:eks:([^:]{1,100}):[0-9]{1,30}:cluster/(.{1,200})$`
+
+var clusterRegex = regexp.MustCompile(clusterPattern)
+
+func parseCluster(cluster string) (string, string, error) {
+	m := clusterRegex.FindStringSubmatch(cluster)
+	if len(m) != 3 {
+		return "", "", fmt.Errorf("invalid EKS cluster ARN: '%s'. must match %s",
+			cluster, clusterPattern)
+	}
+	region := m[1]
+	name := m[2]
+	return region, name, nil
+}

auth/aws/options_test.go

@@ -0,0 +1,154 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+
+	"github.com/fluxcd/pkg/auth/aws"
+)
+
+func TestValidateSTSEndpoint(t *testing.T) {
+	for _, tt := range []struct {
+		name        string
+		stsEndpoint string
+		valid       bool
+	}{
+		// valid endpoints
+		{
+			name:        "global endpoint",
+			stsEndpoint: "https://sts.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-east-2.amazonaws.com",
+			stsEndpoint: "https://sts.us-east-2.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts-fips.us-east-2.amazonaws.com",
+			stsEndpoint: "https://sts-fips.us-east-2.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-east-1.amazonaws.com",
+			stsEndpoint: "https://sts.us-east-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts-fips.us-east-1.amazonaws.com",
+			stsEndpoint: "https://sts-fips.us-east-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-west-1.amazonaws.com",
+			stsEndpoint: "https://sts.us-west-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts-fips.us-west-1.amazonaws.com",
+			stsEndpoint: "https://sts-fips.us-west-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-west-2.amazonaws.com",
+			stsEndpoint: "https://sts.us-west-2.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts-fips.us-west-2.amazonaws.com",
+			stsEndpoint: "https://sts-fips.us-west-2.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.il-central-1.amazonaws.com",
+			stsEndpoint: "https://sts.il-central-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.mx-central-1.amazonaws.com",
+			stsEndpoint: "https://sts.mx-central-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.me-south-1.amazonaws.com",
+			stsEndpoint: "https://sts.me-south-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.me-central-1.amazonaws.com",
+			stsEndpoint: "https://sts.me-central-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.sa-east-1.amazonaws.com",
+			stsEndpoint: "https://sts.sa-east-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-gov-east-1.amazonaws.com",
+			stsEndpoint: "https://sts.us-gov-east-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "sts.us-gov-west-1.amazonaws.com",
+			stsEndpoint: "https://sts.us-gov-west-1.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "vpce-002b7cc8966426bc6-njisq19r.sts.us-east-1.vpce.amazonaws.com",
+			stsEndpoint: "https://vpce-002b7cc8966426bc6-njisq19r.sts.us-east-1.vpce.amazonaws.com",
+			valid:       true,
+		},
+		{
+			name:        "vpce-002b7cc8966426bc6-njisq19r-us-east-1a.sts.us-east-1.vpce.amazonaws.com",
+			stsEndpoint: "https://vpce-002b7cc8966426bc6-njisq19r-us-east-1a.sts.us-east-1.vpce.amazonaws.com",
+			valid:       true,
+		},
+		// invalid endpoints
+		{
+			name:        "non sts endpoint",
+			stsEndpoint: "https://stss.amazonaws.com",
+			valid:       false,
+		},
+		{
+			name:        "non aws endpoint",
+			stsEndpoint: "https://sts.amazonaws.example.com",
+			valid:       false,
+		},
+		{
+			name:        "http endpoint",
+			stsEndpoint: "http://sts.amazonaws.com",
+			valid:       false,
+		},
+		{
+			name:        "no scheme",
+			stsEndpoint: "sts.amazonaws.com",
+			valid:       false,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			err := aws.ValidateSTSEndpoint(tt.stsEndpoint)
+
+			g.Expect(err == nil).To(Equal(tt.valid))
+		})
+	}
+}

auth/aws/provider.go

@@ -0,0 +1,412 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
+	"github.com/aws/aws-sdk-go-v2/service/eks"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/google/go-containerregistry/pkg/authn"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+// ProviderName is the name of the AWS authentication provider.
+const ProviderName = "aws"
+
+// Provider implements the auth.Provider interface for AWS authentication.
+type Provider struct{ Implementation }
+
+// GetName implements auth.Provider.
+func (Provider) GetName() string {
+	return ProviderName
+}
+
+// NewControllerToken implements auth.Provider.
+func (p Provider) NewControllerToken(ctx context.Context, opts ...auth.Option) (auth.Token, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	confOpts := []func(*config.LoadOptions) error{
+		config.WithHTTPClient(o.GetHTTPClient()),
+	}
+
+	stsRegion := o.STSRegion
+	if stsRegion == "" {
+		// EKS sets this environment variable automatically if the controller pod is
+		// properly configured with IRSA or EKS Pod Identity, so we can rely on it.
+		stsRegion = os.Getenv("AWS_REGION")
+		if stsRegion == "" {
+			return nil, errors.New("AWS_REGION environment variable is not set in the Flux controller. " +
+				"if you have properly configured IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, " +
+				"please delete/replace the controller pod so the EKS admission controllers can inject this " +
+				"environment variable, or set it manually if the cluster is not EKS")
+		}
+	}
+	confOpts = append(confOpts, config.WithRegion(stsRegion))
+
+	if e := o.STSEndpoint; e != "" {
+		if err := ValidateSTSEndpoint(e); err != nil {
+			return nil, err
+		}
+		confOpts = append(confOpts, config.WithBaseEndpoint(e))
+	}
+
+	conf, err := p.impl().LoadDefaultConfig(ctx, confOpts...)
+	if err != nil {
+		return nil, err
+	}
+	creds, err := conf.Credentials.Retrieve(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return newTokenFromAWSCredentials(&creds), nil
+}
+
+// GetAudiences implements auth.Provider.
+func (Provider) GetAudiences(context.Context, corev1.ServiceAccount) ([]string, error) {
+	return []string{"sts.amazonaws.com"}, nil
+}
+
+// GetIdentity implements auth.Provider.
+func (Provider) GetIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	roleARN, err := getRoleARN(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	return roleARN, nil
+}
+
+// NewTokenForServiceAccount implements auth.Provider.
+func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
+	serviceAccount corev1.ServiceAccount, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	stsRegion := o.STSRegion
+	if stsRegion == "" {
+		// In this case we can't rely on IRSA or EKS Pod Identity for the controller
+		// pod because this is object-level configuration, so we show a different
+		// error message.
+		// In this error message we assume an API that has a region field, e.g. the
+		// Bucket API. APIs that can extract the region from the ARN (e.g. KMS) will
+		// never reach this code path.
+		return nil, errors.New("an AWS region is required for authenticating with a service account. " +
+			"please configure one in the object spec")
+	}
+
+	roleARN, err := getRoleARN(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+
+	roleSessionName := getRoleSessionName(serviceAccount, stsRegion)
+
+	stsOpts := sts.Options{
+		Region:     stsRegion,
+		HTTPClient: o.GetHTTPClient(),
+	}
+
+	if e := o.STSEndpoint; e != "" {
+		if err := ValidateSTSEndpoint(e); err != nil {
+			return nil, err
+		}
+		stsOpts.BaseEndpoint = &e
+	}
+
+	req := &sts.AssumeRoleWithWebIdentityInput{
+		RoleArn:          &roleARN,
+		RoleSessionName:  &roleSessionName,
+		WebIdentityToken: &oidcToken,
+	}
+	resp, err := p.impl().AssumeRoleWithWebIdentity(ctx, req, stsOpts)
+	if err != nil {
+		return nil, err
+	}
+	if resp.Credentials == nil {
+		return nil, fmt.Errorf("credentials are nil")
+	}
+
+	creds := &Credentials{*resp.Credentials}
+	if creds.Expiration == nil {
+		creds.Expiration = &time.Time{}
+	}
+
+	return creds, nil
+}
+
+// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+func (p Provider) GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]auth.Option, error) {
+	// AWS requires a region for getting access credentials. To avoid requiring
+	// two regions to be passed in the Flux APIs we leverage the region present
+	// in the ECR repository.
+	// **Important**: This code path is required for supporting the identity of
+	// the EKS node! The AWS_REGION environment variable is only automatically
+	// set for IRSA and EKS Pod Identity. We strive to support the identity of
+	// the node for artifact repository APIs because EKS users also use it for
+	// for pulling container images to spin up pods inside the cluster, so this
+	// allows a simpler user experience setting up ECR authentication only once.
+	registryInput, err := p.ParseArtifactRepository(artifactRepository)
+	if err != nil {
+		return nil, err
+	}
+	ecrRegion := getECRRegionFromRegistryInput(registryInput)
+	return []auth.Option{auth.WithSTSRegion(ecrRegion)}, nil
+}
+
+// This regex is sourced from the AWS ECR Credential Helper (https://github.com/awslabs/amazon-ecr-credential-helper).
+// It covers both public AWS partitions like amazonaws.com, China partitions like amazonaws.com.cn, and non-public partitions.
+const registryPattern = `([0-9+]*).dkr.ecr(?:-fips)?\.([^/.]*)\.(amazonaws\.com[.cn]*|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)`
+
+const publicECR = "public.ecr.aws"
+
+var registryRegex = regexp.MustCompile(registryPattern)
+
+// ParseArtifactRepository implements auth.Provider.
+// ParseArtifactRepository returns the ECR region, unless the registry
+// is public.ecr.aws, in which case it returns public.ecr.aws.
+func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
+	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
+	if err != nil {
+		return "", err
+	}
+
+	if registry == publicECR {
+		return publicECR, nil
+	}
+
+	parts := registryRegex.FindAllStringSubmatch(registry, -1)
+	if len(parts) < 1 || len(parts[0]) < 3 {
+		return "", fmt.Errorf("invalid AWS registry: '%s'. must match %s",
+			registry, registryPattern)
+	}
+
+	ecrRegion := parts[0][2]
+	return ecrRegion, nil
+}
+
+func getECRRegionFromRegistryInput(registryInput string) string {
+	if registryInput == publicECR {
+		// Region is required to be us-east-1 for public ECR:
+		// https://docs.aws.amazon.com/AmazonECR/latest/public/public-registry-auth.html#public-registry-auth-token
+		return "us-east-1"
+	}
+	return registryInput
+}
+
+// NewArtifactRegistryCredentials implements auth.Provider.
+func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registryInput string,
+	accessToken auth.Token, opts ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	authTokenFunc := p.impl().GetAuthorizationToken
+	if registryInput == publicECR {
+		authTokenFunc = p.impl().GetPublicAuthorizationToken
+	}
+
+	conf := aws.Config{
+		Region:      getECRRegionFromRegistryInput(registryInput),
+		Credentials: accessToken.(*Credentials).provider(),
+		HTTPClient:  o.GetHTTPClient(),
+	}
+
+	respAny, err := authTokenFunc(ctx, conf)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the authorization token.
+	var token string
+	var expiresAt time.Time
+	switch resp := respAny.(type) {
+	case *ecr.GetAuthorizationTokenOutput:
+		if len(resp.AuthorizationData) == 0 {
+			return nil, fmt.Errorf("no authorization data returned")
+		}
+		if resp.AuthorizationData[0].AuthorizationToken == nil {
+			return nil, fmt.Errorf("authorization token is nil")
+		}
+		if resp.AuthorizationData[0].ExpiresAt == nil {
+			return nil, fmt.Errorf("authorization token expiration is nil")
+		}
+		token = *resp.AuthorizationData[0].AuthorizationToken
+		expiresAt = *resp.AuthorizationData[0].ExpiresAt
+	case *ecrpublic.GetAuthorizationTokenOutput:
+		if resp.AuthorizationData == nil {
+			return nil, fmt.Errorf("no authorization data returned")
+		}
+		if resp.AuthorizationData.AuthorizationToken == nil {
+			return nil, fmt.Errorf("authorization token is nil")
+		}
+		if resp.AuthorizationData.ExpiresAt == nil {
+			return nil, fmt.Errorf("authorization token expiration is nil")
+		}
+		token = *resp.AuthorizationData.AuthorizationToken
+		expiresAt = *resp.AuthorizationData.ExpiresAt
+	}
+	b, err := base64.StdEncoding.DecodeString(token)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse authorization token: %w", err)
+	}
+	s := strings.Split(string(b), ":")
+	if len(s) != 2 {
+		return nil, fmt.Errorf("invalid authorization token format")
+	}
+	return &auth.ArtifactRegistryCredentials{
+		Authenticator: authn.FromConfig(authn.AuthConfig{
+			Username: s[0],
+			Password: s[1],
+		}),
+		ExpiresAt: expiresAt,
+	}, nil
+}
+
+// GetAccessTokenOptionsForCluster implements auth.Provider.
+func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
+	var o auth.Options
+	o.Apply(opts...)
+	// ClusterResource is always needed for AWS as we need to extract the region.
+	region, _, err := parseCluster(o.ClusterResource)
+	if err != nil {
+		return nil, err
+	}
+	return [][]auth.Option{{auth.WithSTSRegion(region)}}, nil
+}
+
+// NewRESTConfig implements auth.Provider.
+//
+// Reference:
+// https://docs.aws.amazon.com/eks/latest/best-practices/identity-and-access-management.html#_controlling_access_to_eks_clusters
+func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
+	opts ...auth.Option) (*auth.RESTConfig, error) {
+
+	// The expiration for an EKS restconfig is always 15 minutes, see the reference above.
+	// Let's record time.Now() on the beginning of the procedure to be on the safe side.
+	expiresAt := time.Now().Add(15 * time.Minute)
+
+	creds := accessTokens[0].(*Credentials).provider()
+
+	var o auth.Options
+	o.Apply(opts...)
+	hc := o.GetHTTPClient()
+
+	// ClusterResource is always needed for AWS as we need to extract the region.
+	cluster := o.ClusterResource
+	region, clusterName, err := parseCluster(cluster)
+	if err != nil {
+		return nil, err
+	}
+
+	// Describe the cluster resource to get missing CA or endpoint.
+	host := o.ClusterAddress
+	caData := []byte(o.CAData)
+	if host == "" || len(caData) == 0 {
+		describeInput := &eks.DescribeClusterInput{
+			Name: aws.String(clusterName),
+		}
+		eksOpts := eks.Options{
+			Region:      region,
+			Credentials: creds,
+			HTTPClient:  hc,
+		}
+		clusterResource, err := p.impl().DescribeCluster(ctx, describeInput, eksOpts)
+		if err != nil {
+			return nil, fmt.Errorf("failed to describe EKS cluster '%s': %w", cluster, err)
+		}
+
+		// Compare specified address and address from the cluster resource.
+		endpoint := *clusterResource.Cluster.Endpoint
+		if host != "" {
+			canonicalAddress, err := auth.ParseClusterAddress(host)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse specified cluster address '%s': %w", host, err)
+			}
+			canonicalEndpoint, err := auth.ParseClusterAddress(endpoint)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse EKS endpoint '%s': %w", endpoint, err)
+			}
+			if canonicalAddress != canonicalEndpoint {
+				return nil, fmt.Errorf("EKS endpoint '%s' does not match specified address: '%s'", endpoint, host)
+			}
+		}
+
+		// Update host and CA with cluster details.
+		host = endpoint
+		if len(caData) == 0 {
+			caData, err = base64.StdEncoding.DecodeString(*clusterResource.Cluster.CertificateAuthority.Data)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode EKS CA certificate: %w", err)
+			}
+		}
+	}
+
+	// Build token. See reference above.
+	presignOpts := func(po *sts.PresignOptions) {
+		po.Presigner = &eksHTTPPresignerV4{
+			HTTPPresignerV4: po.Presigner,
+			clusterName:     clusterName,
+		}
+	}
+	stsOpts := sts.Options{
+		Region:      region,
+		Credentials: creds,
+		HTTPClient:  hc,
+	}
+	if e := o.STSEndpoint; e != "" {
+		if err := ValidateSTSEndpoint(e); err != nil {
+			return nil, err
+		}
+		stsOpts.BaseEndpoint = &e
+	}
+	presignedReq, err := p.impl().PresignGetCallerIdentity(ctx, presignOpts, stsOpts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to presign GetCallerIdentity request: %w", err)
+	}
+	token := fmt.Sprintf("k8s-aws-v1.%s", base64.RawURLEncoding.EncodeToString([]byte(presignedReq.URL)))
+
+	// Build and return the REST config.
+	return &auth.RESTConfig{
+		Host:        host,
+		BearerToken: token,
+		CAData:      caData,
+		ExpiresAt:   expiresAt,
+	}, nil
+}
+
+func (p Provider) impl() Implementation {
+	if p.Implementation == nil {
+		return implementation{}
+	}
+	return p.Implementation
+}

auth/aws/provider_test.go

@@ -0,0 +1,495 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws_test
+
+import (
+	"context"
+	"net/url"
+	"testing"
+	"time"
+
+	awssdk "github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
+	"github.com/google/go-containerregistry/pkg/authn"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/aws"
+)
+
+func TestProvider_NewControllerToken(t *testing.T) {
+	impl := &mockImplementation{
+		t:              t,
+		argRegion:      "us-east-1",
+		argProxyURL:    &url.URL{Scheme: "http", Host: "proxy.example.com"},
+		argSTSEndpoint: "https://sts.amazonaws.com",
+		returnCreds:    awssdk.Credentials{AccessKeyID: "access-key-id"},
+	}
+
+	for _, tt := range []struct {
+		name               string
+		stsEndpoint        string
+		artifactRepository string
+		skipSTSRegion      bool
+		err                string
+	}{
+		{
+			name:        "valid",
+			stsEndpoint: "https://sts.amazonaws.com",
+		},
+		{
+			name:        "invalid sts endpoint",
+			stsEndpoint: "https://something.amazonaws.com",
+			err:         `invalid STS endpoint: 'https://something.amazonaws.com'. must match ^https://(.+\.)?sts(-fips)?(\.[^.]+)?(\.vpce)?\.amazonaws\.com$`,
+		},
+		{
+			name:          "missing region",
+			stsEndpoint:   "https://sts.amazonaws.com",
+			skipSTSRegion: true,
+			err: "AWS_REGION environment variable is not set in the Flux controller. " +
+				"if you have properly configured IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, " +
+				"please delete/replace the controller pod so the EKS admission controllers can inject this " +
+				"environment variable, or set it manually if the cluster is not EKS",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			if !tt.skipSTSRegion {
+				t.Setenv("AWS_REGION", "us-east-1")
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+				auth.WithSTSEndpoint(tt.stsEndpoint),
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			token, err := provider.NewControllerToken(context.Background(), opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(token).To(Equal(&aws.Credentials{Credentials: types.Credentials{
+					AccessKeyId:     awssdk.String("access-key-id"),
+					SecretAccessKey: awssdk.String(""),
+					SessionToken:    awssdk.String(""),
+					Expiration:      awssdk.Time(time.Time{}),
+				}}))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(token).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_NewTokenForServiceAccount(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		roleARN            string
+		stsEndpoint        string
+		artifactRepository string
+		skipSTSRegion      bool
+		err                string
+	}{
+		{
+			name:        "valid",
+			roleARN:     "arn:aws:iam::1234567890:role/some-role",
+			stsEndpoint: "https://sts.amazonaws.com",
+		},
+		{
+			name:        "us gov is valid",
+			roleARN:     "arn:aws-us-gov:iam::1234567890:role/some-role",
+			stsEndpoint: "https://sts.amazonaws.com",
+		},
+		{
+			name:        "invalid sts endpoint",
+			roleARN:     "arn:aws:iam::1234567890:role/some-role",
+			stsEndpoint: "https://something.amazonaws.com",
+			err:         `invalid STS endpoint: 'https://something.amazonaws.com'. must match ^https://(.+\.)?sts(-fips)?(\.[^.]+)?(\.vpce)?\.amazonaws\.com$`,
+		},
+		{
+			name:          "missing region",
+			roleARN:       "arn:aws:iam::1234567890:role/some-role",
+			stsEndpoint:   "https://sts.amazonaws.com",
+			skipSTSRegion: true,
+			err: "an AWS region is required for authenticating with a service account. " +
+				"please configure one in the object spec",
+		},
+		{
+			name:        "invalid role ARN",
+			roleARN:     "foobar",
+			stsEndpoint: "https://sts.amazonaws.com",
+			err:         `invalid eks.amazonaws.com/role-arn annotation: 'foobar'. must match ^arn:aws[\w-]*:iam::[0-9]{1,30}:role/.{1,200}$`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:                  t,
+				argRegion:          "us-east-1",
+				argRoleARN:         tt.roleARN,
+				argRoleSessionName: "test-sa.test-ns.us-east-1.fluxcd.io",
+				argOIDCToken:       "oidc-token",
+				argProxyURL:        &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argSTSEndpoint:     "https://sts.amazonaws.com",
+				returnCreds:        awssdk.Credentials{AccessKeyID: "access-key-id"},
+			}
+
+			oidcToken := "oidc-token"
+			serviceAccount := corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-sa",
+					Namespace:   "test-ns",
+					Annotations: map[string]string{"eks.amazonaws.com/role-arn": tt.roleARN},
+				},
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+				auth.WithSTSEndpoint(tt.stsEndpoint),
+			}
+
+			if !tt.skipSTSRegion {
+				opts = append(opts, auth.WithSTSRegion("us-east-1"))
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			token, err := provider.NewTokenForServiceAccount(context.Background(), oidcToken, serviceAccount, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(token).To(Equal(&aws.Credentials{Credentials: types.Credentials{
+					AccessKeyId:     awssdk.String("access-key-id"),
+					SecretAccessKey: awssdk.String(""),
+					SessionToken:    awssdk.String(""),
+					Expiration:      awssdk.Time(time.Time{}),
+				}}))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(token).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAudiences(t *testing.T) {
+	g := NewWithT(t)
+	aud, err := aws.Provider{}.GetAudiences(context.Background(), corev1.ServiceAccount{})
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(aud).To(Equal([]string{"sts.amazonaws.com"}))
+}
+
+func TestProvider_GetIdentity(t *testing.T) {
+	g := NewWithT(t)
+
+	identity, err := aws.Provider{}.GetIdentity(corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"eks.amazonaws.com/role-arn": "arn:aws:iam::1234567890:role/some-role",
+			},
+		},
+	})
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(identity).To(Equal("arn:aws:iam::1234567890:role/some-role"))
+}
+
+func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		artifactRepository string
+		expectedPublicECR  bool
+		expectedRegion     string
+	}{
+		{
+			name:               "non public ECR, us-east-1",
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo",
+			expectedRegion:     "us-east-1",
+			expectedPublicECR:  false,
+		},
+		{
+			name:               "non public ECR, us-west-2",
+			artifactRepository: "012345678901.dkr.ecr.us-west-2.amazonaws.com/foo",
+			expectedRegion:     "us-west-2",
+			expectedPublicECR:  false,
+		},
+		{
+			name:               "public ECR",
+			artifactRepository: "public.ecr.aws",
+			expectedRegion:     "us-east-1", // Public ECR is always us-east-1
+			expectedPublicECR:  true,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:                t,
+				publicECR:        tt.expectedPublicECR,
+				argRegion:        tt.expectedRegion,
+				argProxyURL:      &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argCredsProvider: credentials.NewStaticCredentialsProvider("access-key-id", "secret-access-key", "session-token"),
+				returnCreds: awssdk.Credentials{
+					AccessKeyID:     "access-key-id",
+					SecretAccessKey: "secret-access-key",
+					SessionToken:    "session-token",
+				},
+				returnUsername: "username",
+				returnPassword: "password",
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			creds, err := auth.GetArtifactRegistryCredentials(
+				context.Background(), provider, tt.artifactRepository, opts...)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(creds).To(Equal(&auth.ArtifactRegistryCredentials{
+				Authenticator: authn.FromConfig(authn.AuthConfig{
+					Username: "username",
+					Password: "password",
+				}),
+			}))
+		})
+	}
+}
+
+func TestProvider_GetAccessTokenOptionsForArtifactRepository(t *testing.T) {
+	g := NewWithT(t)
+
+	opts, err := aws.Provider{}.GetAccessTokenOptionsForArtifactRepository(
+		"012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1")
+	g.Expect(err).NotTo(HaveOccurred())
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	g.Expect(o.STSRegion).To(Equal("us-east-1"))
+}
+
+func TestProvider_ParseArtifactRepository(t *testing.T) {
+	tests := []struct {
+		artifactRepository string
+		expectedRegion     string
+		expectValid        bool
+	}{
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo:v1",
+			expectedRegion:     "us-east-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com/foo",
+			expectedRegion:     "us-east-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com",
+			expectedRegion:     "us-east-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com/v2/part/part",
+			expectedRegion:     "us-east-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.cn-north-1.amazonaws.com.cn/foo",
+			expectedRegion:     "cn-north-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
+			expectedRegion:     "us-gov-west-1",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-secret-region.sc2s.sgov.gov",
+			expectedRegion:     "us-secret-region",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr-fips.us-ts-region.c2s.ic.gov",
+			expectedRegion:     "us-ts-region",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.uk-region.cloud.adc-e.uk",
+			expectedRegion:     "uk-region",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-ts-region.csp.hci.ic.gov",
+			expectedRegion:     "us-ts-region",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "gcr.io/foo/bar:baz",
+			expectValid:        false,
+		},
+		{
+			artifactRepository: "public.ecr.aws/foo/bar",
+			expectedRegion:     "public.ecr.aws",
+			expectValid:        true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.artifactRepository, func(t *testing.T) {
+			g := NewWithT(t)
+
+			region, err := aws.Provider{}.ParseArtifactRepository(tt.artifactRepository)
+			g.Expect(err == nil).To(Equal(tt.expectValid))
+			g.Expect(region).To(Equal(tt.expectedRegion))
+		})
+	}
+}
+
+func TestProvider_NewRESTConfig(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		cluster        string
+		clusterAddress string
+		caData         string
+		stsEndpoint    string
+		err            string
+	}{
+		{
+			name:    "valid EKS cluster",
+			cluster: "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+		},
+		{
+			name:    "us gov EKS cluster is valid",
+			cluster: "arn:aws-us-gov:eks:us-east-1:123456789012:cluster/test-cluster",
+		},
+		{
+			name:           "valid EKS cluster with address match",
+			cluster:        "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+			clusterAddress: "https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com:443",
+		},
+		{
+			name:    "valid EKS cluster with CA",
+			cluster: "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+			caData:  "-----BEGIN CERTIFICATE-----",
+		},
+		{
+			name:           "CA and address only. EKS requires cluster to extract region",
+			clusterAddress: "https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com:443",
+			caData:         "-----BEGIN CERTIFICATE-----",
+			err:            `invalid EKS cluster ARN: ''. must match ^arn:aws[\w-]*:eks:([^:]{1,100}):[0-9]{1,30}:cluster/(.{1,200})$`,
+		},
+		{
+			name:           "cluster address mismatch",
+			cluster:        "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+			clusterAddress: "https://different-endpoint.eks.amazonaws.com:443",
+			err:            "EKS endpoint 'https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com' does not match specified address: 'https://different-endpoint.eks.amazonaws.com:443'",
+		},
+		{
+			name:        "valid EKS cluster with custom STS endpoint",
+			cluster:     "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+			stsEndpoint: "https://sts.amazonaws.com",
+		},
+		{
+			name:        "invalid STS endpoint",
+			cluster:     "arn:aws:eks:us-east-1:123456789012:cluster/test-cluster",
+			stsEndpoint: "https://invalid.amazonaws.com",
+			err:         `invalid STS endpoint: 'https://invalid.amazonaws.com'. must match ^https://(.+\.)?sts(-fips)?(\.[^.]+)?(\.vpce)?\.amazonaws\.com$`,
+		},
+		{
+			name:    "invalid cluster ARN",
+			cluster: "invalid-cluster-arn",
+			err:     `invalid EKS cluster ARN: 'invalid-cluster-arn'. must match ^arn:aws[\w-]*:eks:([^:]{1,100}):[0-9]{1,30}:cluster/(.{1,200})$`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:                  t,
+				expectEKSAPICall:   tt.clusterAddress == "" || tt.caData == "",
+				argRegion:          "us-east-1",
+				argClusterName:     "test-cluster",
+				argProxyURL:        &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argSTSEndpoint:     tt.stsEndpoint,
+				argCredsProvider:   credentials.NewStaticCredentialsProvider("access-key-id", "secret-access-key", "session-token"),
+				returnCreds:        awssdk.Credentials{AccessKeyID: "access-key-id", SecretAccessKey: "secret-access-key", SessionToken: "session-token"},
+				returnEndpoint:     "https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com",
+				returnCAData:       "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t", // base64 encoded "-----BEGIN CERTIFICATE-----"
+				returnPresignedURL: "https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15&X-Amz-Algorithm=AWS4-HMAC-SHA256",
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+			}
+
+			if tt.cluster != "" {
+				opts = append(opts, auth.WithClusterResource(tt.cluster))
+			}
+
+			if tt.clusterAddress != "" {
+				opts = append(opts, auth.WithClusterAddress(tt.clusterAddress))
+			}
+
+			if tt.caData != "" {
+				opts = append(opts, auth.WithCAData(tt.caData))
+			}
+
+			if tt.stsEndpoint != "" {
+				opts = append(opts, auth.WithSTSEndpoint(tt.stsEndpoint))
+			}
+
+			provider := aws.Provider{Implementation: impl}
+			restConfig, err := auth.GetRESTConfig(context.Background(), provider, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(restConfig).NotTo(BeNil())
+				g.Expect(restConfig.Host).To(Equal("https://EXAMPLE1234567890123456789012345678.gr7.us-east-1.eks.amazonaws.com"))
+				g.Expect(restConfig.BearerToken).To(Equal("k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZWFzdC0xLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTY"))
+				g.Expect(restConfig.CAData).To(Equal([]byte("-----BEGIN CERTIFICATE-----")))
+				g.Expect(restConfig.ExpiresAt).To(BeTemporally(">", time.Now().Add(14*time.Minute)))
+				g.Expect(restConfig.ExpiresAt).To(BeTemporally("<", time.Now().Add(16*time.Minute)))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(ContainSubstring(tt.err))
+				g.Expect(restConfig).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
+	g := NewWithT(t)
+
+	opts, err := aws.Provider{}.GetAccessTokenOptionsForCluster(
+		auth.WithClusterResource("arn:aws:eks:us-west-2:123456789012:cluster/my-cluster"))
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(opts).To(HaveLen(1))
+
+	var o auth.Options
+	o.Apply(opts[0]...)
+
+	g.Expect(o.STSRegion).To(Equal("us-west-2"))
+}

auth/aws/restconfig.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	signerv4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+)
+
+// eksHTTPPresignerV4 implements sts.HTTPPresignerV4 adding the cluster name
+// to the request header x-k8s-aws-id, as required by EKS authentication.
+type eksHTTPPresignerV4 struct {
+	sts.HTTPPresignerV4
+	clusterName string
+}
+
+// PresignHTTP implements sts.HTTPPresignerV4.
+func (e *eksHTTPPresignerV4) PresignHTTP(
+	ctx context.Context, credentials aws.Credentials, r *http.Request,
+	payloadHash string, service string, region string, signingTime time.Time,
+	optFns ...func(*signerv4.SignerOptions),
+) (string, http.Header, error) {
+	r.Header.Add("x-k8s-aws-id", e.clusterName)
+	r.Header.Add("X-Amz-Expires", "900") // ref: https://github.com/aws/aws-sdk-go-v2/issues/1922#issuecomment-1429063756
+	return e.HTTPPresignerV4.PresignHTTP(ctx, credentials, r, payloadHash, service, region, signingTime, optFns...)
+}

auth/aws/token.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
+)
+
+// Credentials is the AWS token.
+type Credentials struct{ types.Credentials }
+
+func newTokenFromAWSCredentials(creds *aws.Credentials) *Credentials {
+	return &Credentials{types.Credentials{
+		AccessKeyId:     &creds.AccessKeyID,
+		SecretAccessKey: &creds.SecretAccessKey,
+		SessionToken:    &creds.SessionToken,
+		Expiration:      &creds.Expires,
+	}}
+}
+
+// GetDuration implements auth.Token.
+func (c *Credentials) GetDuration() time.Duration {
+	return time.Until(*c.Expiration)
+}
+
+func (c *Credentials) provider() aws.CredentialsProvider {
+	return credentials.NewStaticCredentialsProvider(*c.AccessKeyId, *c.SecretAccessKey, *c.SessionToken)
+}

auth/azure/implementation.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice"
+)
+
+// Implementation provides the required methods of the Azure libraries.
+type Implementation interface {
+	NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error)
+	NewDefaultAzureCredentialWithoutShellOut(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error)
+	NewClientAssertionCredential(tenantID string, clientID string, getAssertion func(context.Context) (string, error), options *azidentity.ClientAssertionCredentialOptions) (azcore.TokenCredential, error)
+	ExchangeAADAccessTokenForACRRefreshToken(ctx context.Context, client *azcontainerregistry.AuthenticationClient, grantType azcontainerregistry.PostContentSchemaGrantType, service string, options *azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions) (azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenResponse, error)
+	NewManagedClustersClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (AKSClient, error)
+}
+
+// AKSClient provides the required methods of the AKS client.
+type AKSClient interface {
+	Get(ctx context.Context, resourceGroupName string, resourceName string, options *armcontainerservice.ManagedClustersClientGetOptions) (armcontainerservice.ManagedClustersClientGetResponse, error)
+	ListClusterUserCredentials(ctx context.Context, resourceGroupName string, resourceName string, options *armcontainerservice.ManagedClustersClientListClusterUserCredentialsOptions) (armcontainerservice.ManagedClustersClientListClusterUserCredentialsResponse, error)
+}
+
+type implementation struct{}
+
+func (implementation) NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	return azidentity.NewDefaultAzureCredential(options)
+}
+
+func (implementation) NewDefaultAzureCredentialWithoutShellOut(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	return newDefaultAzureCredential(options)
+}
+
+func (implementation) NewClientAssertionCredential(tenantID string, clientID string, getAssertion func(context.Context) (string, error), options *azidentity.ClientAssertionCredentialOptions) (azcore.TokenCredential, error) {
+	return azidentity.NewClientAssertionCredential(tenantID, clientID, getAssertion, options)
+}
+
+func (implementation) ExchangeAADAccessTokenForACRRefreshToken(ctx context.Context, client *azcontainerregistry.AuthenticationClient, grantType azcontainerregistry.PostContentSchemaGrantType, service string, options *azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions) (azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenResponse, error) {
+	return client.ExchangeAADAccessTokenForACRRefreshToken(ctx, grantType, service, options)
+}
+
+func (implementation) NewManagedClustersClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (AKSClient, error) {
+	return armcontainerservice.NewManagedClustersClient(subscriptionID, credential, options)
+}

auth/azure/implementation_test.go

@@ -0,0 +1,268 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure_test
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+	"time"
+	"unsafe"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice"
+	. "github.com/onsi/gomega"
+
+	"github.com/fluxcd/pkg/auth/azure"
+)
+
+type mockImplementation struct {
+	t *testing.T
+
+	shellOut bool
+
+	expectAKSAPICall bool
+
+	argTenantID      string
+	argClientID      string
+	argOIDCToken     string
+	argProxyURL      *url.URL
+	argScopes        []string
+	argToken         string
+	argRegistry      string
+	argSubscription  string
+	argResourceGroup string
+	argClusterName   string
+
+	// For dual-token flow (RESTConfig)
+	argFirstScopes  []string
+	argSecondScopes []string
+	firstCallMade   bool
+
+	returnToken       string
+	returnACRToken    string
+	returnCluster     armcontainerservice.ManagedCluster
+	returnKubeconfigs []*armcontainerservice.CredentialResult
+}
+
+type mockTokenCredential struct {
+	t *testing.T
+
+	argScopes []string
+
+	returnToken string
+}
+
+type mockAKSClient struct {
+	t *testing.T
+
+	argResourceGroup string
+	argClusterName   string
+
+	returnCluster     armcontainerservice.ManagedCluster
+	returnKubeconfigs []*armcontainerservice.CredentialResult
+}
+
+func (m *mockImplementation) NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.shellOut).To(BeTrue())
+	return m.newDefaultAzureCredential(options)
+}
+
+func (m *mockImplementation) NewDefaultAzureCredentialWithoutShellOut(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.shellOut).To(BeFalse())
+	return m.newDefaultAzureCredential(options)
+}
+
+func (m *mockImplementation) newDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(options.Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.Transport.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+
+	// Determine which scopes to expect based on dual-token flow
+	expectedScopes := m.argScopes
+	if m.argFirstScopes != nil && m.argSecondScopes != nil {
+		if !m.firstCallMade {
+			expectedScopes = m.argFirstScopes
+			m.firstCallMade = true
+		} else {
+			expectedScopes = m.argSecondScopes
+		}
+	}
+
+	return &mockTokenCredential{t: m.t, argScopes: expectedScopes, returnToken: m.returnToken}, nil
+}
+
+func (m *mockImplementation) NewClientAssertionCredential(tenantID string, clientID string, getAssertion func(context.Context) (string, error), options *azidentity.ClientAssertionCredentialOptions) (azcore.TokenCredential, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(tenantID).To(Equal(m.argTenantID))
+	g.Expect(clientID).To(Equal(m.argClientID))
+	g.Expect(getAssertion).NotTo(BeNil())
+	oidcToken, err := getAssertion(context.Background())
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(oidcToken).To(Equal(m.argOIDCToken))
+	g.Expect(options).NotTo(BeNil())
+	g.Expect(options.Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.Transport.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+
+	// Determine which scopes to expect based on dual-token flow
+	expectedScopes := m.argScopes
+	if m.argFirstScopes != nil && m.argSecondScopes != nil {
+		if !m.firstCallMade {
+			expectedScopes = m.argFirstScopes
+			m.firstCallMade = true
+		} else {
+			expectedScopes = m.argSecondScopes
+		}
+	}
+
+	return &mockTokenCredential{t: m.t, argScopes: expectedScopes, returnToken: m.returnToken}, nil
+}
+
+func (m *mockImplementation) ExchangeAADAccessTokenForACRRefreshToken(ctx context.Context, client *azcontainerregistry.AuthenticationClient, grantType azcontainerregistry.PostContentSchemaGrantType, service string, options *azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions) (azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenResponse, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+
+	// Assert registry endpoint.
+	endpointField := reflect.ValueOf(client).Elem().FieldByName("endpoint")
+	endpointValue := reflect.NewAt(endpointField.Type(), unsafe.Pointer(endpointField.UnsafeAddr())).Elem().Interface().(string)
+	g.Expect(endpointValue).To(Equal("https://" + m.argRegistry))
+
+	// Assert proxy URL.
+	azcoreClientField := reflect.ValueOf(client).Elem().FieldByName("internal")
+	azcoreClientValue := reflect.NewAt(azcoreClientField.Type(), unsafe.Pointer(azcoreClientField.UnsafeAddr())).Elem().Interface().(*azcore.Client)
+	g.Expect(azcoreClientValue).NotTo(BeNil())
+	pipeline := azcoreClientValue.Pipeline()
+	g.Expect(pipeline).NotTo(BeNil())
+	pipelineValue := reflect.ValueOf(pipeline)
+	pipelinePtr := reflect.New(pipelineValue.Type())
+	pipelinePtr.Elem().Set(pipelineValue)
+	policiesField := pipelinePtr.Elem().FieldByName("policies")
+	policiesValue := reflect.NewAt(policiesField.Type(), unsafe.Pointer(policiesField.UnsafeAddr())).Elem().Interface().([]policy.Policy)
+	g.Expect(policiesValue).NotTo(BeNil())
+	transportPolicy := policiesValue[len(policiesValue)-1]
+	transportPolicyValue := reflect.ValueOf(transportPolicy)
+	transportPolicyPtr := reflect.New(transportPolicyValue.Type())
+	transportPolicyPtr.Elem().Set(transportPolicyValue)
+	transportField := transportPolicyPtr.Elem().FieldByName("trans")
+	transportValue := reflect.NewAt(transportField.Type(), unsafe.Pointer(transportField.UnsafeAddr())).Elem().Interface().(policy.Transporter)
+	g.Expect(transportValue).NotTo(BeNil())
+	g.Expect(transportValue.(*http.Client)).NotTo(BeNil())
+	g.Expect(transportValue.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(transportValue.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(transportValue.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := transportValue.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+
+	// Assert trivial inputs.
+	g.Expect(grantType).To(Equal(azcontainerregistry.PostContentSchemaGrantTypeAccessToken))
+	g.Expect(service).To(Equal(m.argRegistry))
+	g.Expect(options).To(Equal(&azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{
+		AccessToken: &m.argToken,
+	}))
+
+	return azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenResponse{
+		ACRRefreshToken: azcontainerregistry.ACRRefreshToken{RefreshToken: &m.returnACRToken},
+	}, nil
+}
+
+func (m *mockImplementation) NewManagedClustersClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (azure.AKSClient, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.expectAKSAPICall).To(BeTrue())
+	g.Expect(subscriptionID).To(Equal(m.argSubscription))
+	g.Expect(credential).NotTo(BeNil())
+	token, err := credential.GetToken(context.Background(), policy.TokenRequestOptions{})
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(token.Token).To(Equal(m.argToken))
+	g.Expect(options).NotTo(BeNil())
+	g.Expect(options.Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(options.Transport.(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := options.Transport.(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	return &mockAKSClient{
+		t:                 m.t,
+		argResourceGroup:  m.argResourceGroup,
+		argClusterName:    m.argClusterName,
+		returnCluster:     m.returnCluster,
+		returnKubeconfigs: m.returnKubeconfigs,
+	}, nil
+}
+
+func (m *mockAKSClient) Get(ctx context.Context, resourceGroupName string, resourceName string, options *armcontainerservice.ManagedClustersClientGetOptions) (armcontainerservice.ManagedClustersClientGetResponse, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(resourceGroupName).To(Equal(m.argResourceGroup))
+	g.Expect(resourceName).To(Equal(m.argClusterName))
+	g.Expect(options).To(BeNil())
+	return armcontainerservice.ManagedClustersClientGetResponse{
+		ManagedCluster: m.returnCluster,
+	}, nil
+}
+
+func (m *mockAKSClient) ListClusterUserCredentials(ctx context.Context, resourceGroupName string, resourceName string, options *armcontainerservice.ManagedClustersClientListClusterUserCredentialsOptions) (armcontainerservice.ManagedClustersClientListClusterUserCredentialsResponse, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(resourceGroupName).To(Equal(m.argResourceGroup))
+	g.Expect(resourceName).To(Equal(m.argClusterName))
+	g.Expect(options).To(BeNil())
+	return armcontainerservice.ManagedClustersClientListClusterUserCredentialsResponse{
+		CredentialResults: armcontainerservice.CredentialResults{
+			Kubeconfigs: m.returnKubeconfigs,
+		},
+	}, nil
+}
+
+func (m *mockTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(options.Scopes).To(Equal(m.argScopes))
+	return azcore.AccessToken{
+		Token:     m.returnToken,
+		ExpiresOn: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), // Fixed expiry for testing
+	}, nil
+}

auth/azure/new_default_azure_credential.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+)
+
+// newDefaultAzureCredential is like azidentity.NewDefaultAzureCredential(),
+// but does not call the functions that shell out to Azure CLIs.
+func newDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azcore.TokenCredential, error) {
+	const (
+		azureClientID           = "AZURE_CLIENT_ID"
+		azureFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
+		azureAuthorityHost      = "AZURE_AUTHORITY_HOST"
+		azureTenantID           = "AZURE_TENANT_ID"
+	)
+
+	var errorMessages []string
+
+	envCred, err := azidentity.NewEnvironmentCredential(&azidentity.EnvironmentCredentialOptions{
+		ClientOptions: options.ClientOptions, DisableInstanceDiscovery: options.DisableInstanceDiscovery},
+	)
+	if err == nil {
+		return envCred, nil
+	} else {
+		errorMessages = append(errorMessages, "EnvironmentCredential: "+err.Error())
+	}
+
+	// workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
+	haveWorkloadConfig := false
+	clientID, haveClientID := os.LookupEnv(azureClientID)
+	if haveClientID {
+		if file, ok := os.LookupEnv(azureFederatedTokenFile); ok {
+			if _, ok := os.LookupEnv(azureAuthorityHost); ok {
+				if tenantID, ok := os.LookupEnv(azureTenantID); ok {
+					haveWorkloadConfig = true
+					workloadCred, err := azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+						ClientID:                 clientID,
+						TenantID:                 tenantID,
+						TokenFilePath:            file,
+						ClientOptions:            options.ClientOptions,
+						DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+					})
+					if err == nil {
+						return workloadCred, nil
+					} else {
+						errorMessages = append(errorMessages, "Workload Identity"+": "+err.Error())
+					}
+				}
+			}
+		}
+	}
+	if !haveWorkloadConfig {
+		err := errors.New("missing environment variables for workload identity. Check webhook and pod configuration")
+		errorMessages = append(errorMessages, fmt.Sprintf("Workload Identity: %s", err))
+	}
+
+	o := &azidentity.ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
+	if haveClientID {
+		o.ID = azidentity.ClientID(clientID)
+	}
+	miCred, err := azidentity.NewManagedIdentityCredential(o)
+	if err == nil {
+		return miCred, nil
+	} else {
+		errorMessages = append(errorMessages, "ManagedIdentity"+": "+err.Error())
+	}
+
+	return nil, errors.New(strings.Join(errorMessages, "\n"))
+}

auth/azure/options.go

@@ -0,0 +1,148 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"regexp"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func getIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	tenantID, err := getTenantID(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	clientID, err := getClientID(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s/%s", tenantID, clientID), nil
+}
+
+func getTenantID(serviceAccount corev1.ServiceAccount) (string, error) {
+	const key = "azure.workload.identity/tenant-id"
+	if tenantID, ok := serviceAccount.Annotations[key]; ok {
+		return tenantID, nil
+	}
+	return "", fmt.Errorf("azure tenant ID is not set in the service account annotation %s", key)
+}
+
+func getClientID(serviceAccount corev1.ServiceAccount) (string, error) {
+	const key = "azure.workload.identity/client-id"
+	if clientID, ok := serviceAccount.Annotations[key]; ok {
+		return clientID, nil
+	}
+	return "", fmt.Errorf("azure client ID is not set in the service account annotation %s", key)
+}
+
+const clusterPattern = `(?i)^/subscriptions/([^/]{36})/resourceGroups/([^/]{1,200})/providers/Microsoft\.ContainerService/managedClusters/([^/]{1,200})$`
+
+var clusterRegex = regexp.MustCompile(clusterPattern)
+
+func parseCluster(cluster string) (string, string, string, error) {
+	m := clusterRegex.FindStringSubmatch(cluster)
+	if len(m) != 4 {
+		return "", "", "", fmt.Errorf("invalid AKS cluster ID: '%s'. must match %s",
+			cluster, clusterPattern)
+	}
+	subscriptionID := m[1]
+	resourceGroup := m[2]
+	clusterName := m[3]
+	return subscriptionID, resourceGroup, clusterName, nil
+}
+
+// envVarAzureEnvironmentFilepath is the environment variable name used to specify the path of the configuration file with custom Azure endpoints.
+const envVarAzureEnvironmentFilepath = "AZURE_ENVIRONMENT_FILEPATH"
+
+// Environment is used to read the Azure environment configuration from a JSON file, it is a subset of the struct defined in
+// https://github.com/kubernetes-sigs/cloud-provider-azure/blob/e68bd888a7616d52f45f39238691f32821884120/pkg/azclient/cloud.go#L152-L185
+// with exact same field names and json annotations.
+// We define this struct here for two reasons:
+//  1. We are not aware of any libraries we could import this struct from.
+//  2. We don't use all the fields defined in the original struct.
+type Environment struct {
+	ContainerRegistryDNSSuffix string `json:"containerRegistryDNSSuffix,omitempty"`
+	ResourceManagerEndpoint    string `json:"resourceManagerEndpoint,omitempty"`
+	TokenAudience              string `json:"tokenAudience,omitempty"`
+}
+
+// hasEnvironmentFile checks if the environment variable AZURE_ENVIRONMENT_FILEPATH is set
+func hasEnvironmentFile() bool {
+	_, ok := os.LookupEnv(envVarAzureEnvironmentFilepath)
+	return ok
+}
+
+// getEnvironmentConfig reads the Azure environment configuration from a JSON file
+// located at the path specified by the environment variable AZURE_ENVIRONMENT_FILEPATH.
+// Call hasEnvironmentFile() before calling this function to ensure the file exists.
+func getEnvironmentConfig() (*Environment, error) {
+	envFilePath := os.Getenv(envVarAzureEnvironmentFilepath)
+	if len(envFilePath) == 0 {
+		return nil, fmt.Errorf("environment variable %s is not set", envVarAzureEnvironmentFilepath)
+	}
+	content, err := os.ReadFile(envFilePath)
+	if err != nil {
+		return nil, err
+	}
+	env := &Environment{}
+	if err = json.Unmarshal(content, env); err != nil {
+		return nil, err
+	}
+
+	return env, nil
+}
+
+// getCloudConfigFromEnvironment reads the Azure environment configuration and returns a cloud.Configuration object.
+func getCloudConfigFromEnvironment() (*cloud.Configuration, error) {
+	env, err := getEnvironmentConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	cloudConf := cloud.Configuration{
+		Services: make(map[cloud.ServiceName]cloud.ServiceConfiguration),
+	}
+	if len(env.ResourceManagerEndpoint) > 0 && len(env.TokenAudience) > 0 {
+		cloudConf.Services[cloud.ResourceManager] = cloud.ServiceConfiguration{
+			Endpoint: env.ResourceManagerEndpoint,
+			Audience: env.TokenAudience,
+		}
+	} else {
+		return nil, fmt.Errorf("resourceManagerEndpoint and tokenAudience must be set in the environment file")
+	}
+
+	return &cloudConf, nil
+}
+
+// getContainerRegistryDNSSuffix reads the Azure environment configuration and returns the container registry DNS suffix.
+func getContainerRegistryDNSSuffix() (string, error) {
+	env, err := getEnvironmentConfig()
+	if err != nil {
+		return "", err
+	}
+
+	if len(env.ContainerRegistryDNSSuffix) == 0 {
+		return "", fmt.Errorf("containerRegistryDNSSuffix must be set in the environment file")
+	}
+
+	return env.ContainerRegistryDNSSuffix, nil
+}

auth/azure/provider.go

@@ -0,0 +1,393 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-containerregistry/pkg/authn"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+// ProviderName is the name of the Azure authentication provider.
+const ProviderName = "azure"
+
+// Provider implements the auth.Provider interface for Azure authentication.
+type Provider struct{ Implementation }
+
+// GetName implements auth.Provider.
+func (Provider) GetName() string {
+	return ProviderName
+}
+
+// NewControllerToken implements auth.Provider.
+func (p Provider) NewControllerToken(ctx context.Context, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	azOpts := azidentity.DefaultAzureCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: o.GetHTTPClient(),
+		},
+	}
+
+	credFunc := p.impl().NewDefaultAzureCredentialWithoutShellOut
+	if o.AllowShellOut {
+		credFunc = p.impl().NewDefaultAzureCredential
+	}
+	cred, err := credFunc(&azOpts)
+	if err != nil {
+		return nil, err
+	}
+	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
+		Scopes: o.Scopes,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{token}, nil
+}
+
+// GetAudiences implements auth.Provider.
+func (Provider) GetAudiences(context.Context, corev1.ServiceAccount) ([]string, error) {
+	return []string{"api://AzureADTokenExchange"}, nil
+}
+
+// GetIdentity implements auth.Provider.
+func (Provider) GetIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	return getIdentity(serviceAccount)
+}
+
+// NewTokenForServiceAccount implements auth.Provider.
+func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
+	serviceAccount corev1.ServiceAccount, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	identity, err := getIdentity(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+	s := strings.Split(identity, "/")
+	tenantID, clientID := s[0], s[1]
+
+	azOpts := &azidentity.ClientAssertionCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: o.GetHTTPClient(),
+		},
+	}
+
+	cred, err := p.impl().NewClientAssertionCredential(tenantID, clientID, func(context.Context) (string, error) {
+		return oidcToken, nil
+	}, azOpts)
+	if err != nil {
+		return nil, err
+	}
+	token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
+		Scopes: o.Scopes,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{token}, nil
+}
+
+// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+func (p Provider) GetAccessTokenOptionsForArtifactRepository(artifactRepository string) ([]auth.Option, error) {
+	// Azure requires scopes for getting access tokens. Here we compute
+	// the scope for ACR, which is based on the registry host.
+
+	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
+	if err != nil {
+		return nil, err
+	}
+
+	var conf *cloud.Configuration
+	switch {
+	case hasEnvironmentFile():
+		var err error
+		conf, err = getCloudConfigFromEnvironment()
+		if err != nil {
+			return nil, err
+		}
+	case strings.HasSuffix(registry, ".azurecr.cn"):
+		conf = &cloud.AzureChina
+	case strings.HasSuffix(registry, ".azurecr.us"):
+		conf = &cloud.AzureGovernment
+	default:
+		conf = &cloud.AzurePublic
+	}
+	acrScope := conf.Services[cloud.ResourceManager].Endpoint + "/.default"
+
+	return []auth.Option{auth.WithScopes(acrScope)}, nil
+}
+
+// https://github.com/kubernetes/kubernetes/blob/v1.23.1/pkg/credentialprovider/azure/azure_credentials.go#L55
+const registryPattern = `^.+\.(azurecr\.io|azurecr\.cn|azurecr\.de|azurecr\.us)$`
+
+var registryRegex = regexp.MustCompile(registryPattern)
+
+// ParseArtifactRepository implements auth.Provider.
+// ParseArtifactRepository returns the ACR registry host.
+func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
+	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
+	if err != nil {
+		return "", err
+	}
+
+	// For issuing Azure registry credentials the registry host is required.
+	if registryRegex.MatchString(registry) {
+		return registry, nil
+	}
+
+	// Check if environment variable is configured for container registry suffix
+	if hasEnvironmentFile() {
+		// Load the environment configuration from the file
+		registrySuffix, err := getContainerRegistryDNSSuffix()
+		if err != nil {
+			return "", fmt.Errorf("failed to get container registry suffix from environment file: %w", err)
+		}
+		if strings.HasSuffix(registry, registrySuffix) {
+			return registry, nil
+		}
+		return "", fmt.Errorf("invalid Azure registry: '%s'. must end with %s",
+			registry, registrySuffix)
+	}
+
+	return "", fmt.Errorf("invalid Azure registry: '%s'. must match %s",
+		registry, registryPattern)
+}
+
+// NewArtifactRegistryCredentials implements auth.Provider.
+func (p Provider) NewArtifactRegistryCredentials(ctx context.Context, registry string,
+	accessToken auth.Token, opts ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Create the ACR authentication client.
+	endpoint := fmt.Sprintf("https://%s", registry)
+	clientOpts := azcontainerregistry.AuthenticationClientOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: o.GetHTTPClient(),
+		},
+	}
+	client, err := azcontainerregistry.NewAuthenticationClient(endpoint, &clientOpts)
+	if err != nil {
+		return nil, err
+	}
+
+	// Exchange the access token for an ACR token.
+	grantType := azcontainerregistry.PostContentSchemaGrantTypeAccessToken
+	service := registry
+	tokenOpts := &azcontainerregistry.AuthenticationClientExchangeAADAccessTokenForACRRefreshTokenOptions{
+		AccessToken: &accessToken.(*Token).Token,
+	}
+	resp, err := p.impl().ExchangeAADAccessTokenForACRRefreshToken(ctx, client, grantType, service, tokenOpts)
+	if err != nil {
+		return nil, err
+	}
+	token := *resp.RefreshToken
+
+	// Parse the refresh token to get the expiry time.
+	var claims jwt.MapClaims
+	if _, _, err := jwt.NewParser().ParseUnverified(token, &claims); err != nil {
+		return nil, err
+	}
+	expiry, err := claims.GetExpirationTime()
+	if err != nil {
+		return nil, err
+	}
+
+	// Return the credentials.
+	return &auth.ArtifactRegistryCredentials{
+		Authenticator: authn.FromConfig(authn.AuthConfig{
+			// https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#az-acr-login-with---expose-token
+			Username: "00000000-0000-0000-0000-000000000000",
+			Password: token,
+		}),
+		ExpiresAt: expiry.Time,
+	}, nil
+}
+
+// GetAccessTokenOptionsForCluster implements auth.Provider.
+func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	var atOpts [][]auth.Option
+
+	// Token used for impersonating the Managed Identity inside the AKS cluster.
+	const aksScope = "6dae42f8-4368-4678-94ff-3960e28e3630/.default"
+	aksTokenOpts := []auth.Option{auth.WithScopes(aksScope)}
+	atOpts = append(atOpts, aksTokenOpts)
+
+	// Token needed for looking up details of the cluster resource.
+	if o.ClusterAddress == "" || o.CAData == "" {
+		conf := &cloud.AzurePublic
+		switch authorityHost := os.Getenv("AZURE_AUTHORITY_HOST"); {
+		case hasEnvironmentFile():
+			var err error
+			conf, err = getCloudConfigFromEnvironment()
+			if err != nil {
+				return nil, err
+			}
+		case strings.Contains(authorityHost, "chinacloudapi.cn"):
+			conf = &cloud.AzureChina
+		case strings.Contains(authorityHost, "microsoftonline.us"):
+			conf = &cloud.AzureGovernment
+		}
+		armScope := conf.Services[cloud.ResourceManager].Audience + "/.default"
+		armTokenOpts := []auth.Option{auth.WithScopes(armScope)}
+		atOpts = append(atOpts, armTokenOpts)
+	}
+
+	return atOpts, nil
+}
+
+// NewRESTConfig implements auth.Provider.
+func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
+	opts ...auth.Option) (*auth.RESTConfig, error) {
+
+	aksToken := accessTokens[0].(*Token)
+
+	var armToken *Token
+	if len(accessTokens) == 2 {
+		armToken = accessTokens[1].(*Token)
+	}
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Describe the cluster resource to get missing CA or endpoint.
+	host := o.ClusterAddress
+	caData := []byte(o.CAData)
+	if host == "" || len(caData) == 0 {
+		cluster := o.ClusterResource
+		subscriptionID, resourceGroup, clusterName, err := parseCluster(cluster)
+		if err != nil {
+			return nil, err
+		}
+
+		// Create client for describing the cluster resource.
+		clientOpts := arm.ClientOptions{
+			ClientOptions: azcore.ClientOptions{
+				Transport: o.GetHTTPClient(),
+			},
+		}
+		client, err := p.impl().NewManagedClustersClient(
+			subscriptionID, armToken.credential(), &clientOpts)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create client for describing AKS cluster: %w", err)
+		}
+
+		// Describe the cluster resource.
+		clusterResource, err := client.Get(ctx, resourceGroup, clusterName, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to describe AKS cluster: %w", err)
+		}
+
+		// We only support clusters with Microsoft Entra ID integration enabled.
+		if clusterResource.Properties.AADProfile == nil {
+			return nil, fmt.Errorf("AKS cluster %s does not have Microsoft Entra ID integration enabled. "+
+				"See docs for enabling: https://learn.microsoft.com/en-us/azure/aks/enable-authentication-microsoft-entra-id",
+				cluster)
+		}
+
+		// Parse specified cluster address.
+		var canonicalHost string
+		if host != "" {
+			var err error
+			canonicalHost, err = auth.ParseClusterAddress(host)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse specified cluster address '%s': %w", host, err)
+			}
+		}
+
+		// List kubeconfigs for this AKS cluster. We need to find the one
+		// matching the canonical address, or the first one if no address
+		// is specified.
+		resp, err := client.ListClusterUserCredentials(ctx, resourceGroup, clusterName, nil)
+		if err != nil {
+			return nil, err
+		}
+		var restConfig *rest.Config
+		var addresses []string
+		for i, kc := range resp.Kubeconfigs {
+			conf, err := clientcmd.RESTConfigFromKubeConfig(kc.Value)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse kubeconfig[%d]: %w", i, err)
+			}
+			addresses = append(addresses, fmt.Sprintf("'%s'", conf.Host))
+			canonicalHostFromAPI, err := auth.ParseClusterAddress(conf.Host)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse address '%s' from kubeconfig[%d]: %w", conf.Host, i, err)
+			}
+			if canonicalHost == "" || canonicalHostFromAPI == canonicalHost {
+				restConfig = conf
+				break
+			}
+		}
+		if restConfig == nil {
+			if canonicalHost == "" {
+				return nil, fmt.Errorf("no kubeconfig found for AKS cluster %s", cluster)
+			}
+			return nil, fmt.Errorf("AKS cluster %s does not match specified address '%s'. cluster addresses: [%s]",
+				cluster, o.ClusterAddress, strings.Join(addresses, ", "))
+		}
+
+		// Update host and CA with cluster details.
+		host = restConfig.Host
+		if len(caData) == 0 {
+			caData = restConfig.CAData
+		}
+	}
+
+	// Build and return the REST config.
+	return &auth.RESTConfig{
+		Host:        host,
+		BearerToken: aksToken.Token,
+		CAData:      caData,
+		ExpiresAt:   aksToken.ExpiresOn,
+	}, nil
+}
+
+func (p Provider) impl() Implementation {
+	if p.Implementation == nil {
+		return implementation{}
+	}
+	return p.Implementation
+}

auth/azure/provider_test.go

@@ -0,0 +1,710 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure_test
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/go-containerregistry/pkg/authn"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/azure"
+)
+
+func TestProvider_NewControllerToken(t *testing.T) {
+	for _, tt := range []struct {
+		name     string
+		shellOut bool
+	}{
+		{
+			name:     "without shell out",
+			shellOut: false,
+		},
+		{
+			name:     "with shell out",
+			shellOut: true,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:           t,
+				shellOut:    tt.shellOut,
+				argProxyURL: &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argScopes:   []string{"scope1", "scope2"},
+				returnToken: "access-token",
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+				auth.WithScopes("scope1", "scope2"),
+			}
+
+			if tt.shellOut {
+				opts = append(opts, auth.WithAllowShellOut())
+			}
+
+			provider := azure.Provider{Implementation: impl}
+			token, err := provider.NewControllerToken(context.Background(), opts...)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(token).To(Equal(&azure.Token{AccessToken: azcore.AccessToken{
+				Token:     "access-token",
+				ExpiresOn: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+			}}))
+		})
+	}
+}
+
+func TestProvider_NewTokenForServiceAccount(t *testing.T) {
+	for _, tt := range []struct {
+		name        string
+		annotations map[string]string
+		err         string
+	}{
+		{
+			name: "valid",
+			annotations: map[string]string{
+				"azure.workload.identity/tenant-id": "tenant-id",
+				"azure.workload.identity/client-id": "client-id",
+			},
+		},
+		{
+			name: "tenant id missing",
+			annotations: map[string]string{
+				"azure.workload.identity/client-id": "client-id",
+			},
+			err: "azure tenant ID is not set in the service account annotation azure.workload.identity/tenant-id",
+		},
+		{
+			name: "client id missing",
+			annotations: map[string]string{
+				"azure.workload.identity/tenant-id": "tenant-id",
+			},
+			err: "azure client ID is not set in the service account annotation azure.workload.identity/client-id",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:            t,
+				argTenantID:  "tenant-id",
+				argClientID:  "client-id",
+				argOIDCToken: "oidc-token",
+				argProxyURL:  &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argScopes:    []string{"scope1", "scope2"},
+				returnToken:  "access-token",
+			}
+
+			oidcToken := "oidc-token"
+			serviceAccount := corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tt.annotations,
+				},
+			}
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+				auth.WithScopes("scope1", "scope2"),
+			}
+
+			provider := azure.Provider{Implementation: impl}
+			token, err := provider.NewTokenForServiceAccount(context.Background(), oidcToken, serviceAccount, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(token).To(Equal(&azure.Token{AccessToken: azcore.AccessToken{
+					Token:     "access-token",
+					ExpiresOn: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				}}))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(token).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAudiences(t *testing.T) {
+	g := NewWithT(t)
+	aud, err := azure.Provider{}.GetAudiences(context.Background(), corev1.ServiceAccount{})
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(aud).To(Equal([]string{"api://AzureADTokenExchange"}))
+}
+
+func TestProvider_GetIdentity(t *testing.T) {
+	g := NewWithT(t)
+
+	identity, err := azure.Provider{}.GetIdentity(corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				"azure.workload.identity/client-id": "client-id",
+				"azure.workload.identity/tenant-id": "tenant-id",
+			},
+		},
+	})
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(identity).To(Equal("tenant-id/client-id"))
+}
+
+func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
+	g := NewWithT(t)
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	g.Expect(err).NotTo(HaveOccurred())
+	exp := time.Now().Add(time.Hour).Unix()
+	refreshToken, err := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
+		"exp": exp,
+	}).SignedString(privateKey)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	for _, tt := range []struct {
+		registry      string
+		expectedScope string
+	}{
+		{
+			registry:      "foo.azurecr.io",
+			expectedScope: "https://management.azure.com/.default",
+		},
+		{
+			registry:      "foo.azurecr.cn",
+			expectedScope: "https://management.chinacloudapi.cn/.default",
+		},
+		{
+			registry:      "foo.azurecr.us",
+			expectedScope: "https://management.usgovcloudapi.net/.default",
+		},
+	} {
+		t.Run(tt.registry, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:              t,
+				argRegistry:    tt.registry,
+				argToken:       "access-token",
+				argProxyURL:    &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				argScopes:      []string{tt.expectedScope},
+				returnToken:    "access-token",
+				returnACRToken: refreshToken,
+			}
+			provider := azure.Provider{Implementation: impl}
+
+			artifactRepository := fmt.Sprintf("%s/repo", tt.registry)
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+			}
+
+			creds, err := auth.GetArtifactRegistryCredentials(context.Background(), provider, artifactRepository, opts...)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(creds).To(Equal(&auth.ArtifactRegistryCredentials{
+				Authenticator: authn.FromConfig(authn.AuthConfig{
+					Username: "00000000-0000-0000-0000-000000000000",
+					Password: refreshToken,
+				}),
+				ExpiresAt: time.Unix(exp, 0),
+			}))
+		})
+	}
+}
+
+func TestProvider_ParseArtifactRegistry(t *testing.T) {
+	for _, tt := range []struct {
+		artifactRepository         string
+		expectedRegistryURL        string
+		containerRegistryDNSSuffix string
+		expectValid                bool
+	}{
+		{
+			artifactRepository:  "foo.azurecr.io/repo",
+			expectedRegistryURL: "foo.azurecr.io",
+			expectValid:         true,
+		},
+		{
+			artifactRepository:  "foo.azurecr.cn/repo",
+			expectedRegistryURL: "foo.azurecr.cn",
+			expectValid:         true,
+		},
+		{
+			artifactRepository:  "foo.azurecr.de/repo",
+			expectedRegistryURL: "foo.azurecr.de",
+			expectValid:         true,
+		},
+		{
+			artifactRepository:  "foo.azurecr.us/repo",
+			expectedRegistryURL: "foo.azurecr.us",
+			expectValid:         true,
+		},
+		{
+			artifactRepository: "foo.azurecr.com/repo",
+			expectValid:        false,
+		},
+		{
+			artifactRepository: ".azurecr.io/repo",
+			expectValid:        false,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com",
+			expectValid:        false,
+		},
+		{
+			artifactRepository:         "foo.azurecr.private/repo",
+			expectedRegistryURL:        "foo.azurecr.private",
+			containerRegistryDNSSuffix: "azurecr.private",
+			expectValid:                true,
+		},
+		{
+			artifactRepository:         "foo.azurecr.private/repo",
+			expectedRegistryURL:        "foo.azurecr.private",
+			containerRegistryDNSSuffix: "azurecr.pr",
+			expectValid:                false,
+		},
+	} {
+		t.Run(tt.artifactRepository, func(t *testing.T) {
+			g := NewWithT(t)
+
+			// Create a temporary JSON file if containerRegistryDNS is defined
+			if tt.containerRegistryDNSSuffix != "" {
+				envContent := fmt.Sprintf(`{"containerRegistryDNSSuffix": "%s"}`, tt.containerRegistryDNSSuffix)
+				tempFileName, err := createTempAzureEnvFile(envContent)
+				g.Expect(err).NotTo(HaveOccurred())
+				defer os.Remove(tempFileName)
+
+				// Set the environment variable to point to the temp file
+				t.Setenv("AZURE_ENVIRONMENT_FILEPATH", tempFileName)
+			}
+			registryURL, err := azure.Provider{}.ParseArtifactRepository(tt.artifactRepository)
+
+			if tt.expectValid {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(registryURL).To(Equal(tt.expectedRegistryURL))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(registryURL).To(BeEmpty())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAccessTokenOptionsForArtifactRepository(t *testing.T) {
+	for _, tt := range []struct {
+		name               string
+		artifactRepository string
+		readFromEnv        bool
+		expectedScope      string
+	}{
+		{
+			name:               "Azure Public Cloud",
+			artifactRepository: "myregistry.azurecr.io",
+			expectedScope:      "https://management.azure.com/.default",
+		},
+		{
+			name:               "Azure China Cloud",
+			artifactRepository: "myregistry.azurecr.cn",
+			expectedScope:      "https://management.chinacloudapi.cn/.default",
+		},
+		{
+			name:               "Azure Government Cloud",
+			artifactRepository: "myregistry.azurecr.us",
+			expectedScope:      "https://management.usgovcloudapi.net/.default",
+		},
+		{
+			name:               "Invalid registry",
+			artifactRepository: "myregistry.invalid.io",
+			expectedScope:      "https://management.azure.com/.default",
+		},
+		{
+			name:               "Custom environment file",
+			artifactRepository: "myregistry.private.io",
+			readFromEnv:        true,
+			expectedScope:      "https://management.core.azure.private/.default",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			if tt.readFromEnv {
+				envContent := fmt.Sprintf(`{"resourceManagerEndpoint": "%s", "tokenAudience": "%s", "extraField": "%s"}`, "https://management.core.azure.private", "https://management.core.azure.private", "random-extra-field-for-testing")
+				tempFileName, err := createTempAzureEnvFile(envContent)
+				g.Expect(err).NotTo(HaveOccurred())
+				defer os.Remove(tempFileName)
+
+				// Set the environment variable to point to the temp file
+				t.Setenv("AZURE_ENVIRONMENT_FILEPATH", tempFileName)
+			}
+
+			provider := azure.Provider{}
+			opts, err := provider.GetAccessTokenOptionsForArtifactRepository(tt.artifactRepository)
+
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(opts).To(HaveLen(1))
+
+			var armOptions auth.Options
+			armOptions.Apply(opts...)
+			g.Expect(armOptions.Scopes).To(Equal([]string{tt.expectedScope}))
+
+		})
+	}
+}
+
+func TestProvider_NewRESTConfig(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		cluster        string
+		clusterAddress string
+		caData         string
+		aadProfile     *armcontainerservice.ManagedClusterAADProfile
+		kubeconfigs    []*armcontainerservice.CredentialResult
+		authorityHost  string
+		secondScope    string
+		err            string
+	}{
+		{
+			name:    "valid AKS cluster",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
+		{
+			name:    "valid AKS cluster - china",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+			authorityHost: "https://login.chinacloudapi.cn/",
+			secondScope:   "https://management.core.chinacloudapi.cn/.default",
+		},
+		{
+			name:    "valid AKS cluster - us gov",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+			authorityHost: "https://login.microsoftonline.us/",
+			secondScope:   "https://management.core.usgovcloudapi.net/.default",
+		},
+		{
+			name:    "valid AKS cluster - lowercase",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
+		{
+			name:           "valid AKS cluster with address match",
+			cluster:        "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			clusterAddress: "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
+		{
+			name:    "valid AKS cluster with CA",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			caData:  "-----BEGIN CERTIFICATE-----",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
+		{
+			name:           "CA and address only",
+			clusterAddress: "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443",
+			caData:         "-----BEGIN CERTIFICATE-----",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+				{
+					Name:  &[]string{"clusterUser-secondary"}[0],
+					Value: createKubeconfig("test-cluster-secondary", "https://test-cluster-secondary-87654321.hcp.westus.azmk8s.io:443"),
+				},
+			},
+		},
+		{
+			name:           "cluster address mismatch",
+			cluster:        "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			clusterAddress: "https://different-cluster.hcp.eastus.azmk8s.io:443",
+			aadProfile: &armcontainerservice.ManagedClusterAADProfile{
+				Managed: &[]bool{true}[0],
+			},
+			kubeconfigs: []*armcontainerservice.CredentialResult{
+				{
+					Name:  &[]string{"clusterUser"}[0],
+					Value: createKubeconfig("test-cluster", "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+				},
+			},
+			err: "AKS cluster /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster does not match specified address 'https://different-cluster.hcp.eastus.azmk8s.io:443'. cluster addresses: ['https://test-cluster-12345678.hcp.eastus.azmk8s.io:443']",
+		},
+		{
+			name:    "cluster without AAD integration",
+			cluster: "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster",
+			err:     "AKS cluster /subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster does not have Microsoft Entra ID integration enabled. See docs for enabling: https://learn.microsoft.com/en-us/azure/aks/enable-authentication-microsoft-entra-id",
+		},
+		{
+			name:    "invalid cluster ID",
+			cluster: "invalid-cluster-id",
+			err:     `invalid AKS cluster ID: 'invalid-cluster-id'. must match (?i)^/subscriptions/([^/]{36})/resourceGroups/([^/]{1,200})/providers/Microsoft\.ContainerService/managedClusters/([^/]{1,200})$`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			if tt.authorityHost != "" {
+				t.Setenv("AZURE_AUTHORITY_HOST", tt.authorityHost)
+			}
+
+			secondScope := "https://management.core.windows.net//.default"
+			if tt.secondScope != "" {
+				secondScope = tt.secondScope
+			}
+
+			impl := &mockImplementation{
+				t:                t,
+				expectAKSAPICall: tt.clusterAddress == "" || tt.caData == "",
+				argToken:         "access-token",
+				argFirstScopes:   []string{"6dae42f8-4368-4678-94ff-3960e28e3630/.default"},
+				argSecondScopes:  []string{secondScope},
+				argSubscription:  "12345678-1234-1234-1234-123456789012",
+				argResourceGroup: "test-rg",
+				argClusterName:   "test-cluster",
+				argProxyURL:      &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				returnToken:      "access-token",
+				returnCluster: armcontainerservice.ManagedCluster{
+					Properties: &armcontainerservice.ManagedClusterProperties{
+						AADProfile: tt.aadProfile,
+					},
+				},
+				returnKubeconfigs: tt.kubeconfigs,
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+			}
+
+			if tt.cluster != "" {
+				opts = append(opts, auth.WithClusterResource(tt.cluster))
+			}
+
+			if tt.clusterAddress != "" {
+				opts = append(opts, auth.WithClusterAddress(tt.clusterAddress))
+			}
+
+			if tt.caData != "" {
+				opts = append(opts, auth.WithCAData(tt.caData))
+			}
+
+			provider := azure.Provider{Implementation: impl}
+			restConfig, err := auth.GetRESTConfig(context.Background(), provider, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(restConfig).NotTo(BeNil())
+				expectedHost := "https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"
+				if tt.clusterAddress != "" {
+					expectedHost = tt.clusterAddress
+				}
+				g.Expect(restConfig.Host).To(Equal(expectedHost))
+				g.Expect(restConfig.BearerToken).To(Equal("access-token"))
+				g.Expect(restConfig.CAData).To(Equal([]byte("-----BEGIN CERTIFICATE-----")))
+				g.Expect(restConfig.ExpiresAt).To(Equal(time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(ContainSubstring(tt.err))
+				g.Expect(restConfig).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
+	g := NewWithT(t)
+
+	t.Run("needs to fetch cluster", func(t *testing.T) {
+		opts, err := azure.Provider{}.GetAccessTokenOptionsForCluster(
+			auth.WithClusterResource("/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster"))
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(opts).To(HaveLen(2))
+
+		// AKS token options
+		var aksOptions auth.Options
+		aksOptions.Apply(opts[0]...)
+		g.Expect(aksOptions.Scopes).To(Equal([]string{"6dae42f8-4368-4678-94ff-3960e28e3630/.default"}))
+
+		// ARM token options
+		var armOptions auth.Options
+		armOptions.Apply(opts[1]...)
+		g.Expect(armOptions.Scopes).To(Equal([]string{"https://management.core.windows.net//.default"}))
+	})
+
+	t.Run("needs to fetch cluster arm options from env", func(t *testing.T) {
+		envContent := fmt.Sprintf(`{"resourceManagerEndpoint": "%s", "tokenAudience": "%s", "extraField": "%s"}`, "https://management.core.azure.private/", "https://management.core.azure.private/", "random-extra-field-for-testing")
+		tempFileName, err := createTempAzureEnvFile(envContent)
+		g.Expect(err).NotTo(HaveOccurred())
+		defer os.Remove(tempFileName)
+
+		// Set the environment variable to point to the temp file
+		t.Setenv("AZURE_ENVIRONMENT_FILEPATH", tempFileName)
+
+		opts, err := azure.Provider{}.GetAccessTokenOptionsForCluster(
+			auth.WithClusterResource("/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg/providers/Microsoft.ContainerService/managedClusters/test-cluster"))
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(opts).To(HaveLen(2))
+
+		// AKS token options
+		var aksOptions auth.Options
+		aksOptions.Apply(opts[0]...)
+		g.Expect(aksOptions.Scopes).To(Equal([]string{"6dae42f8-4368-4678-94ff-3960e28e3630/.default"}))
+
+		// ARM token options
+		var armOptions auth.Options
+		armOptions.Apply(opts[1]...)
+		g.Expect(armOptions.Scopes).To(Equal([]string{"https://management.core.azure.private//.default"}))
+	})
+
+	t.Run("no need to fetch cluster", func(t *testing.T) {
+		opts, err := azure.Provider{}.GetAccessTokenOptionsForCluster(
+			auth.WithClusterAddress("https://test-cluster-12345678.hcp.eastus.azmk8s.io:443"),
+			auth.WithCAData("-----BEGIN CERTIFICATE-----"))
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(opts).To(HaveLen(1))
+
+		// AKS token options
+		var aksOptions auth.Options
+		aksOptions.Apply(opts[0]...)
+		g.Expect(aksOptions.Scopes).To(Equal([]string{"6dae42f8-4368-4678-94ff-3960e28e3630/.default"}))
+	})
+}
+
+func createKubeconfig(clusterName, serverURL string) []byte {
+	return []byte(fmt.Sprintf(`apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
+    server: %s
+  name: %s
+contexts:
+- context:
+    cluster: %s
+    user: clusterUser_test-rg_%s
+  name: %s
+current-context: %s
+kind: Config
+users:
+- name: clusterUser_test-rg_%s
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubelogin
+      env: null
+`, serverURL, clusterName, clusterName, clusterName, clusterName, clusterName, clusterName))
+}
+
+func createTempAzureEnvFile(content string) (string, error) {
+	tempFile, err := os.CreateTemp("", "azure_env_*.json")
+	if err != nil {
+		return "", err
+	}
+
+	if err := tempFile.Close(); err != nil {
+		os.Remove(tempFile.Name())
+		return "", err
+	}
+
+	if err := os.WriteFile(tempFile.Name(), []byte(content), 0644); err != nil {
+		return "", err
+	}
+
+	return tempFile.Name(), nil
+}

auth/azure/scopes.go

@@ -0,0 +1,28 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+const (
+	// https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#q-can-i-add-a-managed-identity-from-a-different-tenant-to-my-organization
+	ScopeDevOps = "499b84ac-1321-427f-aa17-267ca6975798/.default"
+
+	// https://github.com/Azure/azure-sdk-for-go/blob/f5dfe3b53fe63aacd3aeba948bbe21d961edf376/sdk/storage/azqueue/internal/shared/shared.go#L18
+	ScopeBlobStorage = "https://storage.azure.com/.default"
+
+	// https://github.com/Azure/azure-sdk-for-go/blob/f5dfe3b53fe63aacd3aeba948bbe21d961edf376/sdk/messaging/azeventhubs/internal/sbauth/token_provider.go#L99
+	ScopeEventHubs = "https://eventhubs.azure.net//.default"
+)

auth/azure/token.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+)
+
+// Token is the Azure token.
+type Token struct{ azcore.AccessToken }
+
+type staticTokenCredential struct{ azcore.AccessToken }
+
+// GetDuration implements auth.Token.
+func (t *Token) GetDuration() time.Duration {
+	return time.Until(t.ExpiresOn)
+}
+
+func (t *Token) credential() azcore.TokenCredential {
+	return &staticTokenCredential{t.AccessToken}
+}
+
+// GetToken implements azcore.TokenCredential.
+func (s *staticTokenCredential) GetToken(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	return s.AccessToken, nil
+}

auth/azure/token_credential.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+type tokenCredential struct {
+	ctx  context.Context
+	opts []auth.Option
+}
+
+// NewTokenCredential creates a new token credential for the given options.
+func NewTokenCredential(ctx context.Context, opts ...auth.Option) azcore.TokenCredential {
+	return &tokenCredential{ctx, opts}
+}
+
+// GetToken implements exported.TokenCredential.
+// The context is ignored, use the constructor to set the context.
+// This is because the GCP abstraction does not receive a context
+// in the method arguments, so we unfortunately need to standardize
+// the behavior of all providers around this so the usage of this
+// library can be consistent regardless of the provider.
+func (t *tokenCredential) GetToken(_ context.Context, tokenOpts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	opts := t.opts
+	if tokenOpts.Scopes != nil {
+		opts = append(opts, auth.WithScopes(tokenOpts.Scopes...))
+	}
+	token, err := auth.GetAccessToken(t.ctx, Provider{}, opts...)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	azureToken, ok := token.(*Token)
+	if !ok {
+		return azcore.AccessToken{}, fmt.Errorf("failed to cast token to Azure token: %T", token)
+	}
+	return azureToken.AccessToken, nil
+}

auth/cache_key.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"strings"
+)
+
+func buildCacheKey(parts ...string) string {
+	s := strings.Join(parts, "\n")
+	hash := sha256.Sum256([]byte(s))
+	return fmt.Sprintf("%x", hash)
+}

auth/doc.go

@@ -0,0 +1,18 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// auth is a package for handling secret-less authentication with cloud providers.
+package auth

auth/feature_gate.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"os"
+)
+
+// FeatureGateObjectLevelWorkloadIdentity is a feature gate that enables the use of
+// object-level workload identity for authentication.
+const FeatureGateObjectLevelWorkloadIdentity = "ObjectLevelWorkloadIdentity"
+
+// ErrObjectLevelWorkloadIdentityNotEnabled is returned when object-level
+// workload identity is attempted but not enabled.
+var ErrObjectLevelWorkloadIdentityNotEnabled = fmt.Errorf(
+	"%s feature gate is not enabled", FeatureGateObjectLevelWorkloadIdentity)
+
+// SetFeatureGates sets the default values for the feature gates.
+func SetFeatureGates(features map[string]bool) {
+	// opt-in from Flux v2.6.
+	features[FeatureGateObjectLevelWorkloadIdentity] = false
+}
+
+// EnvVarEnableObjectLevelWorkloadIdentity is the environment variable that
+// enables the use of object-level workload identity for authentication.
+const EnvVarEnableObjectLevelWorkloadIdentity = "ENABLE_OBJECT_LEVEL_WORKLOAD_IDENTITY"
+
+// EnableObjectLevelWorkloadIdentity enables the use of object-level workload
+// identity for authentication.
+func EnableObjectLevelWorkloadIdentity() {
+	os.Setenv(EnvVarEnableObjectLevelWorkloadIdentity, "true")
+}
+
+// IsObjectLevelWorkloadIdentityEnabled returns true if the object-level
+// workload identity feature gate is enabled.
+func IsObjectLevelWorkloadIdentityEnabled() bool {
+	return os.Getenv(EnvVarEnableObjectLevelWorkloadIdentity) == "true"
+}

auth/gcp/gke_metadata.go

@@ -0,0 +1,127 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"cloud.google.com/go/compute/metadata"
+)
+
+type gkeMetadataLoader struct {
+	projectID string
+	location  string
+	name      string
+
+	mu     sync.RWMutex
+	loaded bool
+}
+
+var gkeMetadata gkeMetadataLoader
+
+func (g *gkeMetadataLoader) getAudience(ctx context.Context) (string, error) {
+	if err := g.load(ctx); err != nil {
+		return "", err
+	}
+	wiPool, _ := g.workloadIdentityPool(ctx)
+	wiProvider, _ := g.workloadIdentityProvider(ctx)
+	return fmt.Sprintf("identitynamespace:%s:%s", wiPool, wiProvider), nil
+}
+
+func (g *gkeMetadataLoader) workloadIdentityPool(ctx context.Context) (string, error) {
+	if err := g.load(ctx); err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%s.svc.id.goog", g.projectID), nil
+}
+
+func (g *gkeMetadataLoader) workloadIdentityProvider(ctx context.Context) (string, error) {
+	if err := g.load(ctx); err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("https://container.googleapis.com/v1/projects/%s/locations/%s/clusters/%s",
+		g.projectID,
+		g.location,
+		g.name), nil
+}
+
+// load loads the GKE cluster metadata from the metadata service, assuming the
+// pod is running on a GKE node/pod. It will fail otherwise, and this
+// is the reason why this method should be called lazily. If this code ran on any
+// other cluster that is not GKE it would fail consistently and throw the pods
+// in crash loop if running on startup. This method is thread-safe and will
+// only load the metadata successfully once.
+//
+// Technically we could receive options here to use a custom HTTP client with
+// a proxy, but this proxy is configured at the object level and here we are
+// loading cluster-level metadata that doesn't change during the lifetime of
+// the pod. So we can't use an object-level proxy here. Furthermore, this
+// implementation targets specifically GKE clusters, and in such clusters the
+// metadata server is usually a DaemonSet pod that serves only node-local
+// traffic, so a proxy doesn't make sense here anyway.
+func (g *gkeMetadataLoader) load(ctx context.Context) error {
+	// Bail early if the metadata was already loaded.
+	g.mu.RLock()
+	loaded := g.loaded
+	g.mu.RUnlock()
+	if loaded {
+		return nil
+	}
+
+	g.mu.Lock()
+	defer g.mu.Unlock()
+
+	// Check again if the metadata was loaded while we were waiting for the lock.
+	if g.loaded {
+		return nil
+	}
+
+	client := metadata.NewClient(nil)
+
+	projectID, err := client.GetWithContext(ctx, "project/project-id")
+	if err != nil {
+		return fmt.Errorf("failed to get GKE cluster project ID from the metadata service: %w", err)
+	}
+	if projectID == "" {
+		return fmt.Errorf("failed to get GKE cluster project ID from the metadata service: empty value")
+	}
+
+	location, err := client.GetWithContext(ctx, "instance/attributes/cluster-location")
+	if err != nil {
+		return fmt.Errorf("failed to get GKE cluster location from the metadata service: %w", err)
+	}
+	if location == "" {
+		return fmt.Errorf("failed to get GKE cluster location from the metadata service: empty value")
+	}
+
+	name, err := client.GetWithContext(ctx, "instance/attributes/cluster-name")
+	if err != nil {
+		return fmt.Errorf("failed to get GKE cluster name from the metadata service: %w", err)
+	}
+	if name == "" {
+		return fmt.Errorf("failed to get GKE cluster name from the metadata service: empty value")
+	}
+
+	g.projectID = projectID
+	g.location = location
+	g.name = name
+	g.loaded = true
+
+	return nil
+}

auth/gcp/gke_metadata_test.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp_test
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func startGKEMetadataServer(t *testing.T) {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/computeMetadata/v1/project/project-id":
+			fmt.Fprintf(w, "%s", "project-id")
+		case "/computeMetadata/v1/instance/attributes/cluster-location":
+			fmt.Fprintf(w, "%s", "cluster-location")
+		case "/computeMetadata/v1/instance/attributes/cluster-name":
+			fmt.Fprintf(w, "%s", "cluster-name")
+		}
+	}))
+	t.Cleanup(srv.Close)
+	t.Setenv("GCE_METADATA_HOST", strings.TrimPrefix(srv.URL, "http://"))
+}

auth/gcp/implementation.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"context"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"golang.org/x/oauth2/google/externalaccount"
+	"google.golang.org/api/container/v1"
+)
+
+// Implementation provides the required methods of the GCP libraries.
+type Implementation interface {
+	DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error)
+	NewTokenSource(ctx context.Context, conf externalaccount.Config) (oauth2.TokenSource, error)
+	GetCluster(ctx context.Context, cluster string, client *container.Service) (*container.Cluster, error)
+}
+
+type implementation struct{}
+
+func (implementation) DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error) {
+	return google.DefaultTokenSource(ctx, scope...)
+}
+
+func (implementation) NewTokenSource(ctx context.Context, conf externalaccount.Config) (oauth2.TokenSource, error) {
+	return externalaccount.NewTokenSource(ctx, conf)
+}
+
+func (implementation) GetCluster(ctx context.Context, cluster string, client *container.Service) (*container.Cluster, error) {
+	return client.Projects.Locations.Clusters.Get(cluster).Context(ctx).Do()
+}

auth/gcp/implementation_test.go

@@ -0,0 +1,112 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp_test
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+	"unsafe"
+
+	. "github.com/onsi/gomega"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google/externalaccount"
+	"google.golang.org/api/container/v1"
+)
+
+type mockImplementation struct {
+	t *testing.T
+
+	expectGKEAPICall bool
+
+	argConfig   externalaccount.Config
+	argProxyURL *url.URL
+	argCluster  string
+
+	returnToken   *oauth2.Token
+	returnCluster *container.Cluster
+}
+
+func (m *mockImplementation) DefaultTokenSource(ctx context.Context, scope ...string) (oauth2.TokenSource, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	g.Expect(scope).To(Equal([]string{
+		"https://www.googleapis.com/auth/cloud-platform",
+		"https://www.googleapis.com/auth/userinfo.email",
+	}))
+	return oauth2.StaticTokenSource(m.returnToken), nil
+}
+
+func (m *mockImplementation) NewTokenSource(ctx context.Context, conf externalaccount.Config) (oauth2.TokenSource, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport)).NotTo(BeNil())
+	g.Expect(ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := ctx.Value(oauth2.HTTPClient).(*http.Client).Transport.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	g.Expect(conf).To(Equal(m.argConfig))
+	return oauth2.StaticTokenSource(m.returnToken), nil
+}
+
+func (m *mockImplementation) GetCluster(ctx context.Context, cluster string, client *container.Service) (*container.Cluster, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(m.expectGKEAPICall).To(BeTrue())
+	g.Expect(ctx).NotTo(BeNil())
+	g.Expect(cluster).To(Equal(m.argCluster))
+	g.Expect(client).NotTo(BeNil())
+	g.Expect(client.BasePath).To(Equal("https://container.googleapis.com/"))
+	httpClientField := reflect.ValueOf(client).Elem().FieldByName("client")
+	httpClientValue := reflect.NewAt(httpClientField.Type(), unsafe.Pointer(httpClientField.UnsafeAddr())).Elem().Interface().(*http.Client)
+	g.Expect(httpClientValue).NotTo(BeNil())
+	g.Expect(httpClientValue.Transport).NotTo(BeNil())
+	g.Expect(httpClientValue.Transport.(*oauth2.Transport)).NotTo(BeNil())
+	g.Expect(httpClientValue.Transport.(*oauth2.Transport).Source).NotTo(BeNil())
+	token, err := httpClientValue.Transport.(*oauth2.Transport).Source.Token()
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(token).To(Equal(m.returnToken))
+	g.Expect(httpClientValue.Transport.(*oauth2.Transport).Base).NotTo(BeNil())
+	g.Expect(httpClientValue.Transport.(*oauth2.Transport).Base.(*otelhttp.Transport)).NotTo(BeNil())
+	otelRoundTripperField := reflect.ValueOf(httpClientValue.Transport.(*oauth2.Transport).Base.(*otelhttp.Transport)).Elem().FieldByName("rt")
+	otelRoundTripperValue := reflect.NewAt(otelRoundTripperField.Type(), unsafe.Pointer(otelRoundTripperField.UnsafeAddr())).Elem().Interface()
+	g.Expect(otelRoundTripperValue).NotTo(BeNil())
+	parameterRoundTripperField := reflect.ValueOf(otelRoundTripperValue).Elem().FieldByName("base")
+	parameterRoundTripperValue := reflect.NewAt(parameterRoundTripperField.Type(), unsafe.Pointer(parameterRoundTripperField.UnsafeAddr())).Elem().Interface()
+	g.Expect(parameterRoundTripperValue.(*http.Transport)).NotTo(BeNil())
+	g.Expect(parameterRoundTripperValue.(*http.Transport).Proxy).NotTo(BeNil())
+	proxyURL, err := parameterRoundTripperValue.(*http.Transport).Proxy(nil)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(proxyURL).To(Equal(m.argProxyURL))
+	return m.returnCluster, nil
+}

auth/gcp/options.go

@@ -0,0 +1,70 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"fmt"
+	"regexp"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+const serviceAccountEmailPattern = `^[a-zA-Z0-9-]{1,100}@[a-zA-Z0-9-]{1,100}\.iam\.gserviceaccount\.com$`
+
+var serviceAccountEmailRegex = regexp.MustCompile(serviceAccountEmailPattern)
+
+func getServiceAccountEmail(serviceAccount corev1.ServiceAccount) (string, error) {
+	const key = "iam.gke.io/gcp-service-account"
+	email := serviceAccount.Annotations[key]
+	if email == "" {
+		return "", nil
+	}
+	if !serviceAccountEmailRegex.MatchString(email) {
+		return "", fmt.Errorf("invalid %s annotation: '%s'. must match %s",
+			key, email, serviceAccountEmailPattern)
+	}
+	return email, nil
+}
+
+const workloadIdentityProviderPattern = `^projects/\d{1,30}/locations/global/workloadIdentityPools/[^/]{1,100}/providers/[^/]{1,100}$`
+
+var workloadIdentityProviderRegex = regexp.MustCompile(workloadIdentityProviderPattern)
+
+func getWorkloadIdentityProviderAudience(serviceAccount corev1.ServiceAccount) (string, error) {
+	const key = "gcp.auth.fluxcd.io/workload-identity-provider"
+	wip := serviceAccount.Annotations[key]
+	if wip == "" {
+		return "", nil
+	}
+	if !workloadIdentityProviderRegex.MatchString(wip) {
+		return "", fmt.Errorf("invalid %s annotation: '%s'. must match %s",
+			key, wip, workloadIdentityProviderPattern)
+	}
+	return fmt.Sprintf("//iam.googleapis.com/%s", wip), nil
+}
+
+const clusterPattern = `^projects/[^/]{1,200}/locations/[^/]{1,200}/clusters/[^/]{1,200}$`
+
+var clusterRegex = regexp.MustCompile(clusterPattern)
+
+func parseCluster(cluster string) error {
+	if !clusterRegex.MatchString(cluster) {
+		return fmt.Errorf("invalid GKE cluster ID: '%s'. must match %s",
+			cluster, clusterPattern)
+	}
+	return nil
+}

auth/gcp/provider.go

@@ -0,0 +1,286 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"regexp"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google/externalaccount"
+	"google.golang.org/api/container/v1"
+	"google.golang.org/api/option"
+	htransport "google.golang.org/api/transport/http"
+	corev1 "k8s.io/api/core/v1"
+
+	auth "github.com/fluxcd/pkg/auth"
+)
+
+// ProviderName is the name of the GCP authentication provider.
+const ProviderName = "gcp"
+
+var scopes = []string{
+	"https://www.googleapis.com/auth/cloud-platform",
+	"https://www.googleapis.com/auth/userinfo.email",
+}
+
+// Provider implements the auth.Provider interface for GCP authentication.
+type Provider struct{ Implementation }
+
+// GetName implements auth.Provider.
+func (Provider) GetName() string {
+	return ProviderName
+}
+
+// NewControllerToken implements auth.Provider.
+func (p Provider) NewControllerToken(ctx context.Context, opts ...auth.Option) (auth.Token, error) {
+	var o auth.Options
+	o.Apply(opts...)
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, o.GetHTTPClient())
+
+	src, err := p.impl().DefaultTokenSource(ctx, scopes...)
+	if err != nil {
+		return nil, err
+	}
+	token, err := src.Token()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{*token}, nil
+}
+
+// GetAudiences implements auth.Provider.
+func (Provider) GetAudiences(ctx context.Context, serviceAccount corev1.ServiceAccount) ([]string, error) {
+
+	// Check if a workload identity provider is specified in the service account.
+	// If so, the current cluster is not GKE and the audience is the provider itself.
+	audience, err := getWorkloadIdentityProviderAudience(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+	if audience != "" {
+		return []string{audience}, nil
+	}
+
+	// Assume we are in GKE. In this case, the audience is the workload identity pool.
+	audience, err = gkeMetadata.workloadIdentityPool(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return []string{audience}, nil
+}
+
+// GetIdentity implements auth.Provider.
+func (Provider) GetIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	email, err := getServiceAccountEmail(serviceAccount)
+	if err != nil {
+		return "", err
+	}
+	return email, nil
+}
+
+// NewTokenForServiceAccount implements auth.Provider.
+func (p Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
+	serviceAccount corev1.ServiceAccount, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Check if a workload identity provider is specified in the service account.
+	// If so, the current cluster is not GKE and the audience is the provider itself.
+	audience, err := getWorkloadIdentityProviderAudience(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+
+	// Assume we are in GKE. In this case, retrieve the audience from the metadata.
+	if audience == "" {
+		audience, err = gkeMetadata.getAudience(ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	conf := externalaccount.Config{
+		UniverseDomain:       "googleapis.com",
+		Audience:             audience,
+		SubjectTokenType:     "urn:ietf:params:oauth:token-type:jwt",
+		TokenURL:             "https://sts.googleapis.com/v1/token",
+		SubjectTokenSupplier: StaticTokenSupplier(oidcToken),
+		Scopes:               scopes,
+	}
+
+	email, err := getServiceAccountEmail(serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+
+	if email != "" { // impersonation
+		conf.ServiceAccountImpersonationURL = fmt.Sprintf(
+			"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",
+			email)
+	} else { // direct access
+		conf.TokenInfoURL = "https://sts.googleapis.com/v1/introspect"
+	}
+
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, o.GetHTTPClient())
+
+	src, err := p.impl().NewTokenSource(ctx, conf)
+	if err != nil {
+		return nil, err
+	}
+	token, err := src.Token()
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{*token}, nil
+}
+
+// GetAccessTokenOptionsForArtifactRepository implements auth.Provider.
+func (Provider) GetAccessTokenOptionsForArtifactRepository(string) ([]auth.Option, error) {
+	// GCP does not require any special options to retrieve access tokens.
+	return nil, nil
+}
+
+const registryPattern = `^(((.+\.)?gcr\.io)|(.+-docker\.pkg\.dev))$`
+
+var registryRegex = regexp.MustCompile(registryPattern)
+
+// ParseArtifactRepository implements auth.Provider.
+func (Provider) ParseArtifactRepository(artifactRepository string) (string, error) {
+	registry, err := auth.GetRegistryFromArtifactRepository(artifactRepository)
+	if err != nil {
+		return "", err
+	}
+
+	if !registryRegex.MatchString(registry) {
+		return "", fmt.Errorf("invalid GCP registry: '%s'. must match %s",
+			registry, registryPattern)
+	}
+
+	// The artifact repository is irrelevant for issuing GCP registry credentials,
+	// just return the provider name for inclusion in the cache key.
+	return ProviderName, nil
+}
+
+// NewArtifactRegistryCredentials implements auth.Provider.
+func (Provider) NewArtifactRegistryCredentials(_ context.Context, _ string,
+	accessToken auth.Token, _ ...auth.Option) (*auth.ArtifactRegistryCredentials, error) {
+
+	t := accessToken.(*Token)
+
+	return &auth.ArtifactRegistryCredentials{
+		Authenticator: authn.FromConfig(authn.AuthConfig{
+			Username: "oauth2accesstoken",
+			Password: t.AccessToken,
+		}),
+		ExpiresAt: t.Expiry,
+	}, nil
+}
+
+// GetAccessTokenOptionsForCluster implements auth.Provider.
+func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
+	// A single token is needed. No options.
+	return [][]auth.Option{{}}, nil
+}
+
+// NewRESTConfig implements auth.Provider.
+func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
+	opts ...auth.Option) (*auth.RESTConfig, error) {
+
+	token := accessTokens[0].(*Token)
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Describe the cluster resource to get missing CA or endpoint.
+	host := o.ClusterAddress
+	caData := []byte(o.CAData)
+	if host == "" || len(caData) == 0 {
+		cluster := o.ClusterResource
+		if err := parseCluster(cluster); err != nil {
+			return nil, err
+		}
+
+		// Create client for describing the cluster resource.
+		baseTransport := http.DefaultTransport.(*http.Transport).Clone()
+		if p := o.ProxyURL; p != nil {
+			baseTransport.Proxy = http.ProxyURL(p)
+		}
+		transport, err := htransport.NewTransport(ctx, baseTransport, option.WithTokenSource(token.source()))
+		if err != nil {
+			return nil, fmt.Errorf("failed to create google http transport for describing GKE cluster: %w", err)
+		}
+		client, err := container.NewService(ctx, option.WithHTTPClient(&http.Client{Transport: transport}))
+		if err != nil {
+			return nil, fmt.Errorf("failed to create client for describing GKE cluster: %w", err)
+		}
+
+		// Describe the cluster resource.
+		clusterResource, err := p.impl().GetCluster(ctx, cluster, client)
+		if err != nil {
+			return nil, fmt.Errorf("failed to describe GKE cluster '%s': %w", cluster, err)
+		}
+
+		// Compare specified address and address from the cluster resource.
+		endpoint := clusterResource.Endpoint
+		if host != "" {
+			canonicalAddress, err := auth.ParseClusterAddress(host)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse specified cluster address '%s': %w", host, err)
+			}
+			canonicalEndpoint, err := auth.ParseClusterAddress(endpoint)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse GKE endpoint '%s': %w", endpoint, err)
+			}
+			if canonicalAddress != canonicalEndpoint {
+				return nil, fmt.Errorf("GKE endpoint '%s' does not match specified address: '%s'", endpoint, host)
+			}
+		}
+
+		// Update host and CA with cluster details.
+		host = endpoint
+		if len(caData) == 0 {
+			caData, err = base64.StdEncoding.DecodeString(clusterResource.MasterAuth.ClusterCaCertificate)
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode GKE CA certificate: %w", err)
+			}
+		}
+	}
+
+	// Build and return the REST config.
+	return &auth.RESTConfig{
+		Host:        host,
+		BearerToken: token.AccessToken,
+		CAData:      caData,
+		ExpiresAt:   token.Expiry,
+	}, nil
+}
+
+func (p Provider) impl() Implementation {
+	if p.Implementation == nil {
+		return implementation{}
+	}
+	return p.Implementation
+}

auth/gcp/provider_test.go

@@ -0,0 +1,460 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp_test
+
+import (
+	"context"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/google/go-containerregistry/pkg/authn"
+	. "github.com/onsi/gomega"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google/externalaccount"
+	"google.golang.org/api/container/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/gcp"
+)
+
+func TestProvider_NewControllerToken(t *testing.T) {
+	g := NewWithT(t)
+
+	impl := &mockImplementation{
+		t:           t,
+		argProxyURL: &url.URL{Scheme: "http", Host: "proxy.example.com"},
+		returnToken: &oauth2.Token{AccessToken: "access-token"},
+	}
+
+	opts := []auth.Option{
+		auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+	}
+
+	provider := gcp.Provider{Implementation: impl}
+	token, err := provider.NewControllerToken(context.Background(), opts...)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(token).To(Equal(&gcp.Token{oauth2.Token{AccessToken: "access-token"}}))
+}
+
+func TestProvider_NewTokenForServiceAccount(t *testing.T) {
+	startGKEMetadataServer(t)
+
+	for _, tt := range []struct {
+		name        string
+		conf        externalaccount.Config
+		annotations map[string]string
+		err         string
+	}{
+		{
+			name: "direct access",
+			conf: externalaccount.Config{
+				Audience:         "identitynamespace:project-id.svc.id.goog:https://container.googleapis.com/v1/projects/project-id/locations/cluster-location/clusters/cluster-name",
+				SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:         "https://sts.googleapis.com/v1/token",
+				TokenInfoURL:     "https://sts.googleapis.com/v1/introspect",
+				Scopes: []string{
+					"https://www.googleapis.com/auth/cloud-platform",
+					"https://www.googleapis.com/auth/userinfo.email",
+				},
+				SubjectTokenSupplier: gcp.StaticTokenSupplier("oidc-token"),
+				UniverseDomain:       "googleapis.com",
+			},
+		},
+		{
+			name: "impersonation",
+			conf: externalaccount.Config{
+				Audience:                       "identitynamespace:project-id.svc.id.goog:https://container.googleapis.com/v1/projects/project-id/locations/cluster-location/clusters/cluster-name",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-sa@project-id.iam.gserviceaccount.com:generateAccessToken",
+				Scopes: []string{
+					"https://www.googleapis.com/auth/cloud-platform",
+					"https://www.googleapis.com/auth/userinfo.email",
+				},
+				SubjectTokenSupplier: gcp.StaticTokenSupplier("oidc-token"),
+				UniverseDomain:       "googleapis.com",
+			},
+			annotations: map[string]string{
+				"iam.gke.io/gcp-service-account": "test-sa@project-id.iam.gserviceaccount.com",
+			},
+		},
+		{
+			name: "direct access - federation",
+			conf: externalaccount.Config{
+				Audience:         "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+				SubjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:         "https://sts.googleapis.com/v1/token",
+				TokenInfoURL:     "https://sts.googleapis.com/v1/introspect",
+				Scopes: []string{
+					"https://www.googleapis.com/auth/cloud-platform",
+					"https://www.googleapis.com/auth/userinfo.email",
+				},
+				SubjectTokenSupplier: gcp.StaticTokenSupplier("oidc-token"),
+				UniverseDomain:       "googleapis.com",
+			},
+			annotations: map[string]string{
+				"gcp.auth.fluxcd.io/workload-identity-provider": "projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+			},
+		},
+		{
+			name: "impersonation - federation",
+			conf: externalaccount.Config{
+				Audience:                       "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+				SubjectTokenType:               "urn:ietf:params:oauth:token-type:jwt",
+				TokenURL:                       "https://sts.googleapis.com/v1/token",
+				ServiceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test-sa@project-id.iam.gserviceaccount.com:generateAccessToken",
+				Scopes: []string{
+					"https://www.googleapis.com/auth/cloud-platform",
+					"https://www.googleapis.com/auth/userinfo.email",
+				},
+				SubjectTokenSupplier: gcp.StaticTokenSupplier("oidc-token"),
+				UniverseDomain:       "googleapis.com",
+			},
+			annotations: map[string]string{
+				"iam.gke.io/gcp-service-account":                "test-sa@project-id.iam.gserviceaccount.com",
+				"gcp.auth.fluxcd.io/workload-identity-provider": "projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+			},
+		},
+		{
+			name: "invalid sa email",
+			annotations: map[string]string{
+				"iam.gke.io/gcp-service-account": "foobar",
+			},
+			err: `invalid iam.gke.io/gcp-service-account annotation: 'foobar'. must match ^[a-zA-Z0-9-]{1,100}@[a-zA-Z0-9-]{1,100}\.iam\.gserviceaccount\.com$`,
+		},
+		{
+			name: "invalid workload identity provider",
+			annotations: map[string]string{
+				"gcp.auth.fluxcd.io/workload-identity-provider": "foobar",
+			},
+			err: `invalid gcp.auth.fluxcd.io/workload-identity-provider annotation: 'foobar'. must match ^projects/\d{1,30}/locations/global/workloadIdentityPools/[^/]{1,100}/providers/[^/]{1,100}$`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			impl := &mockImplementation{
+				t:           t,
+				argConfig:   tt.conf,
+				argProxyURL: &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				returnToken: &oauth2.Token{AccessToken: "access-token"},
+			}
+
+			oidcToken := "oidc-token"
+			serviceAccount := corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-sa",
+					Namespace:   "test-ns",
+					Annotations: tt.annotations,
+				},
+			}
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+				auth.WithSTSEndpoint("https://sts.example.com"),
+			}
+
+			provider := gcp.Provider{Implementation: impl}
+			token, err := provider.NewTokenForServiceAccount(context.Background(), oidcToken, serviceAccount, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(token).To(Equal(&gcp.Token{oauth2.Token{AccessToken: "access-token"}}))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(token).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAudience(t *testing.T) {
+	startGKEMetadataServer(t)
+
+	for _, tt := range []struct {
+		name        string
+		annotations map[string]string
+		expected    string
+	}{
+		{
+			name: "federation",
+			annotations: map[string]string{
+				"gcp.auth.fluxcd.io/workload-identity-provider": "projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+			},
+			expected: "//iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/test-pool/providers/test-provider",
+		},
+		{
+			name:     "gke",
+			expected: "project-id.svc.id.goog",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			serviceAccount := corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tt.annotations,
+				},
+			}
+
+			aud, err := gcp.Provider{}.GetAudiences(context.Background(), serviceAccount)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(aud).To(Equal([]string{tt.expected}))
+		})
+	}
+}
+
+func TestProvider_GetIdentity(t *testing.T) {
+	for _, tt := range []struct {
+		name        string
+		annotations map[string]string
+		expected    string
+	}{
+		{
+			name: "impersonation",
+			annotations: map[string]string{
+				"iam.gke.io/gcp-service-account": "test-sa@project-id.iam.gserviceaccount.com",
+			},
+			expected: "test-sa@project-id.iam.gserviceaccount.com",
+		},
+		{
+			name:     "direct access",
+			expected: "",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			serviceAccount := corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tt.annotations,
+				},
+			}
+
+			identity, err := gcp.Provider{}.GetIdentity(serviceAccount)
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(identity).To(Equal(tt.expected))
+		})
+	}
+}
+
+func TestProvider_NewArtifactRegistryCredentials(t *testing.T) {
+	g := NewWithT(t)
+
+	exp := time.Now()
+
+	provider := gcp.Provider{
+		Implementation: &mockImplementation{
+			t:           t,
+			argProxyURL: &url.URL{Scheme: "http", Host: "proxy.example.com"},
+			returnToken: &oauth2.Token{
+				AccessToken: "access-token",
+				Expiry:      exp,
+			},
+		},
+	}
+
+	creds, err := auth.GetArtifactRegistryCredentials(context.Background(), provider, "gcr.io",
+		auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}))
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(creds).NotTo(BeNil())
+	g.Expect(creds.ExpiresAt).To(Equal(exp))
+	g.Expect(creds.Authenticator).NotTo(BeNil())
+	authConf, err := creds.Authenticator.Authorization()
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(authConf).To(Equal(&authn.AuthConfig{
+		Username: "oauth2accesstoken",
+		Password: "access-token",
+	}))
+}
+
+func TestProvider_ParseArtifactRegistry(t *testing.T) {
+	for _, tt := range []struct {
+		artifactRepository string
+		expectValid        bool
+	}{
+		{
+			artifactRepository: "gcr.io",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: ".gcr.io",
+			expectValid:        false,
+		},
+		{
+			artifactRepository: "a.gcr.io",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "-docker.pkg.dev",
+			expectValid:        false,
+		},
+		{
+			artifactRepository: "a-docker.pkg.dev",
+			expectValid:        true,
+		},
+		{
+			artifactRepository: "012345678901.dkr.ecr.us-east-1.amazonaws.com",
+			expectValid:        false,
+		},
+	} {
+		t.Run(tt.artifactRepository, func(t *testing.T) {
+			g := NewWithT(t)
+
+			cacheKey, err := gcp.Provider{}.ParseArtifactRepository(tt.artifactRepository)
+
+			if tt.expectValid {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(cacheKey).To(Equal("gcp"))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(cacheKey).To(BeEmpty())
+			}
+		})
+	}
+}
+
+func TestProvider_NewRESTConfig(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		cluster        string
+		clusterAddress string
+		caData         string
+		masterAuth     *container.MasterAuth
+		endpoint       string
+		err            string
+	}{
+		{
+			name:    "valid GKE cluster",
+			cluster: "projects/test-project/locations/us-central1/clusters/test-cluster",
+			masterAuth: &container.MasterAuth{
+				ClusterCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t", // base64 encoded "-----BEGIN CERTIFICATE-----"
+			},
+			endpoint: "https://203.0.113.10",
+		},
+		{
+			name:           "valid GKE cluster with address match",
+			cluster:        "projects/test-project/locations/us-central1/clusters/test-cluster",
+			clusterAddress: "https://203.0.113.10:443",
+			masterAuth: &container.MasterAuth{
+				ClusterCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t",
+			},
+			endpoint: "https://203.0.113.10",
+		},
+		{
+			name:     "valid GKE cluster with CA",
+			cluster:  "projects/test-project/locations/us-central1/clusters/test-cluster",
+			caData:   "-----BEGIN CERTIFICATE-----",
+			endpoint: "https://203.0.113.10",
+		},
+		{
+			name:           "CA and address only",
+			clusterAddress: "https://203.0.113.10",
+			caData:         "-----BEGIN CERTIFICATE-----",
+			endpoint:       "https://203.0.113.10",
+		},
+		{
+			name:           "cluster address mismatch",
+			cluster:        "projects/test-project/locations/us-central1/clusters/test-cluster",
+			clusterAddress: "https://198.51.100.10:443",
+			masterAuth: &container.MasterAuth{
+				ClusterCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t",
+			},
+			endpoint: "https://203.0.113.10",
+			err:      "GKE endpoint 'https://203.0.113.10' does not match specified address: 'https://198.51.100.10:443'",
+		},
+		{
+			name:    "invalid cluster ID",
+			cluster: "invalid-cluster-id",
+			err:     "invalid GKE cluster ID: 'invalid-cluster-id'. must match ^projects/[^/]{1,200}/locations/[^/]{1,200}/clusters/[^/]{1,200}$",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			tokenExpiry := time.Now().Add(1 * time.Hour)
+			impl := &mockImplementation{
+				t:                t,
+				expectGKEAPICall: tt.clusterAddress == "" || tt.caData == "",
+				argCluster:       tt.cluster,
+				argProxyURL:      &url.URL{Scheme: "http", Host: "proxy.example.com"},
+				returnToken: &oauth2.Token{
+					AccessToken: "access-token",
+					Expiry:      tokenExpiry,
+				},
+				returnCluster: &container.Cluster{
+					Endpoint:   tt.endpoint,
+					MasterAuth: tt.masterAuth,
+				},
+			}
+
+			opts := []auth.Option{
+				auth.WithProxyURL(url.URL{Scheme: "http", Host: "proxy.example.com"}),
+			}
+
+			if tt.cluster != "" {
+				opts = append(opts, auth.WithClusterResource(tt.cluster))
+			}
+
+			if tt.clusterAddress != "" {
+				opts = append(opts, auth.WithClusterAddress(tt.clusterAddress))
+			}
+
+			if tt.caData != "" {
+				opts = append(opts, auth.WithCAData(tt.caData))
+			}
+
+			provider := gcp.Provider{Implementation: impl}
+			restConfig, err := auth.GetRESTConfig(context.Background(), provider, opts...)
+
+			if tt.err == "" {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(restConfig).NotTo(BeNil())
+				g.Expect(restConfig.Host).To(Equal(tt.endpoint))
+				g.Expect(restConfig.BearerToken).To(Equal("access-token"))
+				g.Expect(restConfig.CAData).To(Equal([]byte("-----BEGIN CERTIFICATE-----")))
+				g.Expect(restConfig.ExpiresAt).To(Equal(tokenExpiry))
+			} else {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(ContainSubstring(tt.err))
+				g.Expect(restConfig).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
+	g := NewWithT(t)
+
+	t.Run("with cluster resource", func(t *testing.T) {
+		opts, err := gcp.Provider{}.GetAccessTokenOptionsForCluster(
+			auth.WithClusterResource("projects/test-project/locations/us-central1/clusters/test-cluster"))
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(opts).To(HaveLen(1))
+		g.Expect(opts[0]).To(HaveLen(0)) // Empty slice - no options needed for GCP
+	})
+
+	t.Run("without cluster resource", func(t *testing.T) {
+		opts, err := gcp.Provider{}.GetAccessTokenOptionsForCluster()
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(opts).To(HaveLen(1))
+		g.Expect(opts[0]).To(HaveLen(0)) // Empty slice - no options needed for GCP
+	})
+}

auth/gcp/token.go

@@ -0,0 +1,35 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+// Token is the GCP token.
+type Token struct{ oauth2.Token }
+
+// GetDuration implements auth.Token.
+func (t *Token) GetDuration() time.Duration {
+	return time.Until(t.Expiry)
+}
+
+func (t *Token) source() oauth2.TokenSource {
+	return oauth2.StaticTokenSource(&t.Token)
+}

auth/gcp/token_source.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"context"
+	"fmt"
+
+	"golang.org/x/oauth2"
+
+	auth "github.com/fluxcd/pkg/auth"
+)
+
+type tokenSource struct {
+	ctx  context.Context
+	opts []auth.Option
+}
+
+// NewTokenSource creates a new token source for the given context and options.
+func NewTokenSource(ctx context.Context, opts ...auth.Option) oauth2.TokenSource {
+	return &tokenSource{ctx, opts}
+}
+
+// Token implements oauth2.TokenSource.
+func (t *tokenSource) Token() (*oauth2.Token, error) {
+	token, err := auth.GetAccessToken(t.ctx, Provider{}, t.opts...)
+	if err != nil {
+		return nil, err
+	}
+	gcpToken, ok := token.(*Token)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast token to GCP token: %T", token)
+	}
+	return &gcpToken.Token, nil
+}

auth/gcp/token_supplier.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"context"
+
+	"golang.org/x/oauth2/google/externalaccount"
+)
+
+// StaticTokenSupplier provides a static OIDC token.
+type StaticTokenSupplier string
+
+// SubjectToken implements externalaccount.SubjectTokenSupplier.
+func (s StaticTokenSupplier) SubjectToken(context.Context, externalaccount.SupplierOptions) (string, error) {
+	return string(s), nil
+}

auth/generic/implementation.go

@@ -0,0 +1,30 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import "os"
+
+// Implementation provides the required methods of the generic libraries.
+type Implementation interface {
+	ReadFile(name string) ([]byte, error)
+}
+
+type implementation struct{}
+
+func (implementation) ReadFile(name string) ([]byte, error) {
+	return os.ReadFile(name)
+}

auth/generic/implementation_test.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+type mockImplementation struct {
+	t *testing.T
+
+	b []byte
+}
+
+func (m *mockImplementation) ReadFile(name string) ([]byte, error) {
+	m.t.Helper()
+	g := NewWithT(m.t)
+	g.Expect(name).To(Equal("/var/run/secrets/kubernetes.io/serviceaccount/token"))
+	return m.b, nil
+}

auth/generic/provider.go

@@ -0,0 +1,201 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	authnv1 "k8s.io/api/authentication/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/auth"
+)
+
+// ProviderName is the name of the generic authentication provider.
+const ProviderName = "generic"
+
+// Provider implements the auth.Provider interface for generic authentication.
+type Provider struct{ Implementation }
+
+// GetName implements auth.RESTConfigProvider.
+func (p Provider) GetName() string {
+	return ProviderName
+}
+
+// NewControllerToken implements auth.RESTConfigProvider.
+func (p Provider) NewControllerToken(ctx context.Context, opts ...auth.Option) (auth.Token, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	if o.Client == nil {
+		return nil, errors.New("client is required to create a controller token")
+	}
+
+	// Like all providers, this one should fetch controller-level credentials
+	// from the environment. In this case, this means opening the well-known
+	// Kubernetes service account token file and parsing it to figure out
+	// the controller's identity.
+	const tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	b, err := p.impl().ReadFile(tokenFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read service account token file %s: %w", tokenFile, err)
+	}
+
+	// Get controller service account from token subject.
+	tok, _, err := jwt.NewParser().ParseUnverified(string(b), jwt.MapClaims{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse service account token: %w", err)
+	}
+	sub, err := tok.Claims.GetSubject()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get subject from service account token: %w", err)
+	}
+	parts := strings.Split(sub, ":")
+	if len(parts) != 4 {
+		return nil, fmt.Errorf("invalid subject format in service account token: %s", sub)
+	}
+	serviceAccount := corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      parts[3],
+			Namespace: parts[2],
+		},
+	}
+
+	// Create token.
+	tokenReq := &authnv1.TokenRequest{
+		Spec: authnv1.TokenRequestSpec{
+			Audiences: o.Audiences,
+		},
+	}
+	if err := o.Client.SubResource("token").Create(ctx, &serviceAccount, tokenReq); err != nil {
+		return nil, fmt.Errorf("failed to create kubernetes token for controller service account '%s': %w",
+			client.ObjectKeyFromObject(&serviceAccount), err)
+	}
+	token := tokenReq.Status.Token
+
+	exp, err := getExpirationFromToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{
+		Token:     token,
+		ExpiresAt: *exp,
+	}, nil
+}
+
+// GetAudiences implements auth.RESTConfigProvider.
+func (Provider) GetAudiences(context.Context, corev1.ServiceAccount) ([]string, error) {
+	// Use TokenRequest default audiences.
+	return nil, nil
+}
+
+// GetIdentity implements auth.RESTConfigProvider.
+func (Provider) GetIdentity(serviceAccount corev1.ServiceAccount) (string, error) {
+	return fmt.Sprintf("system:serviceaccount:%s:%s", serviceAccount.Namespace, serviceAccount.Name), nil
+}
+
+// NewTokenForServiceAccount implements auth.RESTConfigProvider.
+func (Provider) NewTokenForServiceAccount(ctx context.Context, oidcToken string,
+	serviceAccount corev1.ServiceAccount, opts ...auth.Option) (auth.Token, error) {
+
+	exp, err := getExpirationFromToken(oidcToken)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Token{
+		Token:     oidcToken,
+		ExpiresAt: *exp,
+	}, nil
+}
+
+// GetAccessTokenOptionsForCluster implements auth.RESTConfigProvider.
+func (Provider) GetAccessTokenOptionsForCluster(opts ...auth.Option) ([][]auth.Option, error) {
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	audiences := o.Audiences
+	if len(audiences) == 0 {
+		// Use cluster address as the default audience.
+		audiences = []string{o.ClusterAddress}
+	}
+
+	return [][]auth.Option{{auth.WithAudiences(audiences...)}}, nil
+}
+
+// NewRESTConfig implements auth.RESTConfigProvider.
+func (Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
+	opts ...auth.Option) (*auth.RESTConfig, error) {
+
+	token := accessTokens[0].(*Token)
+
+	var o auth.Options
+	o.Apply(opts...)
+
+	// Parse the cluster address.
+	host := o.ClusterAddress
+	if host == "" {
+		return nil, errors.New("cluster address is required to create a REST config")
+	}
+	var err error
+	host, err = auth.ParseClusterAddress(host)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse cluster address %s: %w", o.ClusterAddress, err)
+	}
+
+	// Get CA if provided.
+	var caData []byte
+	if o.CAData != "" {
+		caData = []byte(o.CAData)
+	}
+
+	return &auth.RESTConfig{
+		Host:        host,
+		CAData:      caData,
+		BearerToken: token.Token,
+		ExpiresAt:   token.ExpiresAt,
+	}, nil
+}
+
+func (p Provider) impl() Implementation {
+	if p.Implementation == nil {
+		return implementation{}
+	}
+	return p.Implementation
+}
+
+func getExpirationFromToken(token string) (*time.Time, error) {
+	tok, _, err := jwt.NewParser().ParseUnverified(token, jwt.MapClaims{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse service account token: %w", err)
+	}
+	exp, err := tok.Claims.GetExpirationTime()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get expiration time from service account token: %w", err)
+	}
+	return &exp.Time, nil
+}