Migrate to fluxcd/pkg

2020-06-30 17:19:22 +03:00 · 2020-06-30 17:19:22 +03:00 · e92cbbdd45
parent ea6c59b84a
commit e92cbbdd45
13 changed files with 24 additions and 1293 deletions
--- a/controllers/storage.go
+++ b/controllers/storage.go
@ -32,8 +32,8 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"github.com/fluxcd/pkg/lockedfile"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
 	"github.com/fluxcd/source-controller/internal/lockedfile"
 )
 const (
--- a/go.mod
+++ b/go.mod
@ -4,13 +4,14 @@ go 1.13
 require (
 	github.com/blang/semver v3.5.0+incompatible
 	github.com/fluxcd/pkg v0.0.1
 	github.com/go-git/go-billy/v5 v5.0.0
-	github.com/go-git/go-git/v5 v5.0.0
+	github.com/go-git/go-git/v5 v5.1.0
 	github.com/go-logr/logr v0.1.0
 	github.com/onsi/ginkgo v1.11.0
 	github.com/onsi/gomega v1.8.1
 	github.com/sosedoff/gitkit v0.2.1-0.20191202022816-7182d43c6254
-	golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
 	helm.sh/helm/v3 v3.1.2
 	k8s.io/api v0.17.2
 	k8s.io/apimachinery v0.17.2
--- a/go.sum
+++ b/go.sum
@ -159,6 +159,8 @@ github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZM
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fluxcd/pkg v0.0.1 h1:yECp5SBjX7vUBOjd3KYBoVQwt22A0u1SZJjYV4PduAk=
 github.com/fluxcd/pkg v0.0.1/go.mod h1:3DgEcVmkVYrA/BDb/fyDIJllxK++c/ovLCMPRlkAp9Y=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
@ -178,8 +180,8 @@ github.com/go-git/go-billy/v5 v5.0.0 h1:7NQHvd9FVid8VL4qVUMm8XifBK+2xCoZ2lSk0agR
 github.com/go-git/go-billy/v5 v5.0.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
 github.com/go-git/go-git-fixtures/v4 v4.0.1 h1:q+IFMfLx200Q3scvt2hN79JsEzy4AmBTp/pqnefH+Bc=
 github.com/go-git/go-git-fixtures/v4 v4.0.1/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw=
-github.com/go-git/go-git/v5 v5.0.0 h1:k5RWPm4iJwYtfWoxIJy4wJX9ON7ihPeZZYC1fLYDnpg=
+github.com/go-git/go-git/v5 v5.1.0 h1:HxJn9g/E7eYvKW3Fm7Jt4ee8LXfPOm/H1cdDu8vEssk=
-github.com/go-git/go-git/v5 v5.0.0/go.mod h1:oYD8y9kWsGINPFJoLdaScGCN6dlKg23blmClfZwtUVA=
+github.com/go-git/go-git/v5 v5.1.0/go.mod h1:ZKfuPUoY1ZqIG4QG9BDBh3G4gLM5zvPuSJAozQrZuyM=
 github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@ -268,6 +270,8 @@ github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-github/v32 v32.0.0/go.mod h1:rIEpZD9CTDQwDK9GDrtMTycQNA4JU3qBsCizh3q2WCI=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@ -296,7 +300,10 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@ -312,6 +319,8 @@ github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
 github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.9 h1:UauaLniWCFHWd+Jp9oCEkTBj8VO/9DKg3PV3VCNMDIg=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@ -497,6 +506,7 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/xanzy/go-gitlab v0.32.1/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
@ -544,6 +554,8 @@ golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -558,6 +570,7 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181108082009-03003ca0c849/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -576,6 +589,7 @@ golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -618,6 +632,8 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -646,6 +662,7 @@ gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmK
 google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
--- a/internal/crypto/ssh/knownhosts/LICENSE
+++ b/internal/crypto/ssh/knownhosts/LICENSE
@ -1,27 +0,0 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/internal/crypto/ssh/knownhosts/knownhosts.go
+++ b/internal/crypto/ssh/knownhosts/knownhosts.go
@ -1,446 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Copyright 2020 The FluxCD contributors. All rights reserved.
 // This package provides an in-memory known hosts database
 // derived from the golang.org/x/crypto/ssh/knownhosts
 // package.
 // It has been slightly modified and adapted to work with
 // in-memory host keys not related to any known_hosts files
 // on disk, and the database can be initialized with just a
 // known_hosts byte blob.
 // https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts
 package knownhosts
 import (
 	"bufio"
 	"bytes"
 	"crypto/hmac"
 	"crypto/sha1"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"strings"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/knownhosts"
 )
 // See the sshd manpage
 // (http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT) for
 // background.
 type addr struct{ host, port string }
 func (a *addr) String() string {
 	h := a.host
 	if strings.Contains(h, ":") {
 		h = "[" + h + "]"
 	}
 	return h + ":" + a.port
 }
 type matcher interface {
 	match(addr) bool
 }
 type hostPattern struct {
 	negate bool
 	addr   addr
 }
 func (p *hostPattern) String() string {
 	n := ""
 	if p.negate {
 		n = "!"
 	}
 	return n + p.addr.String()
 }
 type hostPatterns []hostPattern
 func (ps hostPatterns) match(a addr) bool {
 	matched := false
 	for _, p := range ps {
 		if !p.match(a) {
 			continue
 		}
 		if p.negate {
 			return false
 		}
 		matched = true
 	}
 	return matched
 }
 // See
 // https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/addrmatch.c
 // The matching of * has no regard for separators, unlike filesystem globs
 func wildcardMatch(pat []byte, str []byte) bool {
 	for {
 		if len(pat) == 0 {
 			return len(str) == 0
 		}
 		if len(str) == 0 {
 			return false
 		}
 		if pat[0] == '*' {
 			if len(pat) == 1 {
 				return true
 			}
 			for j := range str {
 				if wildcardMatch(pat[1:], str[j:]) {
 					return true
 				}
 			}
 			return false
 		}
 		if pat[0] == '?' || pat[0] == str[0] {
 			pat = pat[1:]
 			str = str[1:]
 		} else {
 			return false
 		}
 	}
 }
 func (p *hostPattern) match(a addr) bool {
 	return wildcardMatch([]byte(p.addr.host), []byte(a.host)) && p.addr.port == a.port
 }
 type inMemoryHostKeyDB struct {
 	hostKeys []hostKey
 	revoked  map[string]*ssh.PublicKey
 }
 func newInMemoryHostKeyDB() *inMemoryHostKeyDB {
 	db := &inMemoryHostKeyDB{
 		revoked: make(map[string]*ssh.PublicKey),
 	}
 	return db
 }
 func keyEq(a, b ssh.PublicKey) bool {
 	return bytes.Equal(a.Marshal(), b.Marshal())
 }
 type hostKey struct {
 	matcher matcher
 	cert    bool
 	key     ssh.PublicKey
 }
 func (l *hostKey) match(a addr) bool {
 	return l.matcher.match(a)
 }
 // IsAuthorityForHost can be used as a callback in ssh.CertChecker
 func (db *inMemoryHostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool {
 	h, p, err := net.SplitHostPort(address)
 	if err != nil {
 		return false
 	}
 	a := addr{host: h, port: p}
 	for _, l := range db.hostKeys {
 		if l.cert && keyEq(l.key, remote) && l.match(a) {
 			return true
 		}
 	}
 	return false
 }
 // IsRevoked can be used as a callback in ssh.CertChecker
 func (db *inMemoryHostKeyDB) IsRevoked(key *ssh.Certificate) bool {
 	_, ok := db.revoked[string(key.Marshal())]
 	return ok
 }
 const markerCert = "@cert-authority"
 const markerRevoked = "@revoked"
 func nextWord(line []byte) (string, []byte) {
 	i := bytes.IndexAny(line, "\t ")
 	if i == -1 {
 		return string(line), nil
 	}
 	return string(line[:i]), bytes.TrimSpace(line[i:])
 }
 func parseLine(line []byte) (marker, host string, key ssh.PublicKey, err error) {
 	if w, next := nextWord(line); w == markerCert || w == markerRevoked {
 		marker = w
 		line = next
 	}
 	host, line = nextWord(line)
 	if len(line) == 0 {
 		return "", "", nil, errors.New("knownhosts: missing host pattern")
 	}
 	// ignore the keytype as it's in the key blob anyway.
 	_, line = nextWord(line)
 	if len(line) == 0 {
 		return "", "", nil, errors.New("knownhosts: missing key type pattern")
 	}
 	keyBlob, _ := nextWord(line)
 	keyBytes, err := base64.StdEncoding.DecodeString(keyBlob)
 	if err != nil {
 		return "", "", nil, err
 	}
 	key, err = ssh.ParsePublicKey(keyBytes)
 	if err != nil {
 		return "", "", nil, err
 	}
 	return marker, host, key, nil
 }
 func (db *inMemoryHostKeyDB) parseLine(line []byte) error {
 	marker, pattern, key, err := parseLine(line)
 	if err != nil {
 		return err
 	}
 	if marker == markerRevoked {
 		db.revoked[string(key.Marshal())] = &key
 		return nil
 	}
 	entry := hostKey{
 		key:  key,
 		cert: marker == markerCert,
 	}
 	if pattern[0] == '|' {
 		entry.matcher, err = newHashedHost(pattern)
 	} else {
 		entry.matcher, err = newHostnameMatcher(pattern)
 	}
 	if err != nil {
 		return err
 	}
 	db.hostKeys = append(db.hostKeys, entry)
 	return nil
 }
 func newHostnameMatcher(pattern string) (matcher, error) {
 	var hps hostPatterns
 	for _, p := range strings.Split(pattern, ",") {
 		if len(p) == 0 {
 			continue
 		}
 		var a addr
 		var negate bool
 		if p[0] == '!' {
 			negate = true
 			p = p[1:]
 		}
 		if len(p) == 0 {
 			return nil, errors.New("knownhosts: negation without following hostname")
 		}
 		var err error
 		if p[0] == '[' {
 			a.host, a.port, err = net.SplitHostPort(p)
 			if err != nil {
 				return nil, err
 			}
 		} else {
 			a.host, a.port, err = net.SplitHostPort(p)
 			if err != nil {
 				a.host = p
 				a.port = "22"
 			}
 		}
 		hps = append(hps, hostPattern{
 			negate: negate,
 			addr:   a,
 		})
 	}
 	return hps, nil
 }
 // check checks a key against the host database. This should not be
 // used for verifying certificates.
 func (db *inMemoryHostKeyDB) check(address string, remote net.Addr, remoteKey ssh.PublicKey) error {
 	if revoked := db.revoked[string(remoteKey.Marshal())]; revoked != nil {
 		return &knownhosts.RevokedError{Revoked: knownhosts.KnownKey{Key: *revoked}}
 	}
 	host, port, err := net.SplitHostPort(remote.String())
 	if err != nil {
 		return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", remote, err)
 	}
 	hostToCheck := addr{host, port}
 	if address != "" {
 		// Give preference to the hostname if available.
 		host, port, err := net.SplitHostPort(address)
 		if err != nil {
 			return fmt.Errorf("knownhosts: SplitHostPort(%s): %v", address, err)
 		}
 		hostToCheck = addr{host, port}
 	}
 	return db.checkAddr(hostToCheck, remoteKey)
 }
 // checkAddr checks if we can find the given public key for the
 // given address.  If we only find an entry for the IP address,
 // or only the hostname, then this still succeeds.
 func (db *inMemoryHostKeyDB) checkAddr(a addr, remoteKey ssh.PublicKey) error {
 	// TODO(hanwen): are these the right semantics? What if there
 	// is just a key for the IP address, but not for the
 	// hostname?
 	// Algorithm => key.
 	knownKeys := map[string]ssh.PublicKey{}
 	for _, l := range db.hostKeys {
 		if l.match(a) {
 			typ := l.key.Type()
 			if _, ok := knownKeys[typ]; !ok {
 				knownKeys[typ] = l.key
 			}
 		}
 	}
 	keyErr := &knownhosts.KeyError{}
 	for _, v := range knownKeys {
 		keyErr.Want = append(keyErr.Want, knownhosts.KnownKey{Key: v})
 	}
 	// Unknown remote host.
 	if len(knownKeys) == 0 {
 		return keyErr
 	}
 	// If the remote host starts using a different, unknown key type, we
 	// also interpret that as a mismatch.
 	if known, ok := knownKeys[remoteKey.Type()]; !ok || !keyEq(known, remoteKey) {
 		return keyErr
 	}
 	return nil
 }
 // The Read function parses file contents.
 func (db *inMemoryHostKeyDB) Read(r io.Reader) error {
 	scanner := bufio.NewScanner(r)
 	lineNum := 0
 	for scanner.Scan() {
 		lineNum++
 		line := scanner.Bytes()
 		line = bytes.TrimSpace(line)
 		if len(line) == 0 || line[0] == '#' {
 			continue
 		}
 		if err := db.parseLine(line); err != nil {
 			return fmt.Errorf("knownhosts: %v", err)
 		}
 	}
 	return scanner.Err()
 }
 // New creates a host key callback from the given OpenSSH host key
 // file bytes. The returned callback is for use in
 // ssh.ClientConfig.HostKeyCallback. By preference, the key check
 // operates on the hostname if available, i.e. if a server changes its
 // IP address, the host key check will still succeed, even though a
 // record of the new IP address is not available.
 func New(b []byte) (ssh.HostKeyCallback, error) {
 	db := newInMemoryHostKeyDB()
 	r := bytes.NewReader(b)
 	if err := db.Read(r); err != nil {
 		return nil, err
 	}
 	var certChecker ssh.CertChecker
 	certChecker.IsHostAuthority = db.IsHostAuthority
 	certChecker.IsRevoked = db.IsRevoked
 	certChecker.HostKeyFallback = db.check
 	return certChecker.CheckHostKey, nil
 }
 func decodeHash(encoded string) (hashType string, salt, hash []byte, err error) {
 	if len(encoded) == 0 || encoded[0] != '|' {
 		err = errors.New("knownhosts: hashed host must start with '|'")
 		return
 	}
 	components := strings.Split(encoded, "|")
 	if len(components) != 4 {
 		err = fmt.Errorf("knownhosts: got %d components, want 3", len(components))
 		return
 	}
 	hashType = components[1]
 	if salt, err = base64.StdEncoding.DecodeString(components[2]); err != nil {
 		return
 	}
 	if hash, err = base64.StdEncoding.DecodeString(components[3]); err != nil {
 		return
 	}
 	return
 }
 func encodeHash(typ string, salt []byte, hash []byte) string {
 	return strings.Join([]string{"",
 		typ,
 		base64.StdEncoding.EncodeToString(salt),
 		base64.StdEncoding.EncodeToString(hash),
 	}, "|")
 }
 // See https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
 func hashHost(hostname string, salt []byte) []byte {
 	mac := hmac.New(sha1.New, salt)
 	mac.Write([]byte(hostname))
 	return mac.Sum(nil)
 }
 type hashedHost struct {
 	salt []byte
 	hash []byte
 }
 const sha1HashType = "1"
 func newHashedHost(encoded string) (*hashedHost, error) {
 	typ, salt, hash, err := decodeHash(encoded)
 	if err != nil {
 		return nil, err
 	}
 	// The type field seems for future algorithm agility, but it's
 	// actually hardcoded in openssh currently, see
 	// https://android.googlesource.com/platform/external/openssh/+/ab28f5495c85297e7a597c1ba62e996416da7c7e/hostfile.c#120
 	if typ != sha1HashType {
 		return nil, fmt.Errorf("knownhosts: got hash type %s, must be '1'", typ)
 	}
 	return &hashedHost{salt: salt, hash: hash}, nil
 }
 func (h *hashedHost) match(a addr) bool {
 	return bytes.Equal(hashHost(knownhosts.Normalize(a.String()), h.salt), h.hash)
 }
--- a/internal/crypto/ssh/knownhosts/knownhosts_test.go
+++ b/internal/crypto/ssh/knownhosts/knownhosts_test.go
@ -1,327 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Copyright 2020 The FluxCD contributors. All rights reserved.
 // This package provides an in-memory known hosts database
 // derived from the golang.org/x/crypto/ssh/knownhosts
 // package.
 // It has been slightly modified and adapted to work with
 // in-memory host keys not related to any known_hosts files
 // on disk, and the database can be initialized with just a
 // known_hosts byte blob.
 // https://pkg.go.dev/golang.org/x/crypto/ssh/knownhosts
 package knownhosts
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"reflect"
 	"testing"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/knownhosts"
 )
 const edKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBAarftlLeoyf+v+nVchEZII/vna2PCV8FaX4vsF5BX"
 const alternateEdKeyStr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIXffBYeYL+WVzVru8npl5JHt2cjlr4ornFTWzoij9sx"
 const ecKeyStr = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLCu01+wpXe3xB5olXCN4SqU2rQu0qjSRKJO4Bg+JRCPU+ENcgdA5srTU8xYDz/GEa4dzK5ldPw4J/gZgSXCMs="
 var ecKey, alternateEdKey, edKey ssh.PublicKey
 var testAddr = &net.TCPAddr{
 	IP:   net.IP{198, 41, 30, 196},
 	Port: 22,
 }
 var testAddr6 = &net.TCPAddr{
 	IP: net.IP{198, 41, 30, 196,
 		1, 2, 3, 4,
 		1, 2, 3, 4,
 		1, 2, 3, 4,
 	},
 	Port: 22,
 }
 func init() {
 	var err error
 	ecKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(ecKeyStr))
 	if err != nil {
 		panic(err)
 	}
 	edKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(edKeyStr))
 	if err != nil {
 		panic(err)
 	}
 	alternateEdKey, _, _, _, err = ssh.ParseAuthorizedKey([]byte(alternateEdKeyStr))
 	if err != nil {
 		panic(err)
 	}
 }
 func testDB(t *testing.T, s string) *inMemoryHostKeyDB {
 	db := newInMemoryHostKeyDB()
 	if err := db.Read(bytes.NewBufferString(s)); err != nil {
 		t.Fatalf("Read: %v", err)
 	}
 	return db
 }
 func TestRevoked(t *testing.T) {
 	db := testDB(t, "\n\n@revoked * "+edKeyStr+"\n")
 	want := &knownhosts.RevokedError{
 		Revoked: knownhosts.KnownKey{
 			Key: edKey,
 		},
 	}
 	if err := db.check("", &net.TCPAddr{
 		Port: 42,
 	}, edKey); err == nil {
 		t.Fatal("no error for revoked key")
 	} else if !reflect.DeepEqual(want, err) {
 		t.Fatalf("got %#v, want %#v", want, err)
 	}
 }
 func TestHostAuthority(t *testing.T) {
 	for _, m := range []struct {
 		authorityFor string
 		address      string
 		good bool
 	}{
 		{authorityFor: "localhost", address: "localhost:22", good: true},
 		{authorityFor: "localhost", address: "localhost", good: false},
 		{authorityFor: "localhost", address: "localhost:1234", good: false},
 		{authorityFor: "[localhost]:1234", address: "localhost:1234", good: true},
 		{authorityFor: "[localhost]:1234", address: "localhost:22", good: false},
 		{authorityFor: "[localhost]:1234", address: "localhost", good: false},
 	} {
 		db := testDB(t, `@cert-authority `+m.authorityFor+` `+edKeyStr)
 		if ok := db.IsHostAuthority(db.hostKeys[0].key, m.address); ok != m.good {
 			t.Errorf("IsHostAuthority: authority %s, address %s, wanted good = %v, got good = %v",
 				m.authorityFor, m.address, m.good, ok)
 		}
 	}
 }
 func TestBracket(t *testing.T) {
 	db := testDB(t, `[git.eclipse.org]:29418,[198.41.30.196]:29418 `+edKeyStr)
 	if err := db.check("git.eclipse.org:29418", &net.TCPAddr{
 		IP:   net.IP{198, 41, 30, 196},
 		Port: 29418,
 	}, edKey); err != nil {
 		t.Errorf("got error %v, want none", err)
 	}
 	if err := db.check("git.eclipse.org:29419", &net.TCPAddr{
 		Port: 42,
 	}, edKey); err == nil {
 		t.Fatalf("no error for unknown address")
 	} else if ke, ok := err.(*knownhosts.KeyError); !ok {
 		t.Fatalf("got type %T, want *KeyError", err)
 	} else if len(ke.Want) > 0 {
 		t.Fatalf("got Want %v, want []", ke.Want)
 	}
 }
 func TestNewKeyType(t *testing.T) {
 	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
 	db := testDB(t, str)
 	if err := db.check("", testAddr, ecKey); err == nil {
 		t.Fatalf("no error for unknown address")
 	} else if ke, ok := err.(*knownhosts.KeyError); !ok {
 		t.Fatalf("got type %T, want *KeyError", err)
 	} else if len(ke.Want) == 0 {
 		t.Fatalf("got empty KeyError.Want")
 	}
 }
 func TestSameKeyType(t *testing.T) {
 	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
 	db := testDB(t, str)
 	if err := db.check("", testAddr, alternateEdKey); err == nil {
 		t.Fatalf("no error for unknown address")
 	} else if ke, ok := err.(*knownhosts.KeyError); !ok {
 		t.Fatalf("got type %T, want *KeyError", err)
 	} else if len(ke.Want) == 0 {
 		t.Fatalf("got empty KeyError.Want")
 	} else if got, want := ke.Want[0].Key.Marshal(), edKey.Marshal(); !bytes.Equal(got, want) {
 		t.Fatalf("got key %q, want %q", got, want)
 	}
 }
 func TestIPAddress(t *testing.T) {
 	str := fmt.Sprintf("%s %s", testAddr, edKeyStr)
 	db := testDB(t, str)
 	if err := db.check("", testAddr, edKey); err != nil {
 		t.Errorf("got error %q, want none", err)
 	}
 }
 func TestIPv6Address(t *testing.T) {
 	str := fmt.Sprintf("%s %s", testAddr6, edKeyStr)
 	db := testDB(t, str)
 	if err := db.check("", testAddr6, edKey); err != nil {
 		t.Errorf("got error %q, want none", err)
 	}
 }
 func TestBasic(t *testing.T) {
 	str := fmt.Sprintf("#comment\n\nserver.org,%s %s\notherhost %s", testAddr, edKeyStr, ecKeyStr)
 	db := testDB(t, str)
 	if err := db.check("server.org:22", testAddr, edKey); err != nil {
 		t.Errorf("got error %v, want none", err)
 	}
 	want := knownhosts.KnownKey{
 		Key: edKey,
 	}
 	if err := db.check("server.org:22", testAddr, ecKey); err == nil {
 		t.Errorf("succeeded, want KeyError")
 	} else if ke, ok := err.(*knownhosts.KeyError); !ok {
 		t.Errorf("got %T, want *KeyError", err)
 	} else if len(ke.Want) != 1 {
 		t.Errorf("got %v, want 1 entry", ke)
 	} else if !reflect.DeepEqual(ke.Want[0], want) {
 		t.Errorf("got %v, want %v", ke.Want[0], want)
 	}
 }
 func TestHostNamePrecedence(t *testing.T) {
 	var evilAddr = &net.TCPAddr{
 		IP:   net.IP{66, 66, 66, 66},
 		Port: 22,
 	}
 	str := fmt.Sprintf("server.org,%s %s\nevil.org,%s %s", testAddr, edKeyStr, evilAddr, ecKeyStr)
 	db := testDB(t, str)
 	if err := db.check("server.org:22", evilAddr, ecKey); err == nil {
 		t.Errorf("check succeeded")
 	} else if _, ok := err.(*knownhosts.KeyError); !ok {
 		t.Errorf("got %T, want *KeyError", err)
 	}
 }
 func TestDBOrderingPrecedenceKeyType(t *testing.T) {
 	str := fmt.Sprintf("server.org,%s %s\nserver.org,%s %s", testAddr, edKeyStr, testAddr, alternateEdKeyStr)
 	db := testDB(t, str)
 	if err := db.check("server.org:22", testAddr, alternateEdKey); err == nil {
 		t.Errorf("check succeeded")
 	} else if _, ok := err.(*knownhosts.KeyError); !ok {
 		t.Errorf("got %T, want *KeyError", err)
 	}
 }
 func TestNegate(t *testing.T) {
 	str := fmt.Sprintf("%s,!server.org %s", testAddr, edKeyStr)
 	db := testDB(t, str)
 	if err := db.check("server.org:22", testAddr, ecKey); err == nil {
 		t.Errorf("succeeded")
 	} else if ke, ok := err.(*knownhosts.KeyError); !ok {
 		t.Errorf("got error type %T, want *KeyError", err)
 	} else if len(ke.Want) != 0 {
 		t.Errorf("got expected keys %d (first of type %s), want []", len(ke.Want), ke.Want[0].Key.Type())
 	}
 }
 func TestWildcard(t *testing.T) {
 	str := fmt.Sprintf("server*.domain %s", edKeyStr)
 	db := testDB(t, str)
 	want := &knownhosts.KeyError{
 		Want: []knownhosts.KnownKey{{
 			Key: edKey,
 		}},
 	}
 	got := db.check("server.domain:22", &net.TCPAddr{}, ecKey)
 	if !reflect.DeepEqual(got, want) {
 		t.Errorf("got %s, want %s", got, want)
 	}
 }
 func TestWildcardMatch(t *testing.T) {
 	for _, c := range []struct {
 		pat, str string
 		want     bool
 	}{
 		{"a?b", "abb", true},
 		{"ab", "abc", false},
 		{"abc", "ab", false},
 		{"a*b", "axxxb", true},
 		{"a*b", "axbxb", true},
 		{"a*b", "axbxbc", false},
 		{"a*?", "axbxc", true},
 		{"a*b*", "axxbxxxxxx", true},
 		{"a*b*c", "axxbxxxxxxc", true},
 		{"a*b*?", "axxbxxxxxxc", true},
 		{"a*b*z", "axxbxxbxxxz", true},
 		{"a*b*z", "axxbxxzxxxz", true},
 		{"a*b*z", "axxbxxzxxx", false},
 	} {
 		got := wildcardMatch([]byte(c.pat), []byte(c.str))
 		if got != c.want {
 			t.Errorf("wildcardMatch(%q, %q) = %v, want %v", c.pat, c.str, got, c.want)
 		}
 	}
 }
 // TODO(hanwen): test coverage for certificates.
 const testHostname = "hostname"
 // generated with keygen -H -f
 const encodedTestHostnameHash = "|1|IHXZvQMvTcZTUU29+2vXFgx8Frs=|UGccIWfRVDwilMBnA3WJoRAC75Y="
 func TestHostHash(t *testing.T) {
 	testHostHash(t, testHostname, encodedTestHostnameHash)
 }
 func TestHashList(t *testing.T) {
 	encoded := knownhosts.HashHostname(testHostname)
 	testHostHash(t, testHostname, encoded)
 }
 func testHostHash(t *testing.T, hostname, encoded string) {
 	typ, salt, hash, err := decodeHash(encoded)
 	if err != nil {
 		t.Fatalf("decodeHash: %v", err)
 	}
 	if got := encodeHash(typ, salt, hash); got != encoded {
 		t.Errorf("got encoding %s want %s", got, encoded)
 	}
 	if typ != sha1HashType {
 		t.Fatalf("got hash type %q, want %q", typ, sha1HashType)
 	}
 	got := hashHost(hostname, salt)
 	if !bytes.Equal(got, hash) {
 		t.Errorf("got hash %x want %x", got, hash)
 	}
 }
 func TestHashedHostkeyCheck(t *testing.T) {
 	str := fmt.Sprintf("%s %s", knownhosts.HashHostname(testHostname), edKeyStr)
 	db := testDB(t, str)
 	if err := db.check(testHostname+":22", testAddr, edKey); err != nil {
 		t.Errorf("check(%s): %v", testHostname, err)
 	}
 	want := &knownhosts.KeyError{
 		Want: []knownhosts.KnownKey{{
 			Key: edKey,
 		}},
 	}
 	if got := db.check(testHostname+":22", testAddr, alternateEdKey); !reflect.DeepEqual(got, want) {
 		t.Errorf("got error %v, want %v", got, want)
 	}
 }
--- a/internal/git/transport.go
+++ b/internal/git/transport.go
@ -25,7 +25,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/ssh"
 	corev1 "k8s.io/api/core/v1"
-	"github.com/fluxcd/source-controller/internal/crypto/ssh/knownhosts"
+	"github.com/fluxcd/pkg/ssh/knownhosts"
 )
 func AuthSecretStrategyForURL(url string) AuthSecretStrategy {
--- a/internal/lockedfile/LICENSE
+++ b/internal/lockedfile/LICENSE
@ -1,27 +0,0 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/internal/lockedfile/internal/filelock/filelock.go
+++ b/internal/lockedfile/internal/filelock/filelock.go
@ -1,98 +0,0 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package filelock provides a platform-independent API for advisory file
 // locking. Calls to functions in this package on platforms that do not support
 // advisory locks will return errors for which IsNotSupported returns true.
 package filelock
 import (
 	"errors"
 	"os"
 )
 // A File provides the minimal set of methods required to lock an open file.
 // File implementations must be usable as map keys.
 // The usual implementation is *os.File.
 type File interface {
 	// Name returns the name of the file.
 	Name() string
 	// Fd returns a valid file descriptor.
 	// (If the File is an *os.File, it must not be closed.)
 	Fd() uintptr
 	// Stat returns the FileInfo structure describing file.
 	Stat() (os.FileInfo, error)
 }
 // Lock places an advisory write lock on the file, blocking until it can be
 // locked.
 //
 // If Lock returns nil, no other process will be able to place a read or write
 // lock on the file until this process exits, closes f, or calls Unlock on it.
 //
 // If f's descriptor is already read- or write-locked, the behavior of Lock is
 // unspecified.
 //
 // Closing the file may or may not release the lock promptly. Callers should
 // ensure that Unlock is always called when Lock succeeds.
 func Lock(f File) error {
 	return lock(f, writeLock)
 }
 // RLock places an advisory read lock on the file, blocking until it can be locked.
 //
 // If RLock returns nil, no other process will be able to place a write lock on
 // the file until this process exits, closes f, or calls Unlock on it.
 //
 // If f is already read- or write-locked, the behavior of RLock is unspecified.
 //
 // Closing the file may or may not release the lock promptly. Callers should
 // ensure that Unlock is always called if RLock succeeds.
 func RLock(f File) error {
 	return lock(f, readLock)
 }
 // Unlock removes an advisory lock placed on f by this process.
 //
 // The caller must not attempt to unlock a file that is not locked.
 func Unlock(f File) error {
 	return unlock(f)
 }
 // String returns the name of the function corresponding to lt
 // (Lock, RLock, or Unlock).
 func (lt lockType) String() string {
 	switch lt {
 	case readLock:
 		return "RLock"
 	case writeLock:
 		return "Lock"
 	default:
 		return "Unlock"
 	}
 }
 // IsNotSupported returns a boolean indicating whether the error is known to
 // report that a function is not supported (possibly for a specific input).
 // It is satisfied by ErrNotSupported as well as some syscall errors.
 func IsNotSupported(err error) bool {
 	return isNotSupported(underlyingError(err))
 }
 var ErrNotSupported = errors.New("operation not supported")
 // underlyingError returns the underlying error for known os error types.
 func underlyingError(err error) error {
 	switch err := err.(type) {
 	case *os.PathError:
 		return err.Err
 	case *os.LinkError:
 		return err.Err
 	case *os.SyscallError:
 		return err.Err
 	}
 	return err
 }
--- a/internal/lockedfile/internal/filelock/filelock_unix.go
+++ b/internal/lockedfile/internal/filelock/filelock_unix.go
@ -1,44 +0,0 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build darwin dragonfly freebsd linux netbsd openbsd
 package filelock
 import (
 	"os"
 	"syscall"
 )
 type lockType int16
 const (
 	readLock  lockType = syscall.LOCK_SH
 	writeLock lockType = syscall.LOCK_EX
 )
 func lock(f File, lt lockType) (err error) {
 	for {
 		err = syscall.Flock(int(f.Fd()), int(lt))
 		if err != syscall.EINTR {
 			break
 		}
 	}
 	if err != nil {
 		return &os.PathError{
 			Op:   lt.String(),
 			Path: f.Name(),
 			Err:  err,
 		}
 	}
 	return nil
 }
 func unlock(f File) error {
 	return lock(f, syscall.LOCK_UN)
 }
 func isNotSupported(err error) bool {
 	return err == syscall.ENOSYS || err == syscall.ENOTSUP || err == syscall.EOPNOTSUPP || err == ErrNotSupported
 }
--- a/internal/lockedfile/lockedfile.go
+++ b/internal/lockedfile/lockedfile.go
@ -1,187 +0,0 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package lockedfile creates and manipulates files whose contents should only
 // change atomically.
 package lockedfile
 import (
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"runtime"
 )
 // A File is a locked *os.File.
 //
 // Closing the file releases the lock.
 //
 // If the program exits while a file is locked, the operating system releases
 // the lock but may not do so promptly: callers must ensure that all locked
 // files are closed before exiting.
 type File struct {
 	osFile
 	closed bool
 }
 // osFile embeds a *os.File while keeping the pointer itself unexported.
 // (When we close a File, it must be the same file descriptor that we opened!)
 type osFile struct {
 	*os.File
 }
 // OpenFile is like os.OpenFile, but returns a locked file.
 // If flag includes os.O_WRONLY or os.O_RDWR, the file is write-locked;
 // otherwise, it is read-locked.
 func OpenFile(name string, flag int, perm os.FileMode) (*File, error) {
 	var (
 		f   = new(File)
 		err error
 	)
 	f.osFile.File, err = openFile(name, flag, perm)
 	if err != nil {
 		return nil, err
 	}
 	// Although the operating system will drop locks for open files when the go
 	// command exits, we want to hold locks for as little time as possible, and we
 	// especially don't want to leave a file locked after we're done with it. Our
 	// Close method is what releases the locks, so use a finalizer to report
 	// missing Close calls on a best-effort basis.
 	runtime.SetFinalizer(f, func(f *File) {
 		panic(fmt.Sprintf("lockedfile.File %s became unreachable without a call to Close", f.Name()))
 	})
 	return f, nil
 }
 // Open is like os.Open, but returns a read-locked file.
 func Open(name string) (*File, error) {
 	return OpenFile(name, os.O_RDONLY, 0)
 }
 // Create is like os.Create, but returns a write-locked file.
 func Create(name string) (*File, error) {
 	return OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
 }
 // Edit creates the named file with mode 0666 (before umask),
 // but does not truncate existing contents.
 //
 // If Edit succeeds, methods on the returned File can be used for I/O.
 // The associated file descriptor has mode O_RDWR and the file is write-locked.
 func Edit(name string) (*File, error) {
 	return OpenFile(name, os.O_RDWR|os.O_CREATE, 0666)
 }
 // Close unlocks and closes the underlying file.
 //
 // Close may be called multiple times; all calls after the first will return a
 // non-nil error.
 func (f *File) Close() error {
 	if f.closed {
 		return &os.PathError{
 			Op:   "close",
 			Path: f.Name(),
 			Err:  os.ErrClosed,
 		}
 	}
 	f.closed = true
 	err := closeFile(f.osFile.File)
 	runtime.SetFinalizer(f, nil)
 	return err
 }
 // Read opens the named file with a read-lock and returns its contents.
 func Read(name string) ([]byte, error) {
 	f, err := Open(name)
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 	return ioutil.ReadAll(f)
 }
 // Write opens the named file (creating it with the given permissions if needed),
 // then write-locks it and overwrites it with the given content.
 func Write(name string, content io.Reader, perm os.FileMode) (err error) {
 	f, err := OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(f, content)
 	if closeErr := f.Close(); err == nil {
 		err = closeErr
 	}
 	return err
 }
 // Transform invokes t with the result of reading the named file, with its lock
 // still held.
 //
 // If t returns a nil error, Transform then writes the returned contents back to
 // the file, making a best effort to preserve existing contents on error.
 //
 // t must not modify the slice passed to it.
 func Transform(name string, t func([]byte) ([]byte, error)) (err error) {
 	f, err := Edit(name)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	old, err := ioutil.ReadAll(f)
 	if err != nil {
 		return err
 	}
 	new, err := t(old)
 	if err != nil {
 		return err
 	}
 	if len(new) > len(old) {
 		// The overall file size is increasing, so write the tail first: if we're
 		// about to run out of space on the disk, we would rather detect that
 		// failure before we have overwritten the original contents.
 		if _, err := f.WriteAt(new[len(old):], int64(len(old))); err != nil {
 			// Make a best effort to remove the incomplete tail.
 			f.Truncate(int64(len(old)))
 			return err
 		}
 	}
 	// We're about to overwrite the old contents. In case of failure, make a best
 	// effort to roll back before we close the file.
 	defer func() {
 		if err != nil {
 			if _, err := f.WriteAt(old, 0); err == nil {
 				f.Truncate(int64(len(old)))
 			}
 		}
 	}()
 	if len(new) >= len(old) {
 		if _, err := f.WriteAt(new[:len(old)], 0); err != nil {
 			return err
 		}
 	} else {
 		if _, err := f.WriteAt(new, 0); err != nil {
 			return err
 		}
 		// The overall file size is decreasing, so shrink the file to its final size
 		// after writing. We do this after writing (instead of before) so that if
 		// the write fails, enough filesystem space will likely still be reserved
 		// to contain the previous contents.
 		if err := f.Truncate(int64(len(new))); err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/internal/lockedfile/lockedfile_filelock.go
+++ b/internal/lockedfile/lockedfile_filelock.go
@ -1,64 +0,0 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // +build !plan9
 package lockedfile
 import (
 	"os"
 	"github.com/fluxcd/source-controller/internal/lockedfile/internal/filelock"
 )
 func openFile(name string, flag int, perm os.FileMode) (*os.File, error) {
 	// On BSD systems, we could add the O_SHLOCK or O_EXLOCK flag to the OpenFile
 	// call instead of locking separately, but we have to support separate locking
 	// calls for Linux and Windows anyway, so it's simpler to use that approach
 	// consistently.
 	f, err := os.OpenFile(name, flag&^os.O_TRUNC, perm)
 	if err != nil {
 		return nil, err
 	}
 	switch flag & (os.O_RDONLY | os.O_WRONLY | os.O_RDWR) {
 	case os.O_WRONLY, os.O_RDWR:
 		err = filelock.Lock(f)
 	default:
 		err = filelock.RLock(f)
 	}
 	if err != nil {
 		f.Close()
 		return nil, err
 	}
 	if flag&os.O_TRUNC == os.O_TRUNC {
 		if err := f.Truncate(0); err != nil {
 			// The documentation for os.O_TRUNC says “if possible, truncate file when
 			// opened”, but doesn't define “possible” (golang.org/issue/28699).
 			// We'll treat regular files (and symlinks to regular files) as “possible”
 			// and ignore errors for the rest.
 			if fi, statErr := f.Stat(); statErr != nil || fi.Mode().IsRegular() {
 				filelock.Unlock(f)
 				f.Close()
 				return nil, err
 			}
 		}
 	}
 	return f, nil
 }
 func closeFile(f *os.File) error {
 	// Since locking syscalls operate on file descriptors, we must unlock the file
 	// while the descriptor is still valid — that is, before the file is closed —
 	// and avoid unlocking files that are already closed.
 	err := filelock.Unlock(f)
 	if closeErr := f.Close(); err == nil {
 		err = closeErr
 	}
 	return err
 }
--- a/internal/lockedfile/mutex.go
+++ b/internal/lockedfile/mutex.go
@ -1,67 +0,0 @@
 // Copyright 2018 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package lockedfile
 import (
 	"fmt"
 	"os"
 	"sync"
 )
 // A Mutex provides mutual exclusion within and across processes by locking a
 // well-known file. Such a file generally guards some other part of the
 // filesystem: for example, a Mutex file in a directory might guard access to
 // the entire tree rooted in that directory.
 //
 // Mutex does not implement sync.Locker: unlike a sync.Mutex, a lockedfile.Mutex
 // can fail to lock (e.g. if there is a permission error in the filesystem).
 //
 // Like a sync.Mutex, a Mutex may be included as a field of a larger struct but
 // must not be copied after first use. The Path field must be set before first
 // use and must not be change thereafter.
 type Mutex struct {
 	Path string     // The path to the well-known lock file. Must be non-empty.
 	mu   sync.Mutex // A redundant mutex. The race detector doesn't know about file locking, so in tests we may need to lock something that it understands.
 }
 // MutexAt returns a new Mutex with Path set to the given non-empty path.
 func MutexAt(path string) *Mutex {
 	if path == "" {
 		panic("lockedfile.MutexAt: path must be non-empty")
 	}
 	return &Mutex{Path: path}
 }
 func (mu *Mutex) String() string {
 	return fmt.Sprintf("lockedfile.Mutex(%s)", mu.Path)
 }
 // Lock attempts to lock the Mutex.
 //
 // If successful, Lock returns a non-nil unlock function: it is provided as a
 // return-value instead of a separate method to remind the caller to check the
 // accompanying error. (See https://golang.org/issue/20803.)
 func (mu *Mutex) Lock() (unlock func(), err error) {
 	if mu.Path == "" {
 		panic("lockedfile.Mutex: missing Path during Lock")
 	}
 	// We could use either O_RDWR or O_WRONLY here. If we choose O_RDWR and the
 	// file at mu.Path is write-only, the call to OpenFile will fail with a
 	// permission error. That's actually what we want: if we add an RLock method
 	// in the future, it should call OpenFile with O_RDONLY and will require the
 	// files must be readable, so we should not let the caller make any
 	// assumptions about Mutex working with write-only files.
 	f, err := OpenFile(mu.Path, os.O_RDWR|os.O_CREATE, 0666)
 	if err != nil {
 		return nil, err
 	}
 	mu.mu.Lock()
 	return func() {
 		mu.mu.Unlock()
 		f.Close()
 	}, nil
 }