Merge pull request #1808 from TerryHowe/harden-blob-test

fix: blob test cores if no error

.github/dependabot.yaml

@@ -0,0 +1,40 @@
+version: 2
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    labels: ["dependencies"]
+    schedule:
+      interval: "monthly"
+    groups:
+      go-deps:
+        patterns:
+          - "*"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      # Cloud SDK are updated manually
+      - dependency-name: "cloud.google.com/*"
+      - dependency-name: "github.com/Azure/azure-sdk-for-go/*"
+      # Kubernetes deps are updated by fluxcd/pkg/runtime
+      - dependency-name: "k8s.io/*"
+      - dependency-name: "sigs.k8s.io/*"
+      - dependency-name: "github.com/go-logr/*"
+      # OCI deps are updated by fluxcd/pkg/oci
+      - dependency-name: "github.com/docker/*"
+      - dependency-name: "github.com/distribution/*"
+      - dependency-name: "github.com/google/go-containerregistry*"
+      - dependency-name: "github.com/opencontainers/*"
+      # Helm deps are updated by fluxcd/pkg/helmtestserver
+      - dependency-name: "helm.sh/helm/*"
+      # Flux APIs are updated at release time
+      - dependency-name: "github.com/fluxcd/source-controller/api"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"

.github/labels.yaml

@@ -0,0 +1,39 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/bucket
+  description: Bucket related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git related issues and pull requests
+  color: '#863faf'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/storage
+  description: Storage related issues and pull requests
+  color: '#4b0082'
+- name: backport:release/v1.0.x
+  description: To be backported to release/v1.0.x
+  color: '#ffd700'
+- name: backport:release/v1.1.x
+  description: To be backported to release/v1.1.x
+  color: '#ffd700'
+- name: backport:release/v1.2.x
+  description: To be backported to release/v1.2.x
+  color: '#ffd700'
+- name: backport:release/v1.3.x
+  description: To be backported to release/v1.3.x
+  color: '#ffd700'
+- name: backport:release/v1.4.x
+  description: To be backported to release/v1.4.x
+  color: '#ffd700'
+- name: backport:release/v1.5.x
+  description: To be backported to release/v1.5.x
+  color: '#ffd700'
+- name: backport:release/v1.6.x
+  description: To be backported to release/v1.6.x
+  color: '#ffd700'

.github/workflows/backport.yaml

@@ -0,0 +1,34 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/cifuzz.yaml

@@ -1,8 +1,9 @@
-name: CIFuzz
+name: fuzz
 on:
   pull_request:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
     paths-ignore:
       - 'CHANGELOG.md'
       - 'README.md'
@@ -10,28 +11,21 @@ on:
 
 permissions:
   contents: read
-  
+
 jobs:
-  Fuzzing:
+  smoketest:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-    - name: Setup Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19.x
-    - id: go-env
-      run: |
-        echo "::set-output name=go-mod-cache::$(go env GOMODCACHE)"
-    - name: Restore Go cache
-      uses: actions/cache@v3
-      with:
-        path: ${{ steps.go-env.outputs.go-mod-cache }}
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go
-    - name: Smoke test Fuzzers
-      run: make fuzz-smoketest
-      env:
-        SKIP_COSIGN_VERIFICATION: true
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Smoke test Fuzzers
+        run: make fuzz-smoketest
+        env:
+          SKIP_COSIGN_VERIFICATION: true

.github/workflows/e2e.yaml

@@ -1,14 +1,15 @@
 name: e2e
 
 on:
+  workflow_dispatch:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -19,28 +20,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: /home/runner/work/_temp/_github_home/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Enable integration tests
-        # Only run integration tests for main branch
-        if: github.ref == 'refs/heads/main'
+        # Only run integration tests for main and release branches
+        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
         run: |
           echo 'GO_TAGS=integration' >> $GITHUB_ENV
       - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          cluster_name: kind
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Setup Helm
@@ -50,42 +46,8 @@ jobs:
           SKIP_COSIGN_VERIFICATION: true
           CREATE_CLUSTER: false
         run: make e2e
-
-  kind-linux-arm64:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19.x
-      - name: Enable integration tests
-        # Only run integration tests for main branch
-        if: github.ref == 'refs/heads/main'
-        run: |
-          echo 'GO_TAGS=integration' >> $GITHUB_ENV
-      - name: Prepare
-        id: prep
-        run: |
-          echo ::set-output name=CLUSTER::arm64-${GITHUB_SHA:0:7}-$(date +%s)
-          echo ::set-output name=CONTEXT::kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)
-      - name: Setup Kubernetes Kind
-        run: |
-          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
-      - name: Run e2e tests
-        env:
-          SKIP_COSIGN_VERIFICATION: true
-          KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
-          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
-          CREATE_CLUSTER: false
-          BUILD_PLATFORM: linux/arm64
-          MINIO_TAG: RELEASE.2020-09-17T04-49-20Z-arm64
-        run: make e2e
-      - name: Cleanup
+      - name: Print controller logs
         if: always()
+        continue-on-error: true
         run: |
-          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
-          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
+          kubectl -n source-system logs -l app=source-controller

.github/workflows/nightly.yml

@@ -14,18 +14,17 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: all
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           buildkitd-flags: "--debug"
       - name: Build multi-arch container image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
           push: false
           builder: ${{ steps.buildx.outputs.name }}

.github/workflows/release.yml

@@ -7,22 +7,29 @@ on:
     inputs:
       tag:
         description: 'image tag prefix'
-        default: 'rc'
+        default: 'preview'
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
-  build-push:
+  release:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Prepare
@@ -32,27 +39,27 @@ jobs:
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             VERSION=${GITHUB_REF/refs\/tags\//}
           fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             fluxcd/${{ env.CONTROLLER }}
@@ -60,8 +67,11 @@ jobs:
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish images
-        uses: docker/build-push-action@v3
+        id: build-push
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
+          sbom: true
+          provenance: true
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
@@ -69,32 +79,82 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Check images
-        run: |
-          docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Sign images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
       - name: Generate release artifacts
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
           mkdir -p config/release
           kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
           kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-          echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
-      - uses: anchore/sbom-action/download-syft@v0
+      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
       - name: Create release and SBOM
+        id: run-goreleaser
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
-          args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
+          args: release --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=${{ steps.build-push.outputs.digest }}
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
+  release-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}

.github/workflows/scan.yaml

@@ -1,10 +1,10 @@
-name: Scan
+name: scan
 
 on:
   push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   schedule:
     - cron: '18 10 * * 3'
 
@@ -17,9 +17,10 @@ jobs:
     name: FOSSA
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v1
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
         with:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -29,17 +30,23 @@ jobs:
     name: CodeQL
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18

.github/workflows/sync-labels.yaml

@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true

.github/workflows/tests.yaml

@@ -1,15 +1,15 @@
 name: tests
 
 on:
+  workflow_dispatch:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
-
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -20,18 +20,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: /home/runner/work/_temp/_github_home/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Run tests
         env:
           SKIP_COSIGN_VERIFICATION: true
@@ -40,61 +36,22 @@ jobs:
         run: make test
 
   test-linux-arm64:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
+    runs-on:
+      group: "ARM64"
+    if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Run tests
         env:
           SKIP_COSIGN_VERIFICATION: true
-
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
-          
-          # Temporarily disabling -race for arm64 as our GitHub action
-          # runners don't seem to like it. The race detection was tested
-          # on both Apple M1 and Linux arm64 with successful results.
-          #
-          # We should reenable go test -race for arm64 runners once the
-          # current issue is resolved.
-          GO_TEST_ARGS: ''
         run: make test
-
-  # Runs 'make test' on MacOS to ensure the continuous support for contributors
-  # using it as a development environment.
-  darwin-amd64:
-    strategy:
-      matrix:
-        os: [macos-12]
-      fail-fast: false
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19.x
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: /home/runner/work/_temp/_github_home/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Install and configure Docker using colima
-        # Ref: https://github.com/abiosoft/colima/blob/main/docs/FAQ.md#cannot-connect-to-the-docker-daemon-at-unixvarrundockersock-is-the-docker-daemon-running
-        run: |
-          brew install docker
-          colima start
-          echo "DOCKER_HOST=unix://$HOME/.colima/default/docker.sock" >> $GITHUB_ENV
-      - name: Run tests
-        run: make test
-        env:
-          SKIP_COSIGN_VERIFICATION: true

.github/workflows/verify.yaml

@@ -2,14 +2,13 @@ name: verify
 
 on:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
-
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -20,17 +19,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: /home/runner/work/_temp/_github_home/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Verify
         run: make verify

.goreleaser.yaml

@@ -4,9 +4,26 @@ builds:
   - skip: true
 
 release:
-  prerelease: "true"
   extra_files:
     - glob: config/release/*.yaml
+  prerelease: "auto"
+  header: |
+    ## Changelog
+
+    [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
+  footer: |
+    ## Container images
+    
+    - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    
+    Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
+    
+    The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
+    To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).
+
+changelog:
+  disable: true
 
 checksum:
   extra_files:
@@ -32,6 +49,7 @@ signs:
     certificate: "${artifact}.pem"
     args:
       - sign-blob
+      - "--yes"
       - "--output-certificate=${certificate}"
       - "--output-signature=${signature}"
       - "${artifact}"

DEVELOPMENT.md

@@ -15,7 +15,7 @@ There are a number of dependencies required to be able to run the controller and
 
 In addition to the above, the following dependencies are also used by some of the `make` targets:
 
-- `controller-gen` (v0.7.0)
+- `controller-gen` (v0.12.0)
 - `gen-crd-api-reference-docs` (v0.3.0)
 - `setup-envtest` (latest)
 
@@ -24,7 +24,7 @@ If any of the above dependencies are not present on your system, the first invoc
 ## How to run the test suite
 
 Prerequisites:
-* Go >= 1.18
+* Go >= 1.24
 
 You can run the test suite by simply doing
 
@@ -58,7 +58,7 @@ make run
 
 ### Building the container image
 
-Set the name of the container image to be created from the source code. This will be used 
+Set the name of the container image to be created from the source code. This will be used
 when building, pushing and referring to the image on YAML files:
 
 ```sh
@@ -79,7 +79,7 @@ make docker-push
 ```
 
 Alternatively, the three steps above can be done in a single line:
-  
+
 ```sh
 IMG=registry-path/source-controller TAG=latest BUILD_ARGS=--push \
     make docker-build
@@ -128,7 +128,8 @@ Create a `.vscode/launch.json` file:
             "type": "go",
             "request": "launch",
             "mode": "auto",
-            "program": "${workspaceFolder}/main.go"
+            "program": "${workspaceFolder}/main.go",
+            "args": ["--storage-adv-addr=:0", "--storage-path=${workspaceFolder}/bin/data"]
         }
     ]
 }

Dockerfile

@@ -1,30 +1,16 @@
-ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19
-ARG XX_VERSION=1.1.2
+ARG GO_VERSION=1.24
+ARG XX_VERSION=1.6.1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
-
-FROM gostable AS go-linux
-
-# Build-base consists of build platform dependencies and xx.
-# These will be used at current arch to yield execute the cross compilations.
-FROM go-${TARGETOS} AS build-base
-
-RUN apk add --no-cache clang lld
+# Docker buildkit multi-arch build requires golang alpine
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
 
+# Copy the build utilities.
 COPY --from=xx / /
 
-# build-go-mod can still be cached at build platform architecture.
-FROM build-base as build
-
 ARG TARGETPLATFORM
 
-# Some dependencies have to installed 
-# for the target platform: https://github.com/tonistiigi/xx#go--cgo
-RUN xx-apk add musl-dev gcc clang lld
-
 # Configure workspace
 WORKDIR /workspace
 
@@ -40,35 +26,23 @@ RUN go mod download
 
 # Copy source code
 COPY main.go main.go
-COPY controllers/ controllers/
 COPY pkg/ pkg/
 COPY internal/ internal/
 
 ARG TARGETPLATFORM
 ARG TARGETARCH
 
-# Reasons why CGO is in use:
-# - The SHA1 implementation (sha1cd) used by go-git depends on CGO for
-#   performance reasons. See: https://github.com/pjbgf/sha1cd/issues/15
-ENV CGO_ENABLED=1
+# build without specifing the arch
+ENV CGO_ENABLED=0
+RUN xx-go build -trimpath -a -o source-controller main.go
 
-RUN export CGO_LDFLAGS="-static -fuse-ld=lld" && \
-  xx-go build \
-  -ldflags "-s -w" \
-  -tags 'netgo,osusergo,static_build' \
-  -o /source-controller -trimpath main.go;
-
-# Ensure that the binary was cross-compiled correctly to the target platform.
-RUN xx-verify --static /source-controller
-
-FROM alpine:3.16
+FROM alpine:3.21
 
 ARG TARGETPLATFORM
 RUN apk --no-cache add ca-certificates \
   && update-ca-certificates
 
-# Copy over binary from build
-COPY --from=build /source-controller /usr/local/bin/
+COPY --from=builder /workspace/source-controller /usr/local/bin/
 
 USER 65534:65534
 ENTRYPOINT [ "source-controller" ]

MAINTAINERS

@@ -7,6 +7,4 @@ from the main Flux v2 git repository, as listed in
 
     https://github.com/fluxcd/flux2/blob/main/MAINTAINERS
 
-In alphabetical order:
-
-Paulo Gomes, Weaveworks <paulo.gomes@weave.works> (github: @pjbgf, slack: pjbgf)
+Dipti Pai, Microsoft <diptipai@microsoft.com> (github: @dipti-pai, slack: Dipti Pai)

Makefile

@@ -38,8 +38,8 @@ FUZZ_TIME ?= 1m
 GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build$(addprefix ,,$(GO_TAGS))'
 
 # API (doc) generation utilities
-CONTROLLER_GEN_VERSION ?= v0.7.0
-GEN_API_REF_DOCS_VERSION ?= v0.3.0
+CONTROLLER_GEN_VERSION ?= v0.16.1
+GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113
 
 # If gobin not set, create one on ./build and add to path.
 ifeq (,$(shell go env GOBIN))
@@ -61,40 +61,38 @@ ifeq ($(shell uname -s),Darwin)
 ENVTEST_ARCH=amd64
 endif
 
-all: build
+all: manager
 
-build: check-deps ## Build manager binary
+# Build manager binary
+manager: generate fmt vet
 	go build $(GO_STATIC_FLAGS) -o $(BUILD_DIR)/bin/manager main.go
 
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
-test: install-envtest test-api check-deps ## Run all tests
+test: install-envtest test-api ## Run all tests
 	HTTPS_PROXY="" HTTP_PROXY="" \
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
 	GIT_CONFIG_GLOBAL=/dev/null \
+	GIT_CONFIG_NOSYSTEM=true \
 	go test $(GO_STATIC_FLAGS) \
 	  ./... \
 	  $(GO_TEST_ARGS) \
 	  -coverprofile cover.out
 
-test-ctrl: install-envtest test-api check-deps ## Run controller tests
+test-ctrl: install-envtest test-api ## Run controller tests
 	HTTPS_PROXY="" HTTP_PROXY="" \
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
 	GIT_CONFIG_GLOBAL=/dev/null \
 	go test $(GO_STATIC_FLAGS) \
 	  -run "^$(GO_TEST_PREFIX).*" \
-	  -v ./controllers \
+	  -v ./internal/controller \
 	  -coverprofile cover.out
 
-check-deps:
-ifeq ($(shell uname -s),Darwin)
-	if ! command -v pkg-config &> /dev/null; then echo "pkg-config is required"; exit 1; fi
-endif
-
 test-api: ## Run api tests
 	cd api; go test $(GO_TEST_ARGS) ./... -coverprofile cover.out
 
 run: generate fmt vet manifests  ## Run against the configured Kubernetes cluster in ~/.kube/config
-	go run $(GO_STATIC_FLAGS) ./main.go
+	@mkdir -p $(PWD)/bin/data
+	go run $(GO_STATIC_FLAGS) ./main.go --storage-adv-addr=:0 --storage-path=$(PWD)/bin/data
 
 install: manifests  ## Install CRDs into a cluster
 	kustomize build config/crd | kubectl apply -f -
@@ -117,11 +115,11 @@ manifests: controller-gen  ## Generate manifests, e.g. CRD, RBAC, etc.
 	cd api; $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./..." output:crd:artifacts:config="../config/crd/bases"
 
 api-docs: gen-crd-api-reference-docs  ## Generate API reference documentation
-	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/source.md
+	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1/source.md
 
 tidy:  ## Run go mod tidy
-	cd api; rm -f go.sum; go mod tidy -compat=1.19
-	rm -f go.sum; go mod tidy -compat=1.19
+	cd api; rm -f go.sum; go mod tidy -compat=1.24
+	rm -f go.sum; go mod tidy -compat=1.24
 
 fmt:  ## Run go fmt against code
 	go fmt ./...
@@ -147,13 +145,13 @@ docker-push:  ## Push Docker image
 CONTROLLER_GEN = $(GOBIN)/controller-gen
 .PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
 # Find or download gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
 .PHONY: gen-crd-api-reference-docs
 gen-crd-api-reference-docs: ## Download gen-crd-api-reference-docs locally if necessary
-	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@3f29e6853552dcf08a8e846b1225f275ed0f3e3b)
+	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_API_REF_DOCS_VERSION))
 
 ENVTEST = $(GOBIN)/setup-envtest
 .PHONY: envtest
@@ -190,7 +188,7 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-env -i bash -c "GOBIN=$(GOBIN) PATH=$(PATH) GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
+env -i bash -c "GOBIN=$(GOBIN) PATH=\"$(PATH)\" GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
 rm -rf $$TMP_DIR ;\
 }
 endef

PROJECT

@@ -1,12 +1,21 @@
 domain: toolkit.fluxcd.io
 repo: github.com/fluxcd/source-controller
 resources:
+- group: source
+  kind: GitRepository
+  version: v1
 - group: source
   kind: GitRepository
   version: v1beta2
+- group: source
+  kind: HelmRepository
+  version: v1
 - group: source
   kind: HelmRepository
   version: v1beta2
+- group: source
+  kind: HelmChart
+  version: v1
 - group: source
   kind: HelmChart
   version: v1beta2
@@ -28,4 +37,10 @@ resources:
 - group: source
   kind: OCIRepository
   version: v1beta2
+- group: source
+  kind: Bucket
+  version: v1
+- group: source
+  kind: OCIRepository
+  version: v1
 version: "2"

README.md

@@ -5,23 +5,49 @@
 [![report](https://goreportcard.com/badge/github.com/fluxcd/source-controller)](https://goreportcard.com/report/github.com/fluxcd/source-controller)
 [![license](https://img.shields.io/github/license/fluxcd/source-controller.svg)](https://github.com/fluxcd/source-controller/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/source-controller/all.svg)](https://github.com/fluxcd/source-controller/releases)
- 
+
 The source-controller is a Kubernetes operator, specialised in artifacts acquisition
-from external sources such as Git, Helm repositories and S3 buckets.
+from external sources such as Git, OCI, Helm repositories and S3-compatible buckets.
 The source-controller implements the
-[source.toolkit.fluxcd.io](https://github.com/fluxcd/source-controller/tree/main/docs/spec/v1beta2) API
+[source.toolkit.fluxcd.io](docs/spec/README.md) API
 and is a core component of the [GitOps toolkit](https://fluxcd.io/flux/components/).
 
 ![overview](docs/diagrams/source-controller-overview.png)
 
-Features:
+## APIs
 
-* authenticates to sources (SSH, user/password, API token)
-* validates source authenticity (PGP)
+| Kind                                               | API Version                   |
+|----------------------------------------------------|-------------------------------|
+| [GitRepository](docs/spec/v1/gitrepositories.md)   | `source.toolkit.fluxcd.io/v1` |
+| [OCIRepository](docs/spec/v1/ocirepositories.md)   | `source.toolkit.fluxcd.io/v1` |
+| [HelmRepository](docs/spec/v1/helmrepositories.md) | `source.toolkit.fluxcd.io/v1` |
+| [HelmChart](docs/spec/v1/helmcharts.md)            | `source.toolkit.fluxcd.io/v1` |
+| [Bucket](docs/spec/v1/buckets.md)                  | `source.toolkit.fluxcd.io/v1` |
+
+## Features
+
+* authenticates to sources (SSH, user/password, API token, Workload Identity)
+* validates source authenticity (PGP, Cosign, Notation)
 * detects source changes based on update policies (semver)
 * fetches resources on-demand and on-a-schedule
 * packages the fetched resources into a well-known format (tar.gz, yaml)
 * makes the artifacts addressable by their source identifier (sha, version, ts)
 * makes the artifacts available in-cluster to interested 3rd parties
 * notifies interested 3rd parties of source changes and availability (status conditions, events, hooks)
-* reacts to Git push and Helm chart upload events (via [notification-controller](https://github.com/fluxcd/notification-controller))
+* reacts to Git, Helm and OCI artifacts push events (via [notification-controller](https://github.com/fluxcd/notification-controller))
+
+## Guides
+
+* [Get started with Flux](https://fluxcd.io/flux/get-started/)
+* [Setup Webhook Receivers](https://fluxcd.io/flux/guides/webhook-receivers/)
+* [Setup Notifications](https://fluxcd.io/flux/guides/notifications/)
+* [How to build, publish and consume OCI Artifacts with Flux](https://fluxcd.io/flux/cheatsheets/oci-artifacts/)
+
+## Roadmap
+
+The roadmap for the Flux family of projects can be found at <https://fluxcd.io/roadmap/>.
+
+## Contributing
+
+This project is Apache 2.0 licensed and accepts contributions via GitHub pull requests.
+To start contributing please see the [development guide](DEVELOPMENT.md).

api/go.mod

@@ -1,33 +1,35 @@
 module github.com/fluxcd/source-controller/api
 
-go 1.18
+go 1.24.0
 
 require (
-	github.com/fluxcd/pkg/apis/acl v0.1.0
-	github.com/fluxcd/pkg/apis/meta v0.18.0
-	k8s.io/apimachinery v0.25.4
-	sigs.k8s.io/controller-runtime v0.13.1
+	github.com/fluxcd/pkg/apis/acl v0.7.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	k8s.io/apimachinery v0.33.0
+	sigs.k8s.io/controller-runtime v0.21.0
 )
 
-// Fix CVE-2022-32149
-replace golang.org/x/text => golang.org/x/text v0.4.0
-
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
 require (
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

api/go.sum

@@ -1,102 +1,117 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
-github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8=
-github.com/fluxcd/pkg/apis/meta v0.18.0 h1:s0LeulWcQ4DxVX6805vgDTxlA6bAYk+Lq1QHSnNdqLM=
-github.com/fluxcd/pkg/apis/meta v0.18.0/go.mod h1:pYvXRFi1UKNNrGR34jw3uqOnMXw9X6dTkML8j5Z7tis=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5ooOE0=
+github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-k8s.io/api v0.25.0 h1:H+Q4ma2U/ww0iGB78ijZx6DRByPz6/733jIuFpX70e0=
-k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc=
-k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo=
-k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
-k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
-k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg=
-sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
+k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
+k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
+k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

api/v1/artifact_types.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"path"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Artifact represents the output of a Source reconciliation.
+type Artifact struct {
+	// Path is the relative file path of the Artifact. It can be used to locate
+	// the file in the root of the Artifact storage on the local file system of
+	// the controller managing the Source.
+	// +required
+	Path string `json:"path"`
+
+	// URL is the HTTP address of the Artifact as exposed by the controller
+	// managing the Source. It can be used to retrieve the Artifact for
+	// consumption, e.g. by another controller applying the Artifact contents.
+	// +required
+	URL string `json:"url"`
+
+	// Revision is a human-readable identifier traceable in the origin source
+	// system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+	// +required
+	Revision string `json:"revision"`
+
+	// Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+	// +optional
+	// +kubebuilder:validation:Pattern="^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$"
+	Digest string `json:"digest,omitempty"`
+
+	// LastUpdateTime is the timestamp corresponding to the last update of the
+	// Artifact.
+	// +required
+	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
+
+	// Size is the number of bytes in the file.
+	// +optional
+	Size *int64 `json:"size,omitempty"`
+
+	// Metadata holds upstream information such as OCI annotations.
+	// +optional
+	Metadata map[string]string `json:"metadata,omitempty"`
+}
+
+// HasRevision returns if the given revision matches the current Revision of
+// the Artifact.
+func (in *Artifact) HasRevision(revision string) bool {
+	if in == nil {
+		return false
+	}
+	return in.Revision == revision
+}
+
+// HasDigest returns if the given digest matches the current Digest of the
+// Artifact.
+func (in *Artifact) HasDigest(digest string) bool {
+	if in == nil {
+		return false
+	}
+	return in.Digest == digest
+}
+
+// ArtifactDir returns the artifact dir path in the form of
+// '<kind>/<namespace>/<name>'.
+func ArtifactDir(kind, namespace, name string) string {
+	kind = strings.ToLower(kind)
+	return path.Join(kind, namespace, name)
+}
+
+// ArtifactPath returns the artifact path in the form of
+// '<kind>/<namespace>/name>/<filename>'.
+func ArtifactPath(kind, namespace, name, filename string) string {
+	return path.Join(ArtifactDir(kind, namespace, name), filename)
+}

api/v1/bucket_types.go

@@ -0,0 +1,271 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// BucketKind is the string representation of a Bucket.
+	BucketKind = "Bucket"
+)
+
+const (
+	// BucketProviderGeneric for any S3 API compatible storage Bucket.
+	BucketProviderGeneric string = "generic"
+	// BucketProviderAmazon for an AWS S3 object storage Bucket.
+	// Provides support for retrieving credentials from the AWS EC2 service.
+	BucketProviderAmazon string = "aws"
+	// BucketProviderGoogle for a Google Cloud Storage Bucket.
+	// Provides support for authentication using a workload identity.
+	BucketProviderGoogle string = "gcp"
+	// BucketProviderAzure for an Azure Blob Storage Bucket.
+	// Provides support for authentication using a Service Principal,
+	// Managed Identity or Shared Key.
+	BucketProviderAzure string = "azure"
+)
+
+// BucketSpec specifies the required configuration to produce an Artifact for
+// an object storage bucket.
+// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)", message="STS configuration is only supported for the 'aws' and 'generic' Bucket providers"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
+type BucketSpec struct {
+	// Provider of the object storage bucket.
+	// Defaults to 'generic', which expects an S3 (API) compatible object
+	// storage.
+	// +kubebuilder:validation:Enum=generic;aws;gcp;azure
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// BucketName is the name of the object storage bucket.
+	// +required
+	BucketName string `json:"bucketName"`
+
+	// Endpoint is the object storage address the BucketName is located at.
+	// +required
+	Endpoint string `json:"endpoint"`
+
+	// STS specifies the required configuration to use a Security Token
+	// Service for fetching temporary credentials to authenticate in a
+	// Bucket provider.
+	//
+	// This field is only supported for the `aws` and `generic` providers.
+	// +optional
+	STS *BucketSTSSpec `json:"sts,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP Endpoint.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// Region of the Endpoint where the BucketName is located in.
+	// +optional
+	Region string `json:"region,omitempty"`
+
+	// Prefix to use for server-side filtering of files in the Bucket.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the Bucket.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// bucket. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `generic` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Bucket server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// Timeout for fetch operations, defaults to 60s.
+	// +kubebuilder:default="60s"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Ignore overrides the set of excluded patterns in the .sourceignore format
+	// (which is the same as .gitignore). If not provided, a default will be used,
+	// consult the documentation for your version to find out what those are.
+	// +optional
+	Ignore *string `json:"ignore,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// Bucket.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+}
+
+// BucketSTSSpec specifies the required configuration to use a Security Token
+// Service for fetching temporary credentials to authenticate in a Bucket
+// provider.
+type BucketSTSSpec struct {
+	// Provider of the Security Token Service.
+	// +kubebuilder:validation:Enum=aws;ldap
+	// +required
+	Provider string `json:"provider"`
+
+	// Endpoint is the HTTP/S endpoint of the Security Token Service from
+	// where temporary credentials will be fetched.
+	// +required
+	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
+	Endpoint string `json:"endpoint"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the STS endpoint. This Secret must contain the fields `username`
+	// and `password` and is supported only for the `ldap` provider.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// STS endpoint. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `ldap` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+}
+
+// BucketStatus records the observed state of a Bucket.
+type BucketStatus struct {
+	// ObservedGeneration is the last observed generation of the Bucket object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the Bucket.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// BucketStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the last successful Bucket reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	// ObservedIgnore is the observed exclusion patterns used for constructing
+	// the source artifact.
+	// +optional
+	ObservedIgnore *string `json:"observedIgnore,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// BucketOperationSucceededReason signals that the Bucket listing and fetch
+	// operations succeeded.
+	BucketOperationSucceededReason string = "BucketOperationSucceeded"
+
+	// BucketOperationFailedReason signals that the Bucket listing or fetch
+	// operations failed.
+	BucketOperationFailedReason string = "BucketOperationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in *Bucket) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Bucket) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be reconciled again.
+func (in *Bucket) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest artifact from the source if present in the status sub-resource.
+func (in *Bucket) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// Bucket is the Schema for the buckets API.
+type Bucket struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec BucketSpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status BucketStatus `json:"status,omitempty"`
+}
+
+// BucketList contains a list of Bucket objects.
+// +kubebuilder:object:root=true
+type BucketList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Bucket `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Bucket{}, &BucketList{})
+}

api/v1/condition_types.go

@@ -0,0 +1,118 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+const SourceFinalizer = "finalizers.fluxcd.io"
+
+const (
+	// ArtifactInStorageCondition indicates the availability of the Artifact in
+	// the storage.
+	// If True, the Artifact is stored successfully.
+	// This Condition is only present on the resource if the Artifact is
+	// successfully stored.
+	ArtifactInStorageCondition string = "ArtifactInStorage"
+
+	// ArtifactOutdatedCondition indicates the current Artifact of the Source
+	// is outdated.
+	// This is a "negative polarity" or "abnormal-true" type, and is only
+	// present on the resource if it is True.
+	ArtifactOutdatedCondition string = "ArtifactOutdated"
+
+	// SourceVerifiedCondition indicates the integrity verification of the
+	// Source.
+	// If True, the integrity check succeeded. If False, it failed.
+	// This Condition is only present on the resource if the integrity check
+	// is enabled.
+	SourceVerifiedCondition string = "SourceVerified"
+
+	// FetchFailedCondition indicates a transient or persistent fetch failure
+	// of an upstream Source.
+	// If True, observations on the upstream Source revision may be impossible,
+	// and the Artifact available for the Source may be outdated.
+	// This is a "negative polarity" or "abnormal-true" type, and is only
+	// present on the resource if it is True.
+	FetchFailedCondition string = "FetchFailed"
+
+	// BuildFailedCondition indicates a transient or persistent build failure
+	// of a Source's Artifact.
+	// If True, the Source can be in an ArtifactOutdatedCondition.
+	// This is a "negative polarity" or "abnormal-true" type, and is only
+	// present on the resource if it is True.
+	BuildFailedCondition string = "BuildFailed"
+
+	// StorageOperationFailedCondition indicates a transient or persistent
+	// failure related to storage. If True, the reconciliation failed while
+	// performing some filesystem operation.
+	// This is a "negative polarity" or "abnormal-true" type, and is only
+	// present on the resource if it is True.
+	StorageOperationFailedCondition string = "StorageOperationFailed"
+)
+
+// Reasons are provided as utility, and not part of the declarative API.
+const (
+	// URLInvalidReason signals that a given Source has an invalid URL.
+	URLInvalidReason string = "URLInvalid"
+
+	// AuthenticationFailedReason signals that a Secret does not have the
+	// required fields, or the provided credentials do not match.
+	AuthenticationFailedReason string = "AuthenticationFailed"
+
+	// VerificationError signals that the Source's verification
+	// check failed.
+	VerificationError string = "VerificationError"
+
+	// DirCreationFailedReason signals a failure caused by a directory creation
+	// operation.
+	DirCreationFailedReason string = "DirectoryCreationFailed"
+
+	// StatOperationFailedReason signals a failure caused by a stat operation on
+	// a path.
+	StatOperationFailedReason string = "StatOperationFailed"
+
+	// ReadOperationFailedReason signals a failure caused by a read operation.
+	ReadOperationFailedReason string = "ReadOperationFailed"
+
+	// AcquireLockFailedReason signals a failure in acquiring lock.
+	AcquireLockFailedReason string = "AcquireLockFailed"
+
+	// InvalidPathReason signals a failure caused by an invalid path.
+	InvalidPathReason string = "InvalidPath"
+
+	// ArchiveOperationFailedReason signals a failure in archive operation.
+	ArchiveOperationFailedReason string = "ArchiveOperationFailed"
+
+	// SymlinkUpdateFailedReason signals a failure in updating a symlink.
+	SymlinkUpdateFailedReason string = "SymlinkUpdateFailed"
+
+	// ArtifactUpToDateReason signals that an existing Artifact is up-to-date
+	// with the Source.
+	ArtifactUpToDateReason string = "ArtifactUpToDate"
+
+	// CacheOperationFailedReason signals a failure in cache operation.
+	CacheOperationFailedReason string = "CacheOperationFailed"
+
+	// PatchOperationFailedReason signals a failure in patching a kubernetes API
+	// object.
+	PatchOperationFailedReason string = "PatchOperationFailed"
+
+	// InvalidSTSConfigurationReason signals that the STS configurtion is invalid.
+	InvalidSTSConfigurationReason string = "InvalidSTSConfiguration"
+
+	// InvalidProviderConfigurationReason signals that the provider
+	// configuration is invalid.
+	InvalidProviderConfigurationReason string = "InvalidProviderConfiguration"
+)

api/v1/doc.go

@@ -0,0 +1,20 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API Schema definitions for the source v1 API group
+// +kubebuilder:object:generate=true
+// +groupName=source.toolkit.fluxcd.io
+package v1

api/v1/gitrepository_types.go

@@ -0,0 +1,378 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// GitRepositoryKind is the string representation of a GitRepository.
+	GitRepositoryKind = "GitRepository"
+
+	// GitProviderGeneric provides support for authentication using
+	// credentials specified in secretRef.
+	GitProviderGeneric string = "generic"
+
+	// GitProviderAzure provides support for authentication to azure
+	// repositories using Managed Identity.
+	GitProviderAzure string = "azure"
+
+	// GitProviderGitHub provides support for authentication to git
+	// repositories using GitHub App authentication
+	GitProviderGitHub string = "github"
+)
+
+const (
+	// IncludeUnavailableCondition indicates one of the includes is not
+	// available. For example, because it does not exist, or does not have an
+	// Artifact.
+	// This is a "negative polarity" or "abnormal-true" type, and is only
+	// present on the resource if it is True.
+	IncludeUnavailableCondition string = "IncludeUnavailable"
+)
+
+// GitVerificationMode specifies the verification mode for a Git repository.
+type GitVerificationMode string
+
+// Valid checks the validity of the Git verification mode.
+func (m GitVerificationMode) Valid() bool {
+	switch m {
+	case ModeGitHEAD, ModeGitTag, ModeGitTagAndHEAD:
+		return true
+	default:
+		return false
+	}
+}
+
+const (
+	// ModeGitHEAD implies that the HEAD of the Git repository (after it has been
+	// checked out to the required commit) should be verified.
+	ModeGitHEAD GitVerificationMode = "HEAD"
+	// ModeGitTag implies that the tag object specified in the checkout configuration
+	// should be verified.
+	ModeGitTag GitVerificationMode = "Tag"
+	// ModeGitTagAndHEAD implies that both the tag object and the commit it points
+	// to should be verified.
+	ModeGitTagAndHEAD GitVerificationMode = "TagAndHEAD"
+)
+
+// GitRepositorySpec specifies the required configuration to produce an
+// Artifact for a Git repository.
+type GitRepositorySpec struct {
+	// URL specifies the Git repository URL, it can be an HTTP/S or SSH address.
+	// +kubebuilder:validation:Pattern="^(http|https|ssh)://.*$"
+	// +required
+	URL string `json:"url"`
+
+	// SecretRef specifies the Secret containing authentication credentials for
+	// the GitRepository.
+	// For HTTPS repositories the Secret must contain 'username' and 'password'
+	// fields for basic auth or 'bearerToken' field for token auth.
+	// For SSH repositories the Secret must contain 'identity'
+	// and 'known_hosts' fields.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// Provider used for authentication, can be 'azure', 'github', 'generic'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;azure;github
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// Interval at which the GitRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	// +kubebuilder:default="60s"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Reference specifies the Git reference to resolve and monitor for
+	// changes, defaults to the 'master' branch.
+	// +optional
+	Reference *GitRepositoryRef `json:"ref,omitempty"`
+
+	// Verification specifies the configuration to verify the Git commit
+	// signature(s).
+	// +optional
+	Verification *GitRepositoryVerification `json:"verify,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Git server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Ignore overrides the set of excluded patterns in the .sourceignore format
+	// (which is the same as .gitignore). If not provided, a default will be used,
+	// consult the documentation for your version to find out what those are.
+	// +optional
+	Ignore *string `json:"ignore,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// GitRepository.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// RecurseSubmodules enables the initialization of all submodules within
+	// the GitRepository as cloned from the URL, using their default settings.
+	// +optional
+	RecurseSubmodules bool `json:"recurseSubmodules,omitempty"`
+
+	// Include specifies a list of GitRepository resources which Artifacts
+	// should be included in the Artifact produced for this GitRepository.
+	// +optional
+	Include []GitRepositoryInclude `json:"include,omitempty"`
+
+	// SparseCheckout specifies a list of directories to checkout when cloning
+	// the repository. If specified, only these directories are included in the
+	// Artifact produced for this GitRepository.
+	// +optional
+	SparseCheckout []string `json:"sparseCheckout,omitempty"`
+}
+
+// GitRepositoryInclude specifies a local reference to a GitRepository which
+// Artifact (sub-)contents must be included, and where they should be placed.
+type GitRepositoryInclude struct {
+	// GitRepositoryRef specifies the GitRepository which Artifact contents
+	// must be included.
+	// +required
+	GitRepositoryRef meta.LocalObjectReference `json:"repository"`
+
+	// FromPath specifies the path to copy contents from, defaults to the root
+	// of the Artifact.
+	// +optional
+	FromPath string `json:"fromPath,omitempty"`
+
+	// ToPath specifies the path to copy contents to, defaults to the name of
+	// the GitRepositoryRef.
+	// +optional
+	ToPath string `json:"toPath,omitempty"`
+}
+
+// GetFromPath returns the specified FromPath.
+func (in *GitRepositoryInclude) GetFromPath() string {
+	return in.FromPath
+}
+
+// GetToPath returns the specified ToPath, falling back to the name of the
+// GitRepositoryRef.
+func (in *GitRepositoryInclude) GetToPath() string {
+	if in.ToPath == "" {
+		return in.GitRepositoryRef.Name
+	}
+	return in.ToPath
+}
+
+// GitRepositoryRef specifies the Git reference to resolve and checkout.
+type GitRepositoryRef struct {
+	// Branch to check out, defaults to 'master' if no other field is defined.
+	// +optional
+	Branch string `json:"branch,omitempty"`
+
+	// Tag to check out, takes precedence over Branch.
+	// +optional
+	Tag string `json:"tag,omitempty"`
+
+	// SemVer tag expression to check out, takes precedence over Tag.
+	// +optional
+	SemVer string `json:"semver,omitempty"`
+
+	// Name of the reference to check out; takes precedence over Branch, Tag and SemVer.
+	//
+	// It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
+	// Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// Commit SHA to check out, takes precedence over all reference fields.
+	//
+	// This can be combined with Branch to shallow clone the branch, in which
+	// the commit is expected to exist.
+	// +optional
+	Commit string `json:"commit,omitempty"`
+}
+
+// GitRepositoryVerification specifies the Git commit signature verification
+// strategy.
+type GitRepositoryVerification struct {
+	// Mode specifies which Git object(s) should be verified.
+	//
+	// The variants "head" and "HEAD" both imply the same thing, i.e. verify
+	// the commit that the HEAD of the Git repository points to. The variant
+	// "head" solely exists to ensure backwards compatibility.
+	// +kubebuilder:validation:Enum=head;HEAD;Tag;TagAndHEAD
+	// +optional
+	// +kubebuilder:default:=HEAD
+	Mode GitVerificationMode `json:"mode,omitempty"`
+
+	// SecretRef specifies the Secret containing the public keys of trusted Git
+	// authors.
+	// +required
+	SecretRef meta.LocalObjectReference `json:"secretRef"`
+}
+
+// GitRepositoryStatus records the observed state of a Git repository.
+type GitRepositoryStatus struct {
+	// ObservedGeneration is the last observed generation of the GitRepository
+	// object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the GitRepository.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// Artifact represents the last successful GitRepository reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	// IncludedArtifacts contains a list of the last successfully included
+	// Artifacts as instructed by GitRepositorySpec.Include.
+	// +optional
+	IncludedArtifacts []*Artifact `json:"includedArtifacts,omitempty"`
+
+	// ObservedIgnore is the observed exclusion patterns used for constructing
+	// the source artifact.
+	// +optional
+	ObservedIgnore *string `json:"observedIgnore,omitempty"`
+
+	// ObservedRecurseSubmodules is the observed resource submodules
+	// configuration used to produce the current Artifact.
+	// +optional
+	ObservedRecurseSubmodules bool `json:"observedRecurseSubmodules,omitempty"`
+
+	// ObservedInclude is the observed list of GitRepository resources used to
+	// produce the current Artifact.
+	// +optional
+	ObservedInclude []GitRepositoryInclude `json:"observedInclude,omitempty"`
+
+	// ObservedSparseCheckout is the observed list of directories used to
+	// produce the current Artifact.
+	// +optional
+	ObservedSparseCheckout []string `json:"observedSparseCheckout,omitempty"`
+
+	// SourceVerificationMode is the last used verification mode indicating
+	// which Git object(s) have been verified.
+	// +optional
+	SourceVerificationMode *GitVerificationMode `json:"sourceVerificationMode,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// GitOperationSucceedReason signals that a Git operation (e.g. clone,
+	// checkout, etc.) succeeded.
+	GitOperationSucceedReason string = "GitOperationSucceeded"
+
+	// GitOperationFailedReason signals that a Git operation (e.g. clone,
+	// checkout, etc.) failed.
+	GitOperationFailedReason string = "GitOperationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in GitRepository) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *GitRepository) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the GitRepository must be
+// reconciled again.
+func (in GitRepository) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest Artifact from the GitRepository if present in
+// the status sub-resource.
+func (in *GitRepository) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// GetProvider returns the Git authentication provider.
+func (v *GitRepository) GetProvider() string {
+	if v.Spec.Provider == "" {
+		return GitProviderGeneric
+	}
+	return v.Spec.Provider
+}
+
+// GetMode returns the declared GitVerificationMode, or a ModeGitHEAD default.
+func (v *GitRepositoryVerification) GetMode() GitVerificationMode {
+	if v.Mode.Valid() {
+		return v.Mode
+	}
+	return ModeGitHEAD
+}
+
+// VerifyHEAD returns if the configured mode instructs verification of the
+// Git HEAD.
+func (v *GitRepositoryVerification) VerifyHEAD() bool {
+	return v.GetMode() == ModeGitHEAD || v.GetMode() == ModeGitTagAndHEAD
+}
+
+// VerifyTag returns if the configured mode instructs verification of the
+// Git tag.
+func (v *GitRepositoryVerification) VerifyTag() bool {
+	return v.GetMode() == ModeGitTag || v.GetMode() == ModeGitTagAndHEAD
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=gitrepo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// GitRepository is the Schema for the gitrepositories API.
+type GitRepository struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec GitRepositorySpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status GitRepositoryStatus `json:"status,omitempty"`
+}
+
+// GitRepositoryList contains a list of GitRepository objects.
+// +kubebuilder:object:root=true
+type GitRepositoryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GitRepository `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&GitRepository{}, &GitRepositoryList{})
+}

api/v1/groupversion_info.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "source.toolkit.fluxcd.io", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1/helmchart_types.go

@@ -0,0 +1,227 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+// HelmChartKind is the string representation of a HelmChart.
+const HelmChartKind = "HelmChart"
+
+// HelmChartSpec specifies the desired state of a Helm chart.
+type HelmChartSpec struct {
+	// Chart is the name or path the Helm chart is available at in the
+	// SourceRef.
+	// +required
+	Chart string `json:"chart"`
+
+	// Version is the chart version semver expression, ignored for charts from
+	// GitRepository and Bucket sources. Defaults to latest when omitted.
+	// +kubebuilder:default:=*
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// SourceRef is the reference to the Source the chart is available at.
+	// +required
+	SourceRef LocalHelmChartSourceReference `json:"sourceRef"`
+
+	// Interval at which the HelmChart SourceRef is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// ReconcileStrategy determines what enables the creation of a new artifact.
+	// Valid values are ('ChartVersion', 'Revision').
+	// See the documentation of the values for an explanation on their behavior.
+	// Defaults to ChartVersion when omitted.
+	// +kubebuilder:validation:Enum=ChartVersion;Revision
+	// +kubebuilder:default:=ChartVersion
+	// +optional
+	ReconcileStrategy string `json:"reconcileStrategy,omitempty"`
+
+	// ValuesFiles is an alternative list of values files to use as the chart
+	// values (values.yaml is not included by default), expected to be a
+	// relative path in the SourceRef.
+	// Values files are merged in the order of this list with the last file
+	// overriding the first. Ignored when omitted.
+	// +optional
+	ValuesFiles []string `json:"valuesFiles,omitempty"`
+
+	// IgnoreMissingValuesFiles controls whether to silently ignore missing values
+	// files rather than failing.
+	// +optional
+	IgnoreMissingValuesFiles bool `json:"ignoreMissingValuesFiles,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// source.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// This field is only supported when using HelmRepository source with spec.type 'oci'.
+	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+	// +optional
+	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+}
+
+const (
+	// ReconcileStrategyChartVersion reconciles when the version of the Helm chart is different.
+	ReconcileStrategyChartVersion string = "ChartVersion"
+
+	// ReconcileStrategyRevision reconciles when the Revision of the source is different.
+	ReconcileStrategyRevision string = "Revision"
+)
+
+// LocalHelmChartSourceReference contains enough information to let you locate
+// the typed referenced object at namespace level.
+type LocalHelmChartSourceReference struct {
+	// APIVersion of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent, valid values are ('HelmRepository', 'GitRepository',
+	// 'Bucket').
+	// +kubebuilder:validation:Enum=HelmRepository;GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+}
+
+// HelmChartStatus records the observed state of the HelmChart.
+type HelmChartStatus struct {
+	// ObservedGeneration is the last observed generation of the HelmChart
+	// object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// ObservedSourceArtifactRevision is the last observed Artifact.Revision
+	// of the HelmChartSpec.SourceRef.
+	// +optional
+	ObservedSourceArtifactRevision string `json:"observedSourceArtifactRevision,omitempty"`
+
+	// ObservedChartName is the last observed chart name as specified by the
+	// resolved chart reference.
+	// +optional
+	ObservedChartName string `json:"observedChartName,omitempty"`
+
+	// ObservedValuesFiles are the observed value files of the last successful
+	// reconciliation.
+	// It matches the chart in the last successfully reconciled artifact.
+	// +optional
+	ObservedValuesFiles []string `json:"observedValuesFiles,omitempty"`
+
+	// Conditions holds the conditions for the HelmChart.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// BucketStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the output of the last successful reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// ChartPullSucceededReason signals that the pull of the Helm chart
+	// succeeded.
+	ChartPullSucceededReason string = "ChartPullSucceeded"
+
+	// ChartPackageSucceededReason signals that the package of the Helm
+	// chart succeeded.
+	ChartPackageSucceededReason string = "ChartPackageSucceeded"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in HelmChart) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *HelmChart) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be
+// reconciled again.
+func (in HelmChart) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest artifact from the source if present in the
+// status sub-resource.
+func (in *HelmChart) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// GetValuesFiles returns a merged list of HelmChartSpec.ValuesFiles.
+func (in *HelmChart) GetValuesFiles() []string {
+	return in.Spec.ValuesFiles
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=hc
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
+// +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
+// +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`
+// +kubebuilder:printcolumn:name="Source Name",type=string,JSONPath=`.spec.sourceRef.name`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// HelmChart is the Schema for the helmcharts API.
+type HelmChart struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HelmChartSpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status HelmChartStatus `json:"status,omitempty"`
+}
+
+// HelmChartList contains a list of HelmChart objects.
+// +kubebuilder:object:root=true
+type HelmChartList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HelmChart `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&HelmChart{}, &HelmChartList{})
+}

api/v1/helmrepository_types.go

@@ -0,0 +1,228 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/acl"
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// HelmRepositoryKind is the string representation of a HelmRepository.
+	HelmRepositoryKind = "HelmRepository"
+	// HelmRepositoryURLIndexKey is the key used for indexing HelmRepository
+	// objects by their HelmRepositorySpec.URL.
+	HelmRepositoryURLIndexKey = ".metadata.helmRepositoryURL"
+	// HelmRepositoryTypeDefault is the default HelmRepository type.
+	// It is used when no type is specified and corresponds to a Helm repository.
+	HelmRepositoryTypeDefault = "default"
+	// HelmRepositoryTypeOCI is the type for an OCI repository.
+	HelmRepositoryTypeOCI = "oci"
+)
+
+// HelmRepositorySpec specifies the required configuration to produce an
+// Artifact for a Helm repository index YAML.
+type HelmRepositorySpec struct {
+	// URL of the Helm repository, a valid URL contains at least a protocol and
+	// host.
+	// +kubebuilder:validation:Pattern="^(http|https|oci)://.*$"
+	// +required
+	URL string `json:"url"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the HelmRepository.
+	// For HTTP/S basic auth the secret must contain 'username' and 'password'
+	// fields.
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// It takes precedence over the values specified in the Secret referred
+	// to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// PassCredentials allows the credentials from the SecretRef to be passed
+	// on to a host that does not match the host as defined in URL.
+	// This may be required if the host of the advertised chart URLs in the
+	// index differ from the defined URL.
+	// Enabling this should be done with caution, as it can potentially result
+	// in credentials getting stolen in a MITM-attack.
+	// +optional
+	PassCredentials bool `json:"passCredentials,omitempty"`
+
+	// Interval at which the HelmRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	Interval metav1.Duration `json:"interval,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// This field is only taken into account if the .spec.type field is set to 'oci'.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// Timeout is used for the index fetch operation for an HTTPS helm repository,
+	// and for remote OCI Repository operations like pulling for an OCI helm
+	// chart by the associated HelmChart.
+	// Its default value is 60s.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// HelmRepository.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom specifies an Access Control List for allowing cross-namespace
+	// references to this object.
+	// NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
+
+	// Type of the HelmRepository.
+	// When this field is set to  "oci", the URL field value must be prefixed with "oci://".
+	// +kubebuilder:validation:Enum=default;oci
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+	// This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;aws;azure;gcp
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+}
+
+// HelmRepositoryStatus records the observed state of the HelmRepository.
+type HelmRepositoryStatus struct {
+	// ObservedGeneration is the last observed generation of the HelmRepository
+	// object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the HelmRepository.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// HelmRepositoryStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the last successful HelmRepository reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// IndexationFailedReason signals that the HelmRepository index fetch
+	// failed.
+	IndexationFailedReason string = "IndexationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in HelmRepository) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *HelmRepository) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be
+// reconciled again.
+func (in HelmRepository) GetRequeueAfter() time.Duration {
+	if in.Spec.Interval.Duration != 0 {
+		return in.Spec.Interval.Duration
+	}
+	return time.Minute
+}
+
+// GetTimeout returns the timeout duration used for various operations related
+// to this HelmRepository.
+func (in HelmRepository) GetTimeout() time.Duration {
+	if in.Spec.Timeout != nil {
+		return in.Spec.Timeout.Duration
+	}
+	return time.Minute
+}
+
+// GetArtifact returns the latest artifact from the source if present in the
+// status sub-resource.
+func (in *HelmRepository) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=helmrepo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// HelmRepository is the Schema for the helmrepositories API.
+type HelmRepository struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HelmRepositorySpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status HelmRepositoryStatus `json:"status,omitempty"`
+}
+
+// HelmRepositoryList contains a list of HelmRepository objects.
+// +kubebuilder:object:root=true
+type HelmRepositoryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HelmRepository `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&HelmRepository{}, &HelmRepositoryList{})
+}

api/v1/ocirepository_types.go

@@ -0,0 +1,296 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// OCIRepositoryKind is the string representation of an OCIRepository.
+	OCIRepositoryKind = "OCIRepository"
+
+	// OCIRepositoryPrefix is the prefix used for OCIRepository URLs.
+	OCIRepositoryPrefix = "oci://"
+
+	// GenericOCIProvider provides support for authentication using static credentials
+	// for any OCI compatible API such as Docker Registry, GitHub Container Registry,
+	// Docker Hub, Quay, etc.
+	GenericOCIProvider string = "generic"
+
+	// AmazonOCIProvider provides support for OCI authentication using AWS IRSA.
+	AmazonOCIProvider string = "aws"
+
+	// GoogleOCIProvider provides support for OCI authentication using GCP workload identity.
+	GoogleOCIProvider string = "gcp"
+
+	// AzureOCIProvider provides support for OCI authentication using a Azure Service Principal,
+	// Managed Identity or Shared Key.
+	AzureOCIProvider string = "azure"
+
+	// OCILayerExtract defines the operation type for extracting the content from an OCI artifact layer.
+	OCILayerExtract = "extract"
+
+	// OCILayerCopy defines the operation type for copying the content from an OCI artifact layer.
+	OCILayerCopy = "copy"
+)
+
+// OCIRepositorySpec defines the desired state of OCIRepository
+type OCIRepositorySpec struct {
+	// URL is a reference to an OCI artifact repository hosted
+	// on a remote container registry.
+	// +kubebuilder:validation:Pattern="^oci://.*$"
+	// +required
+	URL string `json:"url"`
+
+	// The OCI reference to pull and monitor for changes,
+	// defaults to the latest tag.
+	// +optional
+	Reference *OCIRepositoryRef `json:"ref,omitempty"`
+
+	// LayerSelector specifies which layer should be extracted from the OCI artifact.
+	// When not specified, the first layer found in the artifact is selected.
+	// +optional
+	LayerSelector *OCILayerSelector `json:"layerSelector,omitempty"`
+
+	// The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;aws;azure;gcp
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// SecretRef contains the secret name containing the registry login
+	// credentials to resolve image metadata.
+	// The secret must be of type kubernetes.io/dockerconfigjson.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// +optional
+	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+	// the image pull if the service account has attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the container registry.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The timeout for remote OCI Repository operations like pulling, defaults to 60s.
+	// +kubebuilder:default="60s"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Ignore overrides the set of excluded patterns in the .sourceignore format
+	// (which is the same as .gitignore). If not provided, a default will be used,
+	// consult the documentation for your version to find out what those are.
+	// +optional
+	Ignore *string `json:"ignore,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// This flag tells the controller to suspend the reconciliation of this source.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+}
+
+// OCIRepositoryRef defines the image reference for the OCIRepository's URL
+type OCIRepositoryRef struct {
+	// Digest is the image digest to pull, takes precedence over SemVer.
+	// The value should be in the format 'sha256:<HASH>'.
+	// +optional
+	Digest string `json:"digest,omitempty"`
+
+	// SemVer is the range of tags to pull selecting the latest within
+	// the range, takes precedence over Tag.
+	// +optional
+	SemVer string `json:"semver,omitempty"`
+
+	// SemverFilter is a regex pattern to filter the tags within the SemVer range.
+	// +optional
+	SemverFilter string `json:"semverFilter,omitempty"`
+
+	// Tag is the image tag to pull, defaults to latest.
+	// +optional
+	Tag string `json:"tag,omitempty"`
+}
+
+// OCILayerSelector specifies which layer should be extracted from an OCI Artifact
+type OCILayerSelector struct {
+	// MediaType specifies the OCI media type of the layer
+	// which should be extracted from the OCI Artifact. The
+	// first layer matching this type is selected.
+	// +optional
+	MediaType string `json:"mediaType,omitempty"`
+
+	// Operation specifies how the selected layer should be processed.
+	// By default, the layer compressed content is extracted to storage.
+	// When the operation is set to 'copy', the layer compressed content
+	// is persisted to storage as it is.
+	// +kubebuilder:validation:Enum=extract;copy
+	// +optional
+	Operation string `json:"operation,omitempty"`
+}
+
+// OCIRepositoryStatus defines the observed state of OCIRepository
+type OCIRepositoryStatus struct {
+	// ObservedGeneration is the last observed generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the OCIRepository.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the download link for the artifact output of the last OCI Repository sync.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the output of the last successful OCI Repository sync.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	// ObservedIgnore is the observed exclusion patterns used for constructing
+	// the source artifact.
+	// +optional
+	ObservedIgnore *string `json:"observedIgnore,omitempty"`
+
+	// ObservedLayerSelector is the observed layer selector used for constructing
+	// the source artifact.
+	// +optional
+	ObservedLayerSelector *OCILayerSelector `json:"observedLayerSelector,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// OCIPullFailedReason signals that a pull operation failed.
+	OCIPullFailedReason string = "OCIArtifactPullFailed"
+
+	// OCILayerOperationFailedReason signals that an OCI layer operation failed.
+	OCILayerOperationFailedReason string = "OCIArtifactLayerOperationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in OCIRepository) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *OCIRepository) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the OCIRepository must be
+// reconciled again.
+func (in OCIRepository) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest Artifact from the OCIRepository if present in
+// the status sub-resource.
+func (in *OCIRepository) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// GetLayerMediaType returns the media type layer selector if found in spec.
+func (in *OCIRepository) GetLayerMediaType() string {
+	if in.Spec.LayerSelector == nil {
+		return ""
+	}
+
+	return in.Spec.LayerSelector.MediaType
+}
+
+// GetLayerOperation returns the layer selector operation (defaults to extract).
+func (in *OCIRepository) GetLayerOperation() string {
+	if in.Spec.LayerSelector == nil || in.Spec.LayerSelector.Operation == "" {
+		return OCILayerExtract
+	}
+
+	return in.Spec.LayerSelector.Operation
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ocirepo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+
+// OCIRepository is the Schema for the ocirepositories API
+type OCIRepository struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec OCIRepositorySpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status OCIRepositoryStatus `json:"status,omitempty"`
+}
+
+// OCIRepositoryList contains a list of OCIRepository
+// +kubebuilder:object:root=true
+type OCIRepositoryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OCIRepository `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OCIRepository{}, &OCIRepositoryList{})
+}

api/v1/ociverification_types.go

@@ -0,0 +1,56 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+// OCIRepositoryVerification verifies the authenticity of an OCI Artifact
+type OCIRepositoryVerification struct {
+	// Provider specifies the technology used to sign the OCI Artifact.
+	// +kubebuilder:validation:Enum=cosign;notation
+	// +kubebuilder:default:=cosign
+	Provider string `json:"provider"`
+
+	// SecretRef specifies the Kubernetes Secret containing the
+	// trusted public keys.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// MatchOIDCIdentity specifies the identity matching criteria to use
+	// while verifying an OCI artifact which was signed using Cosign keyless
+	// signing. The artifact's identity is deemed to be verified if any of the
+	// specified matchers match against the identity.
+	// +optional
+	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
+}
+
+// OIDCIdentityMatch specifies options for verifying the certificate identity,
+// i.e. the issuer and the subject of the certificate.
+type OIDCIdentityMatch struct {
+	// Issuer specifies the regex pattern to match against to verify
+	// the OIDC issuer in the Fulcio certificate. The pattern must be a
+	// valid Go regular expression.
+	// +required
+	Issuer string `json:"issuer"`
+	// Subject specifies the regex pattern to match against to verify
+	// the identity subject in the Fulcio certificate. The pattern must
+	// be a valid Go regular expression.
+	// +required
+	Subject string `json:"subject"`
+}

api/v1/source.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	// SourceIndexKey is the key used for indexing objects based on their
+	// referenced Source.
+	SourceIndexKey string = ".metadata.source"
+)
+
+// Source interface must be supported by all API types.
+// Source is the interface that provides generic access to the Artifact and
+// interval. It must be supported by all kinds of the source.toolkit.fluxcd.io
+// API group.
+//
+// +k8s:deepcopy-gen=false
+type Source interface {
+	runtime.Object
+	// GetRequeueAfter returns the duration after which the source must be
+	// reconciled again.
+	GetRequeueAfter() time.Duration
+	// GetArtifact returns the latest artifact from the source if present in
+	// the status sub-resource.
+	GetArtifact() *Artifact
+}

api/v1/sts_types.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+const (
+	// STSProviderAmazon represents the AWS provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an AWS STS endpoint.
+	STSProviderAmazon string = "aws"
+	// STSProviderLDAP represents the LDAP provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an LDAP endpoint.
+	STSProviderLDAP string = "ldap"
+)

api/v1/zz_generated.deepcopy.go

@@ -0,0 +1,920 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"github.com/fluxcd/pkg/apis/acl"
+	"github.com/fluxcd/pkg/apis/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Artifact) DeepCopyInto(out *Artifact) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(int64)
+		**out = **in
+	}
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Artifact.
+func (in *Artifact) DeepCopy() *Artifact {
+	if in == nil {
+		return nil
+	}
+	out := new(Artifact)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Bucket) DeepCopyInto(out *Bucket) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Bucket.
+func (in *Bucket) DeepCopy() *Bucket {
+	if in == nil {
+		return nil
+	}
+	out := new(Bucket)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Bucket) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketList) DeepCopyInto(out *BucketList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Bucket, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketList.
+func (in *BucketList) DeepCopy() *BucketList {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BucketList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSTSSpec) DeepCopyInto(out *BucketSTSSpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSTSSpec.
+func (in *BucketSTSSpec) DeepCopy() *BucketSTSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSTSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+	*out = *in
+	if in.STS != nil {
+		in, out := &in.STS, &out.STS
+		*out = new(BucketSTSSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Ignore != nil {
+		in, out := &in.Ignore, &out.Ignore
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSpec.
+func (in *BucketSpec) DeepCopy() *BucketSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketStatus) DeepCopyInto(out *BucketStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ObservedIgnore != nil {
+		in, out := &in.ObservedIgnore, &out.ObservedIgnore
+		*out = new(string)
+		**out = **in
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketStatus.
+func (in *BucketStatus) DeepCopy() *BucketStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepository) DeepCopyInto(out *GitRepository) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepository.
+func (in *GitRepository) DeepCopy() *GitRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *GitRepository) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryInclude) DeepCopyInto(out *GitRepositoryInclude) {
+	*out = *in
+	out.GitRepositoryRef = in.GitRepositoryRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryInclude.
+func (in *GitRepositoryInclude) DeepCopy() *GitRepositoryInclude {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryInclude)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryList) DeepCopyInto(out *GitRepositoryList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]GitRepository, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryList.
+func (in *GitRepositoryList) DeepCopy() *GitRepositoryList {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *GitRepositoryList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryRef) DeepCopyInto(out *GitRepositoryRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryRef.
+func (in *GitRepositoryRef) DeepCopy() *GitRepositoryRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Reference != nil {
+		in, out := &in.Reference, &out.Reference
+		*out = new(GitRepositoryRef)
+		**out = **in
+	}
+	if in.Verification != nil {
+		in, out := &in.Verification, &out.Verification
+		*out = new(GitRepositoryVerification)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.Ignore != nil {
+		in, out := &in.Ignore, &out.Ignore
+		*out = new(string)
+		**out = **in
+	}
+	if in.Include != nil {
+		in, out := &in.Include, &out.Include
+		*out = make([]GitRepositoryInclude, len(*in))
+		copy(*out, *in)
+	}
+	if in.SparseCheckout != nil {
+		in, out := &in.SparseCheckout, &out.SparseCheckout
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositorySpec.
+func (in *GitRepositorySpec) DeepCopy() *GitRepositorySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositorySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryStatus) DeepCopyInto(out *GitRepositoryStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IncludedArtifacts != nil {
+		in, out := &in.IncludedArtifacts, &out.IncludedArtifacts
+		*out = make([]*Artifact, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(Artifact)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
+	if in.ObservedIgnore != nil {
+		in, out := &in.ObservedIgnore, &out.ObservedIgnore
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObservedInclude != nil {
+		in, out := &in.ObservedInclude, &out.ObservedInclude
+		*out = make([]GitRepositoryInclude, len(*in))
+		copy(*out, *in)
+	}
+	if in.ObservedSparseCheckout != nil {
+		in, out := &in.ObservedSparseCheckout, &out.ObservedSparseCheckout
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SourceVerificationMode != nil {
+		in, out := &in.SourceVerificationMode, &out.SourceVerificationMode
+		*out = new(GitVerificationMode)
+		**out = **in
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryStatus.
+func (in *GitRepositoryStatus) DeepCopy() *GitRepositoryStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryVerification) DeepCopyInto(out *GitRepositoryVerification) {
+	*out = *in
+	out.SecretRef = in.SecretRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryVerification.
+func (in *GitRepositoryVerification) DeepCopy() *GitRepositoryVerification {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryVerification)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChart) DeepCopyInto(out *HelmChart) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChart.
+func (in *HelmChart) DeepCopy() *HelmChart {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChart)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmChart) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartList) DeepCopyInto(out *HelmChartList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HelmChart, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartList.
+func (in *HelmChartList) DeepCopy() *HelmChartList {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmChartList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartSpec) DeepCopyInto(out *HelmChartSpec) {
+	*out = *in
+	out.SourceRef = in.SourceRef
+	out.Interval = in.Interval
+	if in.ValuesFiles != nil {
+		in, out := &in.ValuesFiles, &out.ValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Verify != nil {
+		in, out := &in.Verify, &out.Verify
+		*out = new(OCIRepositoryVerification)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartSpec.
+func (in *HelmChartSpec) DeepCopy() *HelmChartSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartStatus) DeepCopyInto(out *HelmChartStatus) {
+	*out = *in
+	if in.ObservedValuesFiles != nil {
+		in, out := &in.ObservedValuesFiles, &out.ObservedValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartStatus.
+func (in *HelmChartStatus) DeepCopy() *HelmChartStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepository) DeepCopyInto(out *HelmRepository) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepository.
+func (in *HelmRepository) DeepCopy() *HelmRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmRepository) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositoryList) DeepCopyInto(out *HelmRepositoryList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HelmRepository, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositoryList.
+func (in *HelmRepositoryList) DeepCopy() *HelmRepositoryList {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositoryList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmRepositoryList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.AccessFrom != nil {
+		in, out := &in.AccessFrom, &out.AccessFrom
+		*out = new(acl.AccessFrom)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositorySpec.
+func (in *HelmRepositorySpec) DeepCopy() *HelmRepositorySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositorySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositoryStatus) DeepCopyInto(out *HelmRepositoryStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositoryStatus.
+func (in *HelmRepositoryStatus) DeepCopy() *HelmRepositoryStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositoryStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalHelmChartSourceReference) DeepCopyInto(out *LocalHelmChartSourceReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalHelmChartSourceReference.
+func (in *LocalHelmChartSourceReference) DeepCopy() *LocalHelmChartSourceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalHelmChartSourceReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCILayerSelector) DeepCopyInto(out *OCILayerSelector) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCILayerSelector.
+func (in *OCILayerSelector) DeepCopy() *OCILayerSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(OCILayerSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepository) DeepCopyInto(out *OCIRepository) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepository.
+func (in *OCIRepository) DeepCopy() *OCIRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OCIRepository) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryList) DeepCopyInto(out *OCIRepositoryList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OCIRepository, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryList.
+func (in *OCIRepositoryList) DeepCopy() *OCIRepositoryList {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OCIRepositoryList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryRef) DeepCopyInto(out *OCIRepositoryRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryRef.
+func (in *OCIRepositoryRef) DeepCopy() *OCIRepositoryRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
+	*out = *in
+	if in.Reference != nil {
+		in, out := &in.Reference, &out.Reference
+		*out = new(OCIRepositoryRef)
+		**out = **in
+	}
+	if in.LayerSelector != nil {
+		in, out := &in.LayerSelector, &out.LayerSelector
+		*out = new(OCILayerSelector)
+		**out = **in
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.Verify != nil {
+		in, out := &in.Verify, &out.Verify
+		*out = new(OCIRepositoryVerification)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Ignore != nil {
+		in, out := &in.Ignore, &out.Ignore
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositorySpec.
+func (in *OCIRepositorySpec) DeepCopy() *OCIRepositorySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositorySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryStatus) DeepCopyInto(out *OCIRepositoryStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ObservedIgnore != nil {
+		in, out := &in.ObservedIgnore, &out.ObservedIgnore
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObservedLayerSelector != nil {
+		in, out := &in.ObservedLayerSelector, &out.ObservedLayerSelector
+		*out = new(OCILayerSelector)
+		**out = **in
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryStatus.
+func (in *OCIRepositoryStatus) DeepCopy() *OCIRepositoryStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.MatchOIDCIdentity != nil {
+		in, out := &in.MatchOIDCIdentity, &out.MatchOIDCIdentity
+		*out = make([]OIDCIdentityMatch, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryVerification.
+func (in *OCIRepositoryVerification) DeepCopy() *OCIRepositoryVerification {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryVerification)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityMatch) DeepCopyInto(out *OIDCIdentityMatch) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityMatch.
+func (in *OIDCIdentityMatch) DeepCopy() *OIDCIdentityMatch {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityMatch)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1beta1/bucket_types.go

@@ -193,9 +193,9 @@ func (in *Bucket) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 Bucket is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta1/gitrepository_types.go

@@ -265,10 +265,10 @@ func (in *GitRepository) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=gitrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 GitRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta1/helmchart_types.go

@@ -231,10 +231,10 @@ func (in *HelmChart) GetValuesFiles() []string {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=hc
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 HelmChart is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
 // +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
 // +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`

api/v1beta1/helmrepository_types.go

@@ -43,7 +43,7 @@ type HelmRepositorySpec struct {
 	// For HTTP/S basic auth the secret must contain username and
 	// password fields.
 	// For TLS the secret must contain a certFile and keyFile, and/or
-	// caCert fields.
+	// caFile fields.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
@@ -181,10 +181,10 @@ func (in *HelmRepository) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=helmrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 HelmRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta1/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2022 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

api/v1beta2/artifact_types.go

@@ -18,12 +18,16 @@ package v1beta2
 
 import (
 	"path"
+	"regexp"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // Artifact represents the output of a Source reconciliation.
+//
+// Deprecated: use Artifact from api/v1 instead. This type will be removed in
+// a future release.
 type Artifact struct {
 	// Path is the relative file path of the Artifact. It can be used to locate
 	// the file in the root of the Artifact storage on the local file system of
@@ -43,8 +47,14 @@ type Artifact struct {
 	Revision string `json:"revision"`
 
 	// Checksum is the SHA256 checksum of the Artifact file.
+	// Deprecated: use Artifact.Digest instead.
 	// +optional
-	Checksum string `json:"checksum"`
+	Checksum string `json:"checksum,omitempty"`
+
+	// Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+	// +optional
+	// +kubebuilder:validation:Pattern="^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$"
+	Digest string `json:"digest,omitempty"`
 
 	// LastUpdateTime is the timestamp corresponding to the last update of the
 	// Artifact.
@@ -66,7 +76,7 @@ func (in *Artifact) HasRevision(revision string) bool {
 	if in == nil {
 		return false
 	}
-	return in.Revision == revision
+	return TransformLegacyRevision(in.Revision) == TransformLegacyRevision(revision)
 }
 
 // HasChecksum returns if the given checksum matches the current Checksum of
@@ -90,3 +100,60 @@ func ArtifactDir(kind, namespace, name string) string {
 func ArtifactPath(kind, namespace, name, filename string) string {
 	return path.Join(ArtifactDir(kind, namespace, name), filename)
 }
+
+// TransformLegacyRevision transforms a "legacy" revision string into a "new"
+// revision string. It accepts the following formats:
+//
+//   - main/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - feature/branch/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - HEAD/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - tag/55609ff9d959589ed917ce32e6bc0f0a36809565f308602c15c3668965979edc
+//   - d52bde83c5b2bd0fa7910264e0afc3ac9cfe9b6636ca29c05c09742f01d5a4bd
+//
+// Which are transformed into the following formats respectively:
+//
+//   - main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - tag@sha256:55609ff9d959589ed917ce32e6bc0f0a36809565f308602c15c3668965979edc
+//   - sha256:d52bde83c5b2bd0fa7910264e0afc3ac9cfe9b6636ca29c05c09742f01d5a4bd
+//
+// Deprecated, this function exists for backwards compatibility with existing
+// resources, and to provide a transition period. Will be removed in a future
+// release.
+func TransformLegacyRevision(rev string) string {
+	if rev != "" && strings.LastIndex(rev, ":") == -1 {
+		if i := strings.LastIndex(rev, "/"); i >= 0 {
+			sha := rev[i+1:]
+			if algo := determineSHAType(sha); algo != "" {
+				if name := rev[:i]; name != "HEAD" {
+					return name + "@" + algo + ":" + sha
+				}
+				return algo + ":" + sha
+			}
+		}
+		if algo := determineSHAType(rev); algo != "" {
+			return algo + ":" + rev
+		}
+	}
+	return rev
+}
+
+// isAlphaNumHex returns true if the given string only contains 0-9 and a-f
+// characters.
+var isAlphaNumHex = regexp.MustCompile(`^[0-9a-f]+$`).MatchString
+
+// determineSHAType returns the SHA algorithm used to compute the provided hex.
+// The determination is heuristic and based on the length of the hex string. If
+// the size is not recognized, an empty string is returned.
+func determineSHAType(hex string) string {
+	if isAlphaNumHex(hex) {
+		switch len(hex) {
+		case 40:
+			return "sha1"
+		case 64:
+			return "sha256"
+		}
+	}
+	return ""
+}

api/v1beta2/artifact_types_test.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import "testing"
+
+func TestTransformLegacyRevision(t *testing.T) {
+	tests := []struct {
+		rev  string
+		want string
+	}{
+		{
+			rev:  "HEAD/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "main/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "feature/branch/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "5ac85ca617f3774baff4ae0a420b810b2546dbc9af9f346b1d55c5ed9873c55c",
+			want: "sha256:5ac85ca617f3774baff4ae0a420b810b2546dbc9af9f346b1d55c5ed9873c55c",
+		},
+		{
+			rev:  "v1.0.0",
+			want: "v1.0.0",
+		},
+		{
+			rev:  "v1.0.0-rc1",
+			want: "v1.0.0-rc1",
+		},
+		{
+			rev:  "v1.0.0-rc1+metadata",
+			want: "v1.0.0-rc1+metadata",
+		},
+		{
+			rev:  "arbitrary/revision",
+			want: "arbitrary/revision",
+		},
+		{
+			rev:  "5394cb7f48332b2de7c17dd8b8384bbc84b7xxxx",
+			want: "5394cb7f48332b2de7c17dd8b8384bbc84b7xxxx",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.rev, func(t *testing.T) {
+			if got := TransformLegacyRevision(tt.rev); got != tt.want {
+				t.Errorf("TransformLegacyRevision() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

api/v1beta2/bucket_types.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 const (
@@ -31,22 +33,48 @@ const (
 )
 
 const (
+	// BucketProviderGeneric for any S3 API compatible storage Bucket.
+	BucketProviderGeneric string = apiv1.BucketProviderGeneric
+	// BucketProviderAmazon for an AWS S3 object storage Bucket.
+	// Provides support for retrieving credentials from the AWS EC2 service.
+	BucketProviderAmazon string = apiv1.BucketProviderAmazon
+	// BucketProviderGoogle for a Google Cloud Storage Bucket.
+	// Provides support for authentication using a workload identity.
+	BucketProviderGoogle string = apiv1.BucketProviderGoogle
+	// BucketProviderAzure for an Azure Blob Storage Bucket.
+	// Provides support for authentication using a Service Principal,
+	// Managed Identity or Shared Key.
+	BucketProviderAzure string = apiv1.BucketProviderAzure
+
 	// GenericBucketProvider for any S3 API compatible storage Bucket.
-	GenericBucketProvider string = "generic"
+	//
+	// Deprecated: use BucketProviderGeneric.
+	GenericBucketProvider string = apiv1.BucketProviderGeneric
 	// AmazonBucketProvider for an AWS S3 object storage Bucket.
 	// Provides support for retrieving credentials from the AWS EC2 service.
-	AmazonBucketProvider string = "aws"
+	//
+	// Deprecated: use BucketProviderAmazon.
+	AmazonBucketProvider string = apiv1.BucketProviderAmazon
 	// GoogleBucketProvider for a Google Cloud Storage Bucket.
 	// Provides support for authentication using a workload identity.
-	GoogleBucketProvider string = "gcp"
+	//
+	// Deprecated: use BucketProviderGoogle.
+	GoogleBucketProvider string = apiv1.BucketProviderGoogle
 	// AzureBucketProvider for an Azure Blob Storage Bucket.
 	// Provides support for authentication using a Service Principal,
 	// Managed Identity or Shared Key.
-	AzureBucketProvider string = "azure"
+	//
+	// Deprecated: use BucketProviderAzure.
+	AzureBucketProvider string = apiv1.BucketProviderAzure
 )
 
 // BucketSpec specifies the required configuration to produce an Artifact for
 // an object storage bucket.
+// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)", message="STS configuration is only supported for the 'aws' and 'generic' Bucket providers"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
 type BucketSpec struct {
 	// Provider of the object storage bucket.
 	// Defaults to 'generic', which expects an S3 (API) compatible object
@@ -64,6 +92,14 @@ type BucketSpec struct {
 	// +required
 	Endpoint string `json:"endpoint"`
 
+	// STS specifies the required configuration to use a Security Token
+	// Service for fetching temporary credentials to authenticate in a
+	// Bucket provider.
+	//
+	// This field is only supported for the `aws` and `generic` providers.
+	// +optional
+	STS *BucketSTSSpec `json:"sts,omitempty"`
+
 	// Insecure allows connecting to a non-TLS HTTP Endpoint.
 	// +optional
 	Insecure bool `json:"insecure,omitempty"`
@@ -72,12 +108,40 @@ type BucketSpec struct {
 	// +optional
 	Region string `json:"region,omitempty"`
 
+	// Prefix to use for server-side filtering of files in the Bucket.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
+
 	// SecretRef specifies the Secret containing authentication credentials
 	// for the Bucket.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// Interval at which to check the Endpoint for updates.
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// bucket. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `generic` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Bucket server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -108,6 +172,45 @@ type BucketSpec struct {
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
+// BucketSTSSpec specifies the required configuration to use a Security Token
+// Service for fetching temporary credentials to authenticate in a Bucket
+// provider.
+type BucketSTSSpec struct {
+	// Provider of the Security Token Service.
+	// +kubebuilder:validation:Enum=aws;ldap
+	// +required
+	Provider string `json:"provider"`
+
+	// Endpoint is the HTTP/S endpoint of the Security Token Service from
+	// where temporary credentials will be fetched.
+	// +required
+	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
+	Endpoint string `json:"endpoint"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the STS endpoint. This Secret must contain the fields `username`
+	// and `password` and is supported only for the `ldap` provider.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// STS endpoint. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `ldap` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+}
+
 // BucketStatus records the observed state of a Bucket.
 type BucketStatus struct {
 	// ObservedGeneration is the last observed generation of the Bucket object.
@@ -126,7 +229,7 @@ type BucketStatus struct {
 
 	// Artifact represents the last successful Bucket reconciliation.
 	// +optional
-	Artifact *Artifact `json:"artifact,omitempty"`
+	Artifact *apiv1.Artifact `json:"artifact,omitempty"`
 
 	// ObservedIgnore is the observed exclusion patterns used for constructing
 	// the source artifact.
@@ -162,15 +265,14 @@ func (in Bucket) GetRequeueAfter() time.Duration {
 }
 
 // GetArtifact returns the latest artifact from the source if present in the status sub-resource.
-func (in *Bucket) GetArtifact() *Artifact {
+func (in *Bucket) GetArtifact() *apiv1.Artifact {
 	return in.Status.Artifact
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 Bucket is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""

api/v1beta2/gitrepository_types.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 const (
@@ -55,7 +57,7 @@ type GitRepositorySpec struct {
 	// SecretRef specifies the Secret containing authentication credentials for
 	// the GitRepository.
 	// For HTTPS repositories the Secret must contain 'username' and 'password'
-	// fields.
+	// fields for basic auth or 'bearerToken' field for token auth.
 	// For SSH repositories the Secret must contain 'identity'
 	// and 'known_hosts' fields.
 	// +optional
@@ -106,7 +108,6 @@ type GitRepositorySpec struct {
 
 	// RecurseSubmodules enables the initialization of all submodules within
 	// the GitRepository as cloned from the URL, using their default settings.
-	// This option is available only when using the 'go-git' GitImplementation.
 	// +optional
 	RecurseSubmodules bool `json:"recurseSubmodules,omitempty"`
 
@@ -156,9 +157,6 @@ func (in *GitRepositoryInclude) GetToPath() string {
 // GitRepositoryRef specifies the Git reference to resolve and checkout.
 type GitRepositoryRef struct {
 	// Branch to check out, defaults to 'master' if no other field is defined.
-	//
-	// When GitRepositorySpec.GitImplementation is set to 'go-git', a shallow
-	// clone of the specified branch is performed.
 	// +optional
 	Branch string `json:"branch,omitempty"`
 
@@ -170,11 +168,17 @@ type GitRepositoryRef struct {
 	// +optional
 	SemVer string `json:"semver,omitempty"`
 
+	// Name of the reference to check out; takes precedence over Branch, Tag and SemVer.
+	//
+	// It must be a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description
+	// Examples: "refs/heads/main", "refs/tags/v0.1.0", "refs/pull/420/head", "refs/merge-requests/1/head"
+	// +optional
+	Name string `json:"name,omitempty"`
+
 	// Commit SHA to check out, takes precedence over all reference fields.
 	//
-	// When GitRepositorySpec.GitImplementation is set to 'go-git', this can be
-	// combined with Branch to shallow clone the branch, in which the commit is
-	// expected to exist.
+	// This can be combined with Branch to shallow clone the branch, in which
+	// the commit is expected to exist.
 	// +optional
 	Commit string `json:"commit,omitempty"`
 }
@@ -188,7 +192,7 @@ type GitRepositoryVerification struct {
 
 	// SecretRef specifies the Secret containing the public keys of trusted Git
 	// authors.
-	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+	SecretRef meta.LocalObjectReference `json:"secretRef"`
 }
 
 // GitRepositoryStatus records the observed state of a Git repository.
@@ -210,12 +214,12 @@ type GitRepositoryStatus struct {
 
 	// Artifact represents the last successful GitRepository reconciliation.
 	// +optional
-	Artifact *Artifact `json:"artifact,omitempty"`
+	Artifact *apiv1.Artifact `json:"artifact,omitempty"`
 
 	// IncludedArtifacts contains a list of the last successfully included
 	// Artifacts as instructed by GitRepositorySpec.Include.
 	// +optional
-	IncludedArtifacts []*Artifact `json:"includedArtifacts,omitempty"`
+	IncludedArtifacts []*apiv1.Artifact `json:"includedArtifacts,omitempty"`
 
 	// ContentConfigChecksum is a checksum of all the configurations related to
 	// the content of the source artifact:
@@ -278,16 +282,15 @@ func (in GitRepository) GetRequeueAfter() time.Duration {
 
 // GetArtifact returns the latest Artifact from the GitRepository if present in
 // the status sub-resource.
-func (in *GitRepository) GetArtifact() *Artifact {
+func (in *GitRepository) GetArtifact() *apiv1.Artifact {
 	return in.Status.Artifact
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=gitrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 GitRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""

api/v1beta2/helmchart_types.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 // HelmChartKind is the string representation of a HelmChart.
@@ -45,7 +47,9 @@ type HelmChartSpec struct {
 	// +required
 	SourceRef LocalHelmChartSourceReference `json:"sourceRef"`
 
-	// Interval is the interval at which to check the Source for updates.
+	// Interval at which the HelmChart SourceRef is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -76,6 +80,11 @@ type HelmChartSpec struct {
 	// +deprecated
 	ValuesFile string `json:"valuesFile,omitempty"`
 
+	// IgnoreMissingValuesFiles controls whether to silently ignore missing values
+	// files rather than failing.
+	// +optional
+	IgnoreMissingValuesFiles bool `json:"ignoreMissingValuesFiles,omitempty"`
+
 	// Suspend tells the controller to suspend the reconciliation of this
 	// source.
 	// +optional
@@ -93,7 +102,7 @@ type HelmChartSpec struct {
 	// This field is only supported when using HelmRepository source with spec.type 'oci'.
 	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
 	// +optional
-	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+	Verify *apiv1.OCIRepositoryVerification `json:"verify,omitempty"`
 }
 
 const (
@@ -139,6 +148,12 @@ type HelmChartStatus struct {
 	// +optional
 	ObservedChartName string `json:"observedChartName,omitempty"`
 
+	// ObservedValuesFiles are the observed value files of the last successful
+	// reconciliation.
+	// It matches the chart in the last successfully reconciled artifact.
+	// +optional
+	ObservedValuesFiles []string `json:"observedValuesFiles,omitempty"`
+
 	// Conditions holds the conditions for the HelmChart.
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
@@ -151,7 +166,7 @@ type HelmChartStatus struct {
 
 	// Artifact represents the output of the last successful reconciliation.
 	// +optional
-	Artifact *Artifact `json:"artifact,omitempty"`
+	Artifact *apiv1.Artifact `json:"artifact,omitempty"`
 
 	meta.ReconcileRequestStatus `json:",inline"`
 }
@@ -184,7 +199,7 @@ func (in HelmChart) GetRequeueAfter() time.Duration {
 
 // GetArtifact returns the latest artifact from the source if present in the
 // status sub-resource.
-func (in *HelmChart) GetArtifact() *Artifact {
+func (in *HelmChart) GetArtifact() *apiv1.Artifact {
 	return in.Status.Artifact
 }
 
@@ -200,11 +215,10 @@ func (in *HelmChart) GetValuesFiles() []string {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=hc
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 HelmChart is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
 // +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
 // +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`

api/v1beta2/helmrepository_types.go

@@ -23,6 +23,8 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 const (
@@ -43,6 +45,7 @@ const (
 type HelmRepositorySpec struct {
 	// URL of the Helm repository, a valid URL contains at least a protocol and
 	// host.
+	// +kubebuilder:validation:Pattern="^(http|https|oci)://.*$"
 	// +required
 	URL string `json:"url"`
 
@@ -50,11 +53,29 @@ type HelmRepositorySpec struct {
 	// for the HelmRepository.
 	// For HTTP/S basic auth the secret must contain 'username' and 'password'
 	// fields.
-	// For TLS the secret must contain a 'certFile' and 'keyFile', and/or
-	// 'caCert' fields.
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// It takes precedence over the values specified in the Secret referred
+	// to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
 	// PassCredentials allows the credentials from the SecretRef to be passed
 	// on to a host that does not match the host as defined in URL.
 	// This may be required if the host of the advertised chart URLs in the
@@ -64,16 +85,23 @@ type HelmRepositorySpec struct {
 	// +optional
 	PassCredentials bool `json:"passCredentials,omitempty"`
 
-	// Interval at which to check the URL for updates.
+	// Interval at which the HelmRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	// +required
-	Interval metav1.Duration `json:"interval"`
+	// +optional
+	Interval metav1.Duration `json:"interval,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// This field is only taken into account if the .spec.type field is set to 'oci'.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
 
 	// Timeout is used for the index fetch operation for an HTTPS helm repository,
-	// and for remote OCI Repository operations like pulling for an OCI helm repository.
+	// and for remote OCI Repository operations like pulling for an OCI helm
+	// chart by the associated HelmChart.
 	// Its default value is 60s.
-	// +kubebuilder:default:="60s"
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
 	// +optional
@@ -124,7 +152,7 @@ type HelmRepositoryStatus struct {
 
 	// Artifact represents the last successful HelmRepository reconciliation.
 	// +optional
-	Artifact *Artifact `json:"artifact,omitempty"`
+	Artifact *apiv1.Artifact `json:"artifact,omitempty"`
 
 	meta.ReconcileRequestStatus `json:",inline"`
 }
@@ -148,21 +176,32 @@ func (in *HelmRepository) SetConditions(conditions []metav1.Condition) {
 // GetRequeueAfter returns the duration after which the source must be
 // reconciled again.
 func (in HelmRepository) GetRequeueAfter() time.Duration {
-	return in.Spec.Interval.Duration
+	if in.Spec.Interval.Duration != 0 {
+		return in.Spec.Interval.Duration
+	}
+	return time.Minute
+}
+
+// GetTimeout returns the timeout duration used for various operations related
+// to this HelmRepository.
+func (in HelmRepository) GetTimeout() time.Duration {
+	if in.Spec.Timeout != nil {
+		return in.Spec.Timeout.Duration
+	}
+	return time.Minute
 }
 
 // GetArtifact returns the latest artifact from the source if present in the
 // status sub-resource.
-func (in *HelmRepository) GetArtifact() *Artifact {
+func (in *HelmRepository) GetArtifact() *apiv1.Artifact {
 	return in.Status.Artifact
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=helmrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 HelmRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""

api/v1beta2/ocirepository_types.go

@@ -22,6 +22,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/fluxcd/pkg/apis/meta"
+
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
 const (
@@ -88,7 +90,7 @@ type OCIRepositorySpec struct {
 	// used to verify the signature and specifies which provider to use to check
 	// whether OCI image is authentic.
 	// +optional
-	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+	Verify *apiv1.OCIRepositoryVerification `json:"verify,omitempty"`
 
 	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
 	// the image pull if the service account has attached pull secrets. For more information:
@@ -96,21 +98,32 @@ type OCIRepositorySpec struct {
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
-	// CertSecretRef can be given the name of a secret containing
+	// CertSecretRef can be given the name of a Secret containing
 	// either or both of
 	//
-	//  - a PEM-encoded client certificate (`certFile`) and private
-	//  key (`keyFile`);
-	//  - a PEM-encoded CA certificate (`caFile`)
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
 	//
-	//  and whichever are supplied, will be used for connecting to the
-	//  registry. The client cert and key are useful if you are
-	//  authenticating with a certificate; the CA cert is useful if
-	//  you are using a self-signed server certificate.
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// Note: Support for the `caFile`, `certFile` and `keyFile` keys have
+	// been deprecated.
 	// +optional
 	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
 
-	// The interval at which to check for image updates.
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the container registry.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -150,6 +163,10 @@ type OCIRepositoryRef struct {
 	// +optional
 	SemVer string `json:"semver,omitempty"`
 
+	// SemverFilter is a regex pattern to filter the tags within the SemVer range.
+	// +optional
+	SemverFilter string `json:"semverFilter,omitempty"`
+
 	// Tag is the image tag to pull, defaults to latest.
 	// +optional
 	Tag string `json:"tag,omitempty"`
@@ -172,19 +189,6 @@ type OCILayerSelector struct {
 	Operation string `json:"operation,omitempty"`
 }
 
-// OCIRepositoryVerification verifies the authenticity of an OCI Artifact
-type OCIRepositoryVerification struct {
-	// Provider specifies the technology used to sign the OCI Artifact.
-	// +kubebuilder:validation:Enum=cosign
-	// +kubebuilder:default:=cosign
-	Provider string `json:"provider"`
-
-	// SecretRef specifies the Kubernetes Secret containing the
-	// trusted public keys.
-	// +optional
-	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
-}
-
 // OCIRepositoryStatus defines the observed state of OCIRepository
 type OCIRepositoryStatus struct {
 	// ObservedGeneration is the last observed generation.
@@ -201,7 +205,7 @@ type OCIRepositoryStatus struct {
 
 	// Artifact represents the output of the last successful OCI Repository sync.
 	// +optional
-	Artifact *Artifact `json:"artifact,omitempty"`
+	Artifact *apiv1.Artifact `json:"artifact,omitempty"`
 
 	// ContentConfigChecksum is a checksum of all the configurations related to
 	// the content of the source artifact:
@@ -256,7 +260,7 @@ func (in OCIRepository) GetRequeueAfter() time.Duration {
 
 // GetArtifact returns the latest Artifact from the OCIRepository if present in
 // the status sub-resource.
-func (in *OCIRepository) GetArtifact() *Artifact {
+func (in *OCIRepository) GetArtifact() *apiv1.Artifact {
 	return in.Status.Artifact
 }
 
@@ -279,11 +283,10 @@ func (in *OCIRepository) GetLayerOperation() string {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=ocirepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 OCIRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta2/source.go

@@ -33,6 +33,9 @@ const (
 // interval. It must be supported by all kinds of the source.toolkit.fluxcd.io
 // API group.
 //
+// Deprecated: use the Source interface from api/v1 instead. This type will be
+// removed in a future release.
+//
 // +k8s:deepcopy-gen=false
 type Source interface {
 	runtime.Object

api/v1beta2/sts_types.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+const (
+	// STSProviderAmazon represents the AWS provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an AWS STS endpoint.
+	STSProviderAmazon string = "aws"
+	// STSProviderLDAP represents the LDAP provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an LDAP endpoint.
+	STSProviderLDAP string = "ldap"
+)

api/v1beta2/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2022 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,6 +23,7 @@ package v1beta2
 import (
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+	apiv1 "github.com/fluxcd/source-controller/api/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -116,13 +116,53 @@ func (in *BucketList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+func (in *BucketSTSSpec) DeepCopyInto(out *BucketSTSSpec) {
 	*out = *in
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSTSSpec.
+func (in *BucketSTSSpec) DeepCopy() *BucketSTSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSTSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+	*out = *in
+	if in.STS != nil {
+		in, out := &in.STS, &out.STS
+		*out = new(BucketSTSSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -163,7 +203,7 @@ func (in *BucketStatus) DeepCopyInto(out *BucketStatus) {
 	}
 	if in.Artifact != nil {
 		in, out := &in.Artifact, &out.Artifact
-		*out = new(Artifact)
+		*out = new(apiv1.Artifact)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.ObservedIgnore != nil {
@@ -337,16 +377,16 @@ func (in *GitRepositoryStatus) DeepCopyInto(out *GitRepositoryStatus) {
 	}
 	if in.Artifact != nil {
 		in, out := &in.Artifact, &out.Artifact
-		*out = new(Artifact)
+		*out = new(apiv1.Artifact)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.IncludedArtifacts != nil {
 		in, out := &in.IncludedArtifacts, &out.IncludedArtifacts
-		*out = make([]*Artifact, len(*in))
+		*out = make([]*apiv1.Artifact, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
 				in, out := &(*in)[i], &(*out)[i]
-				*out = new(Artifact)
+				*out = new(apiv1.Artifact)
 				(*in).DeepCopyInto(*out)
 			}
 		}
@@ -466,7 +506,7 @@ func (in *HelmChartSpec) DeepCopyInto(out *HelmChartSpec) {
 	}
 	if in.Verify != nil {
 		in, out := &in.Verify, &out.Verify
-		*out = new(OCIRepositoryVerification)
+		*out = new(apiv1.OCIRepositoryVerification)
 		(*in).DeepCopyInto(*out)
 	}
 }
@@ -484,6 +524,11 @@ func (in *HelmChartSpec) DeepCopy() *HelmChartSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HelmChartStatus) DeepCopyInto(out *HelmChartStatus) {
 	*out = *in
+	if in.ObservedValuesFiles != nil {
+		in, out := &in.ObservedValuesFiles, &out.ObservedValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
 		*out = make([]v1.Condition, len(*in))
@@ -493,7 +538,7 @@ func (in *HelmChartStatus) DeepCopyInto(out *HelmChartStatus) {
 	}
 	if in.Artifact != nil {
 		in, out := &in.Artifact, &out.Artifact
-		*out = new(Artifact)
+		*out = new(apiv1.Artifact)
 		(*in).DeepCopyInto(*out)
 	}
 	out.ReconcileRequestStatus = in.ReconcileRequestStatus
@@ -576,6 +621,11 @@ func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -611,7 +661,7 @@ func (in *HelmRepositoryStatus) DeepCopyInto(out *HelmRepositoryStatus) {
 	}
 	if in.Artifact != nil {
 		in, out := &in.Artifact, &out.Artifact
-		*out = new(Artifact)
+		*out = new(apiv1.Artifact)
 		(*in).DeepCopyInto(*out)
 	}
 	out.ReconcileRequestStatus = in.ReconcileRequestStatus
@@ -751,7 +801,7 @@ func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
 	}
 	if in.Verify != nil {
 		in, out := &in.Verify, &out.Verify
-		*out = new(OCIRepositoryVerification)
+		*out = new(apiv1.OCIRepositoryVerification)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.CertSecretRef != nil {
@@ -759,6 +809,11 @@ func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -794,7 +849,7 @@ func (in *OCIRepositoryStatus) DeepCopyInto(out *OCIRepositoryStatus) {
 	}
 	if in.Artifact != nil {
 		in, out := &in.Artifact, &out.Artifact
-		*out = new(Artifact)
+		*out = new(apiv1.Artifact)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.ObservedIgnore != nil {
@@ -819,23 +874,3 @@ func (in *OCIRepositoryStatus) DeepCopy() *OCIRepositoryStatus {
 	in.DeepCopyInto(out)
 	return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(meta.LocalObjectReference)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryVerification.
-func (in *OCIRepositoryVerification) DeepCopy() *OCIRepositoryVerification {
-	if in == nil {
-		return nil
-	}
-	out := new(OCIRepositoryVerification)
-	in.DeepCopyInto(out)
-	return out
-}

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: helmrepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -17,6 +16,308 @@ spec:
     singular: helmrepository
   scope: Namespaced
   versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.url
+      name: URL
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: HelmRepository is the Schema for the helmrepositories API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              HelmRepositorySpec specifies the required configuration to produce an
+              Artifact for a Helm repository index YAML.
+            properties:
+              accessFrom:
+                description: |-
+                  AccessFrom specifies an Access Control List for allowing cross-namespace
+                  references to this object.
+                  NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
+                properties:
+                  namespaceSelectors:
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  It takes precedence over the values specified in the Secret referred
+                  to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              insecure:
+                description: |-
+                  Insecure allows connecting to a non-TLS HTTP container registry.
+                  This field is only taken into account if the .spec.type field is set to 'oci'.
+                type: boolean
+              interval:
+                description: |-
+                  Interval at which the HelmRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              passCredentials:
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed
+                  on to a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the
+                  index differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result
+                  in credentials getting stolen in a MITM-attack.
+                type: boolean
+              provider:
+                default: generic
+                description: |-
+                  Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+                  When not specified, defaults to 'generic'.
+                enum:
+                - generic
+                - aws
+                - azure
+                - gcp
+                type: string
+              secretRef:
+                description: |-
+                  SecretRef specifies the Secret containing authentication credentials
+                  for the HelmRepository.
+                  For HTTP/S basic auth the secret must contain 'username' and 'password'
+                  fields.
+                  Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+                  keys is deprecated. Please use `.spec.certSecretRef` instead.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              suspend:
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  HelmRepository.
+                type: boolean
+              timeout:
+                description: |-
+                  Timeout is used for the index fetch operation for an HTTPS helm repository,
+                  and for remote OCI Repository operations like pulling for an OCI helm
+                  chart by the associated HelmChart.
+                  Its default value is 60s.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+              type:
+                description: |-
+                  Type of the HelmRepository.
+                  When this field is set to  "oci", the URL field value must be prefixed with "oci://".
+                enum:
+                - default
+                - oci
+                type: string
+              url:
+                description: |-
+                  URL of the Helm repository, a valid URL contains at least a protocol and
+                  host.
+                pattern: ^(http|https|oci)://.*$
+                type: string
+            required:
+            - url
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: HelmRepositoryStatus records the observed state of the HelmRepository.
+            properties:
+              artifact:
+                description: Artifact represents the last successful HelmRepository
+                  reconciliation.
+                properties:
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
+                    type: string
+                  lastUpdateTime:
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
+                    format: date-time
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Metadata holds upstream information such as OCI annotations.
+                    type: object
+                  path:
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
+                    type: string
+                  revision:
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+                    type: string
+                  size:
+                    description: Size is the number of bytes in the file.
+                    format: int64
+                    type: integer
+                  url:
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
+                    type: string
+                required:
+                - lastUpdateTime
+                - path
+                - revision
+                - url
+                type: object
+              conditions:
+                description: Conditions holds the conditions for the HelmRepository.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmRepository
+                  object.
+                format: int64
+                type: integer
+              url:
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  HelmRepositoryStatus.Artifact data is recommended.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
   - additionalPrinterColumns:
     - jsonPath: .spec.url
       name: URL
@@ -30,20 +331,27 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
+    deprecated: true
+    deprecationWarning: v1beta1 HelmRepository is deprecated, upgrade to v1
     name: v1beta1
     schema:
       openAPIV3Schema:
         description: HelmRepository is the Schema for the helmrepositories API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -55,22 +363,21 @@ spec:
                   cross-namespace references to this object.
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
@@ -81,18 +388,22 @@ spec:
                 description: The interval at which to check the upstream for updates.
                 type: string
               passCredentials:
-                description: PassCredentials allows the credentials from the SecretRef
-                  to be passed on to a host that does not match the host as defined
-                  in URL. This may be required if the host of the advertised chart
-                  URLs in the index differ from the defined URL. Enabling this should
-                  be done with caution, as it can potentially result in credentials
-                  getting stolen in a MITM-attack.
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed on to
+                  a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the index
+                  differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result in
+                  credentials getting stolen in a MITM-attack.
                 type: boolean
               secretRef:
-                description: The name of the secret containing authentication credentials
-                  for the Helm repository. For HTTP/S basic auth the secret must contain
-                  username and password fields. For TLS the secret must contain a
-                  certFile and keyFile, and/or caCert fields.
+                description: |-
+                  The name of the secret containing authentication credentials for the Helm
+                  repository.
+                  For HTTP/S basic auth the secret must contain username and
+                  password fields.
+                  For TLS the secret must contain a certFile and keyFile, and/or
+                  caFile fields.
                 properties:
                   name:
                     description: Name of the referent.
@@ -129,65 +440,60 @@ spec:
                     description: Checksum is the SHA256 checksum of the artifact.
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of this artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of this
+                      artifact.
                     format: date-time
                     type: string
                   path:
                     description: Path is the relative file path of this artifact.
                     type: string
                   revision:
-                    description: Revision is a human readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm index timestamp, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm
+                      chart version, etc.
                     type: string
                   url:
                     description: URL is the HTTP address of this artifact.
                     type: string
                 required:
+                - lastUpdateTime
                 - path
                 - url
                 type: object
               conditions:
                 description: Conditions holds the conditions for the HelmRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -202,10 +508,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -218,9 +520,10 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
                 description: ObservedGeneration is the last observed generation.
@@ -248,73 +551,114 @@ spec:
     - jsonPath: .status.conditions[?(@.type=="Ready")].message
       name: Status
       type: string
+    deprecated: true
+    deprecationWarning: v1beta2 HelmRepository is deprecated, upgrade to v1
     name: v1beta2
     schema:
       openAPIV3Schema:
         description: HelmRepository is the Schema for the helmrepositories API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
-            description: HelmRepositorySpec specifies the required configuration to
-              produce an Artifact for a Helm repository index YAML.
+            description: |-
+              HelmRepositorySpec specifies the required configuration to produce an
+              Artifact for a Helm repository index YAML.
             properties:
               accessFrom:
-                description: 'AccessFrom specifies an Access Control List for allowing
-                  cross-namespace references to this object. NOTE: Not implemented,
-                  provisional as of https://github.com/fluxcd/flux2/pull/2092'
+                description: |-
+                  AccessFrom specifies an Access Control List for allowing cross-namespace
+                  references to this object.
+                  NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
                 required:
                 - namespaceSelectors
                 type: object
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  It takes precedence over the values specified in the Secret referred
+                  to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              insecure:
+                description: |-
+                  Insecure allows connecting to a non-TLS HTTP container registry.
+                  This field is only taken into account if the .spec.type field is set to 'oci'.
+                type: boolean
               interval:
-                description: Interval at which to check the URL for updates.
+                description: |-
+                  Interval at which the HelmRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               passCredentials:
-                description: PassCredentials allows the credentials from the SecretRef
-                  to be passed on to a host that does not match the host as defined
-                  in URL. This may be required if the host of the advertised chart
-                  URLs in the index differ from the defined URL. Enabling this should
-                  be done with caution, as it can potentially result in credentials
-                  getting stolen in a MITM-attack.
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed
+                  on to a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the
+                  index differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result
+                  in credentials getting stolen in a MITM-attack.
                 type: boolean
               provider:
                 default: generic
-                description: Provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. This field is optional, and only taken into
-                  account if the .spec.type field is set to 'oci'. When not specified,
-                  defaults to 'generic'.
+                description: |-
+                  Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+                  When not specified, defaults to 'generic'.
                 enum:
                 - generic
                 - aws
@@ -322,10 +666,13 @@ spec:
                 - gcp
                 type: string
               secretRef:
-                description: SecretRef specifies the Secret containing authentication
-                  credentials for the HelmRepository. For HTTP/S basic auth the secret
-                  must contain 'username' and 'password' fields. For TLS the secret
-                  must contain a 'certFile' and 'keyFile', and/or 'caCert' fields.
+                description: |-
+                  SecretRef specifies the Secret containing authentication credentials
+                  for the HelmRepository.
+                  For HTTP/S basic auth the secret must contain 'username' and 'password'
+                  fields.
+                  Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+                  keys is deprecated. Please use `.spec.certSecretRef` instead.
                 properties:
                   name:
                     description: Name of the referent.
@@ -334,29 +681,33 @@ spec:
                 - name
                 type: object
               suspend:
-                description: Suspend tells the controller to suspend the reconciliation
-                  of this HelmRepository.
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  HelmRepository.
                 type: boolean
               timeout:
-                default: 60s
-                description: Timeout is used for the index fetch operation for an
-                  HTTPS helm repository, and for remote OCI Repository operations
-                  like pulling for an OCI helm repository. Its default value is 60s.
+                description: |-
+                  Timeout is used for the index fetch operation for an HTTPS helm repository,
+                  and for remote OCI Repository operations like pulling for an OCI helm
+                  chart by the associated HelmChart.
+                  Its default value is 60s.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
                 type: string
               type:
-                description: Type of the HelmRepository. When this field is set to  "oci",
-                  the URL field value must be prefixed with "oci://".
+                description: |-
+                  Type of the HelmRepository.
+                  When this field is set to  "oci", the URL field value must be prefixed with "oci://".
                 enum:
                 - default
                 - oci
                 type: string
               url:
-                description: URL of the Helm repository, a valid URL contains at least
-                  a protocol and host.
+                description: |-
+                  URL of the Helm repository, a valid URL contains at least a protocol and
+                  host.
+                pattern: ^(http|https|oci)://.*$
                 type: string
             required:
-            - interval
             - url
             type: object
           status:
@@ -368,12 +719,14 @@ spec:
                 description: Artifact represents the last successful HelmRepository
                   reconciliation.
                 properties:
-                  checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of the Artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
                     format: date-time
                     type: string
                   metadata:
@@ -382,69 +735,64 @@ spec:
                     description: Metadata holds upstream information such as OCI annotations.
                     type: object
                   path:
-                    description: Path is the relative file path of the Artifact. It
-                      can be used to locate the file in the root of the Artifact storage
-                      on the local file system of the controller managing the Source.
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
                     type: string
                   revision:
-                    description: Revision is a human-readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
                     type: string
                   size:
                     description: Size is the number of bytes in the file.
                     format: int64
                     type: integer
                   url:
-                    description: URL is the HTTP address of the Artifact as exposed
-                      by the controller managing the Source. It can be used to retrieve
-                      the Artifact for consumption, e.g. by another controller applying
-                      the Artifact contents.
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
                     type: string
                 required:
+                - lastUpdateTime
                 - path
+                - revision
                 - url
                 type: object
               conditions:
                 description: Conditions holds the conditions for the HelmRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -459,10 +807,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -475,29 +819,26 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
-                description: ObservedGeneration is the last observed generation of
-                  the HelmRepository object.
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmRepository
+                  object.
                 format: int64
                 type: integer
               url:
-                description: URL is the dynamic fetch link for the latest Artifact.
-                  It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact
-                  data is recommended.
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  HelmRepositoryStatus.Artifact data is recommended.
                 type: string
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ocirepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -30,20 +29,25 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
-    name: v1beta2
+    name: v1
     schema:
       openAPIV3Schema:
         description: OCIRepository is the Schema for the ocirepositories API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -51,13 +55,19 @@ spec:
             description: OCIRepositorySpec defines the desired state of OCIRepository
             properties:
               certSecretRef:
-                description: "CertSecretRef can be given the name of a secret containing
-                  either or both of \n - a PEM-encoded client certificate (`certFile`)
-                  and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate."
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
                 properties:
                   name:
                     description: Name of the referent.
@@ -66,34 +76,39 @@ spec:
                 - name
                 type: object
               ignore:
-                description: Ignore overrides the set of excluded patterns in the
-                  .sourceignore format (which is the same as .gitignore). If not provided,
-                  a default will be used, consult the documentation for your version
-                  to find out what those are.
+                description: |-
+                  Ignore overrides the set of excluded patterns in the .sourceignore format
+                  (which is the same as .gitignore). If not provided, a default will be used,
+                  consult the documentation for your version to find out what those are.
                 type: string
               insecure:
                 description: Insecure allows connecting to a non-TLS HTTP container
                   registry.
                 type: boolean
               interval:
-                description: The interval at which to check for image updates.
+                description: |-
+                  Interval at which the OCIRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               layerSelector:
-                description: LayerSelector specifies which layer should be extracted
-                  from the OCI artifact. When not specified, the first layer found
-                  in the artifact is selected.
+                description: |-
+                  LayerSelector specifies which layer should be extracted from the OCI artifact.
+                  When not specified, the first layer found in the artifact is selected.
                 properties:
                   mediaType:
-                    description: MediaType specifies the OCI media type of the layer
-                      which should be extracted from the OCI Artifact. The first layer
-                      matching this type is selected.
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
                     type: string
                   operation:
-                    description: Operation specifies how the selected layer should
-                      be processed. By default, the layer compressed content is extracted
-                      to storage. When the operation is set to 'copy', the layer compressed
-                      content is persisted to storage as it is.
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
                     enum:
                     - extract
                     - copy
@@ -101,34 +116,54 @@ spec:
                 type: object
               provider:
                 default: generic
-                description: The provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. When not specified, defaults to 'generic'.
+                description: |-
+                  The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  When not specified, defaults to 'generic'.
                 enum:
                 - generic
                 - aws
                 - azure
                 - gcp
                 type: string
+              proxySecretRef:
+                description: |-
+                  ProxySecretRef specifies the Secret containing the proxy configuration
+                  to use while communicating with the container registry.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
               ref:
-                description: The OCI reference to pull and monitor for changes, defaults
-                  to the latest tag.
+                description: |-
+                  The OCI reference to pull and monitor for changes,
+                  defaults to the latest tag.
                 properties:
                   digest:
-                    description: Digest is the image digest to pull, takes precedence
-                      over SemVer. The value should be in the format 'sha256:<HASH>'.
+                    description: |-
+                      Digest is the image digest to pull, takes precedence over SemVer.
+                      The value should be in the format 'sha256:<HASH>'.
                     type: string
                   semver:
-                    description: SemVer is the range of tags to pull selecting the
-                      latest within the range, takes precedence over Tag.
+                    description: |-
+                      SemVer is the range of tags to pull selecting the latest within
+                      the range, takes precedence over Tag.
+                    type: string
+                  semverFilter:
+                    description: SemverFilter is a regex pattern to filter the tags
+                      within the SemVer range.
                     type: string
                   tag:
                     description: Tag is the image tag to pull, defaults to latest.
                     type: string
                 type: object
               secretRef:
-                description: SecretRef contains the secret name containing the registry
-                  login credentials to resolve image metadata. The secret must be
-                  of type kubernetes.io/dockerconfigjson.
+                description: |-
+                  SecretRef contains the secret name containing the registry login
+                  credentials to resolve image metadata.
+                  The secret must be of type kubernetes.io/dockerconfigjson.
                 properties:
                   name:
                     description: Name of the referent.
@@ -137,9 +172,10 @@ spec:
                 - name
                 type: object
               serviceAccountName:
-                description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account'
+                description: |-
+                  ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+                  the image pull if the service account has attached pull secrets. For more information:
+                  https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
                 type: string
               suspend:
                 description: This flag tells the controller to suspend the reconciliation
@@ -152,25 +188,57 @@ spec:
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
                 type: string
               url:
-                description: URL is a reference to an OCI artifact repository hosted
+                description: |-
+                  URL is a reference to an OCI artifact repository hosted
                   on a remote container registry.
                 pattern: ^oci://.*$
                 type: string
               verify:
-                description: Verify contains the secret name containing the trusted
-                  public keys used to verify the signature and specifies which provider
-                  to use to check whether OCI image is authentic.
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
                 properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
                   provider:
                     default: cosign
                     description: Provider specifies the technology used to sign the
                       OCI Artifact.
                     enum:
                     - cosign
+                    - notation
                     type: string
                   secretRef:
-                    description: SecretRef specifies the Kubernetes Secret containing
-                      the trusted public keys.
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
                     properties:
                       name:
                         description: Name of the referent.
@@ -194,12 +262,14 @@ spec:
                 description: Artifact represents the output of the last successful
                   OCI Repository sync.
                 properties:
-                  checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of the Artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
                     format: date-time
                     type: string
                   metadata:
@@ -208,69 +278,64 @@ spec:
                     description: Metadata holds upstream information such as OCI annotations.
                     type: object
                   path:
-                    description: Path is the relative file path of the Artifact. It
-                      can be used to locate the file in the root of the Artifact storage
-                      on the local file system of the controller managing the Source.
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
                     type: string
                   revision:
-                    description: Revision is a human-readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
                     type: string
                   size:
                     description: Size is the number of bytes in the file.
                     format: int64
                     type: integer
                   url:
-                    description: URL is the HTTP address of the Artifact as exposed
-                      by the controller managing the Source. It can be used to retrieve
-                      the Artifact for consumption, e.g. by another controller applying
-                      the Artifact contents.
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
                     type: string
                 required:
+                - lastUpdateTime
                 - path
+                - revision
                 - url
                 type: object
               conditions:
                 description: Conditions holds the conditions for the OCIRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -285,10 +350,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -300,43 +361,38 @@ spec:
                   - type
                   type: object
                 type: array
-              contentConfigChecksum:
-                description: "ContentConfigChecksum is a checksum of all the configurations
-                  related to the content of the source artifact: - .spec.ignore -
-                  .spec.layerSelector observed in .status.observedGeneration version
-                  of the object. This can be used to determine if the content configuration
-                  has changed and the artifact needs to be rebuilt. It has the format
-                  of `<algo>:<checksum>`, for example: `sha256:<checksum>`. \n Deprecated:
-                  Replaced with explicit fields for observed artifact content config
-                  in the status."
-                type: string
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
                 description: ObservedGeneration is the last observed generation.
                 format: int64
                 type: integer
               observedIgnore:
-                description: ObservedIgnore is the observed exclusion patterns used
-                  for constructing the source artifact.
+                description: |-
+                  ObservedIgnore is the observed exclusion patterns used for constructing
+                  the source artifact.
                 type: string
               observedLayerSelector:
-                description: ObservedLayerSelector is the observed layer selector
-                  used for constructing the source artifact.
+                description: |-
+                  ObservedLayerSelector is the observed layer selector used for constructing
+                  the source artifact.
                 properties:
                   mediaType:
-                    description: MediaType specifies the OCI media type of the layer
-                      which should be extracted from the OCI Artifact. The first layer
-                      matching this type is selected.
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
                     type: string
                   operation:
-                    description: Operation specifies how the selected layer should
-                      be processed. By default, the layer compressed content is extracted
-                      to storage. When the operation is set to 'copy', the layer compressed
-                      content is persisted to storage as it is.
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
                     enum:
                     - extract
                     - copy
@@ -352,9 +408,414 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
+  - additionalPrinterColumns:
+    - jsonPath: .spec.url
+      name: URL
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    deprecated: true
+    deprecationWarning: v1beta2 OCIRepository is deprecated, upgrade to v1
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: OCIRepository is the Schema for the ocirepositories API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OCIRepositorySpec defines the desired state of OCIRepository
+            properties:
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  Note: Support for the `caFile`, `certFile` and `keyFile` keys have
+                  been deprecated.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              ignore:
+                description: |-
+                  Ignore overrides the set of excluded patterns in the .sourceignore format
+                  (which is the same as .gitignore). If not provided, a default will be used,
+                  consult the documentation for your version to find out what those are.
+                type: string
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
+              interval:
+                description: |-
+                  Interval at which the OCIRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              layerSelector:
+                description: |-
+                  LayerSelector specifies which layer should be extracted from the OCI artifact.
+                  When not specified, the first layer found in the artifact is selected.
+                properties:
+                  mediaType:
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
+                    type: string
+                  operation:
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
+                    enum:
+                    - extract
+                    - copy
+                    type: string
+                type: object
+              provider:
+                default: generic
+                description: |-
+                  The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  When not specified, defaults to 'generic'.
+                enum:
+                - generic
+                - aws
+                - azure
+                - gcp
+                type: string
+              proxySecretRef:
+                description: |-
+                  ProxySecretRef specifies the Secret containing the proxy configuration
+                  to use while communicating with the container registry.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              ref:
+                description: |-
+                  The OCI reference to pull and monitor for changes,
+                  defaults to the latest tag.
+                properties:
+                  digest:
+                    description: |-
+                      Digest is the image digest to pull, takes precedence over SemVer.
+                      The value should be in the format 'sha256:<HASH>'.
+                    type: string
+                  semver:
+                    description: |-
+                      SemVer is the range of tags to pull selecting the latest within
+                      the range, takes precedence over Tag.
+                    type: string
+                  semverFilter:
+                    description: SemverFilter is a regex pattern to filter the tags
+                      within the SemVer range.
+                    type: string
+                  tag:
+                    description: Tag is the image tag to pull, defaults to latest.
+                    type: string
+                type: object
+              secretRef:
+                description: |-
+                  SecretRef contains the secret name containing the registry login
+                  credentials to resolve image metadata.
+                  The secret must be of type kubernetes.io/dockerconfigjson.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              serviceAccountName:
+                description: |-
+                  ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+                  the image pull if the service account has attached pull secrets. For more information:
+                  https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+                type: string
+              suspend:
+                description: This flag tells the controller to suspend the reconciliation
+                  of this source.
+                type: boolean
+              timeout:
+                default: 60s
+                description: The timeout for remote OCI Repository operations like
+                  pulling, defaults to 60s.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+              url:
+                description: |-
+                  URL is a reference to an OCI artifact repository hosted
+                  on a remote container registry.
+                pattern: ^oci://.*$
+                type: string
+              verify:
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
+                properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
+                  provider:
+                    default: cosign
+                    description: Provider specifies the technology used to sign the
+                      OCI Artifact.
+                    enum:
+                    - cosign
+                    - notation
+                    type: string
+                  secretRef:
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                required:
+                - provider
+                type: object
+            required:
+            - interval
+            - url
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: OCIRepositoryStatus defines the observed state of OCIRepository
+            properties:
+              artifact:
+                description: Artifact represents the output of the last successful
+                  OCI Repository sync.
+                properties:
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
+                    type: string
+                  lastUpdateTime:
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
+                    format: date-time
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Metadata holds upstream information such as OCI annotations.
+                    type: object
+                  path:
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
+                    type: string
+                  revision:
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+                    type: string
+                  size:
+                    description: Size is the number of bytes in the file.
+                    format: int64
+                    type: integer
+                  url:
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
+                    type: string
+                required:
+                - lastUpdateTime
+                - path
+                - revision
+                - url
+                type: object
+              conditions:
+                description: Conditions holds the conditions for the OCIRepository.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              contentConfigChecksum:
+                description: |-
+                  ContentConfigChecksum is a checksum of all the configurations related to
+                  the content of the source artifact:
+                   - .spec.ignore
+                   - .spec.layerSelector
+                  observed in .status.observedGeneration version of the object. This can
+                  be used to determine if the content configuration has changed and the
+                  artifact needs to be rebuilt.
+                  It has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`.
+
+                  Deprecated: Replaced with explicit fields for observed artifact content
+                  config in the status.
+                type: string
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the last observed generation.
+                format: int64
+                type: integer
+              observedIgnore:
+                description: |-
+                  ObservedIgnore is the observed exclusion patterns used for constructing
+                  the source artifact.
+                type: string
+              observedLayerSelector:
+                description: |-
+                  ObservedLayerSelector is the observed layer selector used for constructing
+                  the source artifact.
+                properties:
+                  mediaType:
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
+                    type: string
+                  operation:
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
+                    enum:
+                    - extract
+                    - copy
+                    type: string
+                type: object
+              url:
+                description: URL is the download link for the artifact output of the
+                  last OCI Repository sync.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}

config/manager/kustomization.yaml

@@ -6,4 +6,4 @@ resources:
 images:
 - name: fluxcd/source-controller
   newName: fluxcd/source-controller
-  newTag: v0.32.1
+  newTag: v1.6.0

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
@@ -20,129 +19,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
   - buckets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - buckets/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - buckets/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - gitrepositories
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - gitrepositories/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - gitrepositories/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - helmcharts
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmcharts/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmcharts/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - helmrepositories
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmrepositories/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmrepositories/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - ocirepositories
   verbs:
   - create
@@ -155,6 +44,10 @@ rules:
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
+  - buckets/finalizers
+  - gitrepositories/finalizers
+  - helmcharts/finalizers
+  - helmrepositories/finalizers
   - ocirepositories/finalizers
   verbs:
   - create
@@ -165,6 +58,10 @@ rules:
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
+  - buckets/status
+  - gitrepositories/status
+  - helmcharts/status
+  - helmrepositories/status
   - ocirepositories/status
   verbs:
   - get

config/samples/source_v1_bucket.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: bucket-sample

config/samples/source_v1_gitrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: gitrepository-sample

config/samples/source_v1_helmchart_gitrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-git-sample

config/samples/source_v1_helmchart_helmrepository-oci.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-sample-oci

config/samples/source_v1_helmchart_helmrepository.yaml

@@ -1,11 +1,12 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-sample
 spec:
   chart: podinfo
-  version: '>=2.0.0 <3.0.0'
+  version: '6.x'
   sourceRef:
     kind: HelmRepository
     name: helmrepository-sample
   interval: 1m
+  ignoreMissingValuesFiles: true

config/samples/source_v1_helmrepository-oci.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: helmrepository-sample-oci

config/samples/source_v1_helmrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: helmrepository-sample

config/samples/source_v1_ocirepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: ocirepository-sample

config/testdata/bucket/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: podinfo

config/testdata/git/large-repo.yaml

@@ -1,13 +1,10 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: large-repo
 spec:
   interval: 10m
   timeout: 2m
-  url: https://github.com/hashgraph/hedera-mirror-node.git
+  url: https://github.com/nodejs/node.git
   ref:
     branch: main
-  ignore: |
-    /*
-    !/charts

config/testdata/helmchart-from-bucket/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: charts
@@ -13,7 +13,7 @@ spec:
   secretRef:
     name: minio-credentials
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-bucket

config/testdata/helmchart-from-oci/notation.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo-notation
+spec:
+  url: oci://ghcr.io/stefanprodan/charts
+  type: "oci"
+  interval: 1m
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo-notation
+spec:
+  chart: podinfo
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo-notation
+  version: '6.6.0'
+  interval: 1m
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config

config/testdata/helmchart-from-oci/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: podinfo
@@ -8,7 +8,7 @@ spec:
   type: "oci"
   interval: 1m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: podinfo
@@ -20,7 +20,7 @@ spec:
   version: '6.1.*'
   interval: 1m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: podinfo-keyless

config/testdata/ocirepository/signed-with-key.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: podinfo-deploy-signed-with-key

config/testdata/ocirepository/signed-with-keyless.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: podinfo-deploy-signed-with-keyless

config/testdata/ocirepository/signed-with-notation.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-notation
+spec:
+  interval: 5m
+  url: oci://ghcr.io/stefanprodan/podinfo-deploy
+  ref:
+    semver: "6.6.x"
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config

controllers/helmrepository_controller_oci.go

@@ -1,404 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-	"os"
-	"time"
-
-	helmgetter "helm.sh/helm/v3/pkg/getter"
-	helmreg "helm.sh/helm/v3/pkg/registry"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	kerrors "k8s.io/apimachinery/pkg/util/errors"
-	kuberecorder "k8s.io/client-go/tools/record"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/oci"
-	"github.com/fluxcd/pkg/runtime/conditions"
-	helper "github.com/fluxcd/pkg/runtime/controller"
-	"github.com/fluxcd/pkg/runtime/patch"
-	"github.com/fluxcd/pkg/runtime/predicates"
-	"github.com/google/go-containerregistry/pkg/authn"
-
-	"github.com/fluxcd/source-controller/api/v1beta2"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/source-controller/internal/helm/registry"
-	"github.com/fluxcd/source-controller/internal/helm/repository"
-	"github.com/fluxcd/source-controller/internal/object"
-	intpredicates "github.com/fluxcd/source-controller/internal/predicates"
-)
-
-var helmRepositoryOCIOwnedConditions = []string{
-	meta.ReadyCondition,
-	meta.ReconcilingCondition,
-	meta.StalledCondition,
-}
-
-var helmRepositoryOCINegativeConditions = []string{
-	meta.StalledCondition,
-	meta.ReconcilingCondition,
-}
-
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories/finalizers,verbs=get;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
-
-// HelmRepositoryOCI Reconciler reconciles a v1beta2.HelmRepository object of type OCI.
-type HelmRepositoryOCIReconciler struct {
-	client.Client
-	kuberecorder.EventRecorder
-	helper.Metrics
-	Getters                 helmgetter.Providers
-	ControllerName          string
-	RegistryClientGenerator RegistryClientGeneratorFunc
-}
-
-// RegistryClientGeneratorFunc is a function that returns a registry client
-// and an optional file name.
-// The file is used to store the registry client credentials.
-// The caller is responsible for deleting the file.
-type RegistryClientGeneratorFunc func(isLogin bool) (*helmreg.Client, string, error)
-
-func (r *HelmRepositoryOCIReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return r.SetupWithManagerAndOptions(mgr, HelmRepositoryReconcilerOptions{})
-}
-
-func (r *HelmRepositoryOCIReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, opts HelmRepositoryReconcilerOptions) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&sourcev1.HelmRepository{}).
-		WithEventFilter(
-			predicate.And(
-				intpredicates.HelmRepositoryTypePredicate{RepositoryType: sourcev1.HelmRepositoryTypeOCI},
-				predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{}),
-			),
-		).
-		WithOptions(controller.Options{
-			MaxConcurrentReconciles: opts.MaxConcurrentReconciles,
-			RateLimiter:             opts.RateLimiter,
-			RecoverPanic:            true,
-		}).
-		Complete(r)
-}
-
-func (r *HelmRepositoryOCIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, retErr error) {
-	start := time.Now()
-	log := ctrl.LoggerFrom(ctx)
-
-	// Fetch the HelmRepository
-	obj := &sourcev1.HelmRepository{}
-	if err := r.Get(ctx, req.NamespacedName, obj); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	// Record suspended status metric
-	r.RecordSuspend(ctx, obj, obj.Spec.Suspend)
-
-	// Initialize the patch helper with the current version of the object.
-	patchHelper, err := patch.NewHelper(obj, r.Client)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-
-	// Always attempt to patch the object after each reconciliation.
-	defer func() {
-		// Patch the object, prioritizing the conditions owned by the controller in
-		// case of any conflicts.
-		patchOpts := []patch.Option{
-			patch.WithOwnedConditions{
-				Conditions: helmRepositoryOCIOwnedConditions,
-			},
-		}
-		patchOpts = append(patchOpts, patch.WithFieldOwner(r.ControllerName))
-		// If a reconcile annotation value is found, set it in the object status
-		// as status.lastHandledReconcileAt.
-		if v, ok := meta.ReconcileAnnotationValue(obj.GetAnnotations()); ok {
-			object.SetStatusLastHandledReconcileAt(obj, v)
-		}
-
-		// Set status observed generation option if the object is stalled, or
-		// if the object is ready.
-		if conditions.IsStalled(obj) || conditions.IsReady(obj) {
-			patchOpts = append(patchOpts, patch.WithStatusObservedGeneration{})
-		}
-
-		if err = patchHelper.Patch(ctx, obj, patchOpts...); err != nil {
-			// Ignore patch error "not found" when the object is being deleted.
-			if !obj.GetDeletionTimestamp().IsZero() {
-				err = kerrors.FilterOut(err, func(e error) bool { return apierrors.IsNotFound(e) })
-			}
-			retErr = kerrors.NewAggregate([]error{retErr, err})
-		}
-
-		// Always record readiness and duration metrics
-		r.Metrics.RecordReadiness(ctx, obj)
-		r.Metrics.RecordDuration(ctx, obj, start)
-	}()
-
-	// Add finalizer first if it doesn't exist to avoid the race condition
-	// between init and delete.
-	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
-		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
-		return ctrl.Result{Requeue: true}, nil
-	}
-
-	// Examine if the object is under deletion.
-	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
-		return r.reconcileDelete(ctx, obj)
-	}
-
-	// Return if the object is suspended.
-	if obj.Spec.Suspend {
-		log.Info("reconciliation is suspended for this object")
-		return ctrl.Result{}, nil
-	}
-
-	// Examine if a type change has happened and act accordingly
-	if obj.Spec.Type != sourcev1.HelmRepositoryTypeOCI {
-		// Remove any stale condition and ignore the object if the type has
-		// changed.
-		obj.Status.Conditions = nil
-		return ctrl.Result{}, nil
-	}
-
-	result, retErr = r.reconcile(ctx, obj)
-	return
-}
-
-// reconcile reconciles the HelmRepository object. While reconciling, when an
-// error is encountered, it sets the failure details in the appropriate status
-// condition type and returns the error with appropriate ctrl.Result. The object
-// status conditions and the returned results are evaluated in the deferred
-// block at the very end to summarize the conditions to be in a consistent
-// state.
-func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, obj *v1beta2.HelmRepository) (result ctrl.Result, retErr error) {
-	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
-	defer cancel()
-
-	oldObj := obj.DeepCopy()
-
-	defer func() {
-		// If it's stalled, ensure reconciling is removed.
-		if sc := conditions.Get(obj, meta.StalledCondition); sc != nil && sc.Status == metav1.ConditionTrue {
-			conditions.Delete(obj, meta.ReconcilingCondition)
-		}
-
-		// Check if it's a successful reconciliation.
-		if result.RequeueAfter == obj.GetRequeueAfter() && result.Requeue == false &&
-			retErr == nil {
-			// Remove reconciling condition if the reconciliation was successful.
-			conditions.Delete(obj, meta.ReconcilingCondition)
-			// If it's not ready even though it's not reconciling or stalled,
-			// set the ready failure message as the error.
-			// Based on isNonStalledSuccess() from internal/reconcile/summarize.
-			if ready := conditions.Get(obj, meta.ReadyCondition); ready != nil &&
-				ready.Status == metav1.ConditionFalse && !conditions.IsStalled(obj) {
-				retErr = errors.New(conditions.GetMessage(obj, meta.ReadyCondition))
-			}
-		}
-
-		// If it's still a successful reconciliation and it's not reconciling or
-		// stalled, mark Ready=True.
-		if !conditions.IsReconciling(obj) && !conditions.IsStalled(obj) &&
-			retErr == nil && result.RequeueAfter == obj.GetRequeueAfter() {
-			conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready")
-		}
-
-		// Emit events when object's state changes.
-		ready := conditions.Get(obj, meta.ReadyCondition)
-		// Became ready from not ready.
-		if !conditions.IsReady(oldObj) && conditions.IsReady(obj) {
-			r.eventLogf(ctx, obj, corev1.EventTypeNormal, ready.Reason, ready.Message)
-		}
-		// Became not ready from ready.
-		if conditions.IsReady(oldObj) && !conditions.IsReady(obj) {
-			r.eventLogf(ctx, obj, corev1.EventTypeWarning, ready.Reason, ready.Message)
-		}
-	}()
-
-	// Set reconciling condition.
-	if obj.Generation != obj.Status.ObservedGeneration {
-		conditions.MarkReconciling(obj, "NewGeneration", "reconciling new object generation (%d)", obj.Generation)
-	}
-
-	// Ensure that it's an OCI URL before continuing.
-	if !helmreg.IsOCI(obj.Spec.URL) {
-		u, err := url.Parse(obj.Spec.URL)
-		if err != nil {
-			err = fmt.Errorf("failed to parse URL: %w", err)
-		} else {
-			err = fmt.Errorf("URL scheme '%s' in '%s' is not supported", u.Scheme, obj.Spec.URL)
-		}
-		conditions.MarkStalled(obj, sourcev1.URLInvalidReason, err.Error())
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.URLInvalidReason, err.Error())
-		ctrl.LoggerFrom(ctx).Error(err, "reconciliation stalled")
-		result, retErr = ctrl.Result{}, nil
-		return
-	}
-	conditions.Delete(obj, meta.StalledCondition)
-
-	var (
-		authenticator authn.Authenticator
-		keychain      authn.Keychain
-		err           error
-	)
-	// Configure any authentication related options.
-	if obj.Spec.SecretRef != nil {
-		keychain, err = authFromSecret(ctx, r.Client, obj)
-		if err != nil {
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
-			result, retErr = ctrl.Result{}, err
-			return
-		}
-	} else if obj.Spec.Provider != sourcev1.GenericOCIProvider && obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
-		auth, authErr := oidcAuth(ctxTimeout, obj.Spec.URL, obj.Spec.Provider)
-		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
-			e := fmt.Errorf("failed to get credential from %s: %w", obj.Spec.Provider, authErr)
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, e.Error())
-			result, retErr = ctrl.Result{}, e
-			return
-		}
-		if auth != nil {
-			authenticator = auth
-		}
-	}
-
-	loginOpt, err := makeLoginOption(authenticator, keychain, obj.Spec.URL)
-	if err != nil {
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
-		result, retErr = ctrl.Result{}, err
-		return
-	}
-
-	// Create registry client and login if needed.
-	registryClient, file, err := r.RegistryClientGenerator(loginOpt != nil)
-	if err != nil {
-		e := fmt.Errorf("failed to create registry client: %w", err)
-		conditions.MarkFalse(obj, meta.ReadyCondition, meta.FailedReason, e.Error())
-		result, retErr = ctrl.Result{}, e
-		return
-	}
-	if file != "" {
-		defer func() {
-			if err := os.Remove(file); err != nil {
-				r.eventLogf(ctx, obj, corev1.EventTypeWarning, meta.FailedReason,
-					"failed to delete temporary credentials file: %s", err)
-			}
-		}()
-	}
-
-	chartRepo, err := repository.NewOCIChartRepository(obj.Spec.URL, repository.WithOCIRegistryClient(registryClient))
-	if err != nil {
-		e := fmt.Errorf("failed to parse URL '%s': %w", obj.Spec.URL, err)
-		conditions.MarkStalled(obj, sourcev1.URLInvalidReason, e.Error())
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.URLInvalidReason, e.Error())
-		result, retErr = ctrl.Result{}, nil
-		return
-	}
-	conditions.Delete(obj, meta.StalledCondition)
-
-	// Attempt to login to the registry if credentials are provided.
-	if loginOpt != nil {
-		err = chartRepo.Login(loginOpt)
-		if err != nil {
-			e := fmt.Errorf("failed to login to registry '%s': %w", obj.Spec.URL, err)
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, e.Error())
-			result, retErr = ctrl.Result{}, e
-			return
-		}
-	}
-
-	// Remove any stale Ready condition, most likely False, set above. Its value
-	// is derived from the overall result of the reconciliation in the deferred
-	// block at the very end.
-	conditions.Delete(obj, meta.ReadyCondition)
-
-	result, retErr = ctrl.Result{RequeueAfter: obj.GetRequeueAfter()}, nil
-	return
-}
-
-func (r *HelmRepositoryOCIReconciler) reconcileDelete(ctx context.Context, obj *sourcev1.HelmRepository) (ctrl.Result, error) {
-	// Remove our finalizer from the list
-	controllerutil.RemoveFinalizer(obj, sourcev1.SourceFinalizer)
-
-	// Stop reconciliation as the object is being deleted
-	return ctrl.Result{}, nil
-}
-
-// eventLogf records events, and logs at the same time.
-//
-// This log is different from the debug log in the EventRecorder, in the sense
-// that this is a simple log. While the debug log contains complete details
-// about the event.
-func (r *HelmRepositoryOCIReconciler) eventLogf(ctx context.Context, obj runtime.Object, eventType string, reason string, messageFmt string, args ...interface{}) {
-	msg := fmt.Sprintf(messageFmt, args...)
-	// Log and emit event.
-	if eventType == corev1.EventTypeWarning {
-		ctrl.LoggerFrom(ctx).Error(errors.New(reason), msg)
-	} else {
-		ctrl.LoggerFrom(ctx).Info(msg)
-	}
-	r.Eventf(obj, eventType, reason, msg)
-}
-
-// authFromSecret returns an authn.Keychain for the given HelmRepository.
-// If the HelmRepository does not specify a secretRef, an anonymous keychain is returned.
-func authFromSecret(ctx context.Context, client client.Client, obj *sourcev1.HelmRepository) (authn.Keychain, error) {
-	// Attempt to retrieve secret.
-	name := types.NamespacedName{
-		Namespace: obj.GetNamespace(),
-		Name:      obj.Spec.SecretRef.Name,
-	}
-	var secret corev1.Secret
-	if err := client.Get(ctx, name, &secret); err != nil {
-		return nil, fmt.Errorf("failed to get secret '%s': %w", name.String(), err)
-	}
-
-	// Construct login options.
-	keychain, err := registry.LoginOptionFromSecret(obj.Spec.URL, secret)
-	if err != nil {
-		return nil, fmt.Errorf("failed to configure Helm client with secret data: %w", err)
-	}
-	return keychain, nil
-}
-
-// makeLoginOption returns a registry login option for the given HelmRepository.
-// If the HelmRepository does not specify a secretRef, a nil login option is returned.
-func makeLoginOption(auth authn.Authenticator, keychain authn.Keychain, registryURL string) (helmreg.LoginOption, error) {
-	if auth != nil {
-		return registry.AuthAdaptHelper(auth)
-	}
-
-	if keychain != nil {
-		return registry.KeychainAdaptHelper(keychain)(registryURL)
-	}
-
-	return nil, nil
-}

controllers/helmrepository_controller_oci_test.go

@@ -1,304 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"encoding/base64"
-	"fmt"
-	"testing"
-
-	. "github.com/onsi/gomega"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/tools/record"
-	kstatus "sigs.k8s.io/cli-utils/pkg/kstatus/status"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
-	conditionscheck "github.com/fluxcd/pkg/runtime/conditions/check"
-	"github.com/fluxcd/pkg/runtime/patch"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/source-controller/internal/helm/registry"
-)
-
-func TestHelmRepositoryOCIReconciler_Reconcile(t *testing.T) {
-	tests := []struct {
-		name       string
-		secretType corev1.SecretType
-		secretData map[string][]byte
-	}{
-		{
-			name: "valid auth data",
-			secretData: map[string][]byte{
-				"username": []byte(testRegistryUsername),
-				"password": []byte(testRegistryPassword),
-			},
-		},
-		{
-			name:       "no auth data",
-			secretData: nil,
-		},
-		{
-			name:       "dockerconfigjson Secret",
-			secretType: corev1.SecretTypeDockerConfigJson,
-			secretData: map[string][]byte{
-				".dockerconfigjson": []byte(`{"auths":{"` +
-					testRegistryServer.registryHost + `":{"` +
-					`auth":"` + base64.StdEncoding.EncodeToString([]byte(testRegistryUsername+":"+testRegistryPassword)) + `"}}}`),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-
-			ns, err := testEnv.CreateNamespace(ctx, "helmrepository-oci-reconcile-test")
-			g.Expect(err).ToNot(HaveOccurred())
-			defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
-
-			secret := &corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "helmrepository-",
-					Namespace:    ns.Name,
-				},
-				Data: tt.secretData,
-			}
-			if tt.secretType != "" {
-				secret.Type = tt.secretType
-			}
-
-			g.Expect(testEnv.CreateAndWait(ctx, secret)).To(Succeed())
-
-			origObj := &sourcev1.HelmRepository{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "helmrepository-oci-reconcile-",
-					Namespace:    ns.Name,
-				},
-				Spec: sourcev1.HelmRepositorySpec{
-					Interval: metav1.Duration{Duration: interval},
-					URL:      fmt.Sprintf("oci://%s", testRegistryServer.registryHost),
-					SecretRef: &meta.LocalObjectReference{
-						Name: secret.Name,
-					},
-					Provider: sourcev1.GenericOCIProvider,
-					Type:     sourcev1.HelmRepositoryTypeOCI,
-				},
-			}
-			obj := origObj.DeepCopy()
-			g.Expect(testEnv.Create(ctx, obj)).To(Succeed())
-
-			key := client.ObjectKey{Name: obj.Name, Namespace: obj.Namespace}
-
-			// Wait for finalizer to be set
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, obj); err != nil {
-					return false
-				}
-				return len(obj.Finalizers) > 0
-			}, timeout).Should(BeTrue())
-
-			// Wait for HelmRepository to be Ready
-			waitForSourceReadyWithoutArtifact(ctx, g, obj)
-
-			// Check if the object status is valid.
-			condns := &conditionscheck.Conditions{NegativePolarity: helmRepositoryReadyCondition.NegativePolarity}
-			checker := conditionscheck.NewChecker(testEnv.Client, condns)
-			checker.CheckErr(ctx, obj)
-
-			// kstatus client conformance check.
-			u, err := patch.ToUnstructured(obj)
-			g.Expect(err).ToNot(HaveOccurred())
-			res, err := kstatus.Compute(u)
-			g.Expect(err).ToNot(HaveOccurred())
-			g.Expect(res.Status).To(Equal(kstatus.CurrentStatus))
-
-			// Patch the object with reconcile request annotation.
-			patchHelper, err := patch.NewHelper(obj, testEnv.Client)
-			g.Expect(err).ToNot(HaveOccurred())
-			annotations := map[string]string{
-				meta.ReconcileRequestAnnotation: "now",
-			}
-			obj.SetAnnotations(annotations)
-			g.Expect(patchHelper.Patch(ctx, obj)).ToNot(HaveOccurred())
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, obj); err != nil {
-					return false
-				}
-				return obj.Status.LastHandledReconcileAt == "now"
-			}, timeout).Should(BeTrue())
-
-			g.Expect(testEnv.Delete(ctx, obj)).To(Succeed())
-
-			// Wait for HelmRepository to be deleted
-			waitForSourceDeletion(ctx, g, obj)
-
-			// Check if a suspended object gets deleted.
-			obj = origObj.DeepCopy()
-			testSuspendedObjectDeleteWithoutArtifact(ctx, g, obj)
-		})
-	}
-}
-
-func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
-	type secretOptions struct {
-		username string
-		password string
-	}
-
-	tests := []struct {
-		name             string
-		url              string
-		registryOpts     registryOptions
-		secretOpts       secretOptions
-		provider         string
-		providerImg      string
-		want             ctrl.Result
-		wantErr          bool
-		assertConditions []metav1.Condition
-	}{
-		{
-			name: "HTTP without basic auth",
-			want: ctrl.Result{RequeueAfter: interval},
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-		{
-			name: "HTTP with basic auth secret",
-			want: ctrl.Result{RequeueAfter: interval},
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-		{
-			name:    "HTTP registry - basic auth with invalid secret",
-			want:    ctrl.Result{},
-			wantErr: true,
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: "wrong-pass",
-				password: "wrong-pass",
-			},
-			assertConditions: []metav1.Condition{
-				*conditions.FalseCondition(meta.ReadyCondition, sourcev1.AuthenticationFailedReason, "failed to login to registry"),
-			},
-		},
-		{
-			name:        "with contextual login provider",
-			wantErr:     true,
-			provider:    "aws",
-			providerImg: "oci://123456789000.dkr.ecr.us-east-2.amazonaws.com/test",
-			assertConditions: []metav1.Condition{
-				*conditions.FalseCondition(meta.ReadyCondition, sourcev1.AuthenticationFailedReason, "failed to get credential from"),
-			},
-		},
-		{
-			name: "with contextual login provider and secretRef",
-			want: ctrl.Result{RequeueAfter: interval},
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			provider: "azure",
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-
-			builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
-			workspaceDir := t.TempDir()
-			server, err := setupRegistryServer(ctx, workspaceDir, tt.registryOpts)
-			g.Expect(err).NotTo(HaveOccurred())
-
-			obj := &sourcev1.HelmRepository{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "auth-strategy-",
-				},
-				Spec: sourcev1.HelmRepositorySpec{
-					Interval: metav1.Duration{Duration: interval},
-					Timeout:  &metav1.Duration{Duration: timeout},
-					Type:     sourcev1.HelmRepositoryTypeOCI,
-					Provider: sourcev1.GenericOCIProvider,
-					URL:      fmt.Sprintf("oci://%s", server.registryHost),
-				},
-			}
-
-			if tt.provider != "" {
-				obj.Spec.Provider = tt.provider
-			}
-			// If a provider specific image is provided, overwrite existing URL
-			// set earlier. It'll fail but it's necessary to set them because
-			// the login check expects the URLs to be of certain pattern.
-			if tt.providerImg != "" {
-				obj.Spec.URL = tt.providerImg
-			}
-
-			if tt.secretOpts.username != "" && tt.secretOpts.password != "" {
-				secret := &corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "auth-secretref",
-					},
-					Type: corev1.SecretTypeDockerConfigJson,
-					Data: map[string][]byte{
-						".dockerconfigjson": []byte(fmt.Sprintf(`{"auths": {%q: {"username": %q, "password": %q}}}`,
-							server.registryHost, tt.secretOpts.username, tt.secretOpts.password)),
-					},
-				}
-
-				builder.WithObjects(secret)
-
-				obj.Spec.SecretRef = &meta.LocalObjectReference{
-					Name: secret.Name,
-				}
-			}
-
-			r := &HelmRepositoryOCIReconciler{
-				Client:                  builder.Build(),
-				EventRecorder:           record.NewFakeRecorder(32),
-				Getters:                 testGetters,
-				RegistryClientGenerator: registry.ClientGenerator,
-			}
-
-			got, err := r.reconcile(ctx, obj)
-			g.Expect(err != nil).To(Equal(tt.wantErr))
-			g.Expect(got).To(Equal(tt.want))
-			g.Expect(obj.Status.Conditions).To(conditions.MatchConditions(tt.assertConditions))
-		})
-	}
-}

controllers/testdata/certs/ca-key.pem

@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIOH/u9dMcpVcZ0+X9Fc78dCTj8SHuXawhLjhu/ej64WToAoGCCqGSM49
-AwEHoUQDQgAEruH/kPxtX3cyYR2G7TYmxLq6AHyzo/NGXc9XjGzdJutE2SQzn37H
-dvSJbH+Lvqo9ik0uiJVRVdCYD1j7gNszGA==
------END EC PRIVATE KEY-----

controllers/testdata/certs/ca.csr

@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBIDCBxgIBADAZMRcwFQYDVQQDEw5leGFtcGxlLmNvbSBDQTBZMBMGByqGSM49
-AgEGCCqGSM49AwEHA0IABK7h/5D8bV93MmEdhu02JsS6ugB8s6PzRl3PV4xs3Sbr
-RNkkM59+x3b0iWx/i76qPYpNLoiVUVXQmA9Y+4DbMxigSzBJBgkqhkiG9w0BCQ4x
-PDA6MDgGA1UdEQQxMC+CCWxvY2FsaG9zdIILZXhhbXBsZS5jb22CD3d3dy5leGFt
-cGxlLmNvbYcEfwAAATAKBggqhkjOPQQDAgNJADBGAiEAkw85nyLhJssyCYsaFvRU
-EErhu66xHPJug/nG50uV5OoCIQCUorrflOSxfChPeCe4xfwcPv7FpcCYbKVYtGzz
-b34Wow==
------END CERTIFICATE REQUEST-----

controllers/testdata/certs/ca.pem

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBhzCCAS2gAwIBAgIUdsAtiX3gN0uk7ddxASWYE/tdv0wwCgYIKoZIzj0EAwIw
-GTEXMBUGA1UEAxMOZXhhbXBsZS5jb20gQ0EwHhcNMjAwNDE3MDgxODAwWhcNMjUw
-NDE2MDgxODAwWjAZMRcwFQYDVQQDEw5leGFtcGxlLmNvbSBDQTBZMBMGByqGSM49
-AgEGCCqGSM49AwEHA0IABK7h/5D8bV93MmEdhu02JsS6ugB8s6PzRl3PV4xs3Sbr
-RNkkM59+x3b0iWx/i76qPYpNLoiVUVXQmA9Y+4DbMxijUzBRMA4GA1UdDwEB/wQE
-AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQGyUiU1QEZiMAqjsnIYTwZ
-4yp5wzAPBgNVHREECDAGhwR/AAABMAoGCCqGSM49BAMCA0gAMEUCIQDzdtvKdE8O
-1+WRTZ9MuSiFYcrEz7Zne7VXouDEKqKEigIgM4WlbDeuNCKbqhqj+xZV0pa3rweb
-OD8EjjCMY69RMO0=
------END CERTIFICATE-----

controllers/testdata/certs/server-key.pem

@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIKQbEXV6nljOHMmPrWVWQ+JrAE5wsbE9iMhfY7wlJgXOoAoGCCqGSM49
-AwEHoUQDQgAE+53oBGlrvVUTelSGYji8GNHVhVg8jOs1PeeLuXCIZjQmctHLFEq3
-fE+mGxCL93MtpYzlwIWBf0m7pEGQre6bzg==
------END EC PRIVATE KEY-----

controllers/testdata/certs/server.csr

@@ -1,8 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIBHDCBwwIBADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABPud6ARpa71VE3pUhmI4vBjR1YVYPIzrNT3ni7lwiGY0JnLR
-yxRKt3xPphsQi/dzLaWM5cCFgX9Ju6RBkK3um86gSzBJBgkqhkiG9w0BCQ4xPDA6
-MDgGA1UdEQQxMC+CCWxvY2FsaG9zdIILZXhhbXBsZS5jb22CD3d3dy5leGFtcGxl
-LmNvbYcEfwAAATAKBggqhkjOPQQDAgNIADBFAiB5A6wvQ5x6g/zhiyn+wLzXsOaB
-Gb/F25p/zTHHQqZbkwIhAPUgWzy/2bs6eZEi97bSlaRdmrqHwqT842t5sEwGyXNV
------END CERTIFICATE REQUEST-----

controllers/testdata/certs/server.pem

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB7TCCAZKgAwIBAgIUB+17B8PU05wVTzRHLeG+S+ybZK4wCgYIKoZIzj0EAwIw
-GTEXMBUGA1UEAxMOZXhhbXBsZS5jb20gQ0EwHhcNMjAwNDE3MDgxODAwWhcNMzAw
-NDE1MDgxODAwWjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTBZMBMGByqGSM49AgEG
-CCqGSM49AwEHA0IABPud6ARpa71VE3pUhmI4vBjR1YVYPIzrNT3ni7lwiGY0JnLR
-yxRKt3xPphsQi/dzLaWM5cCFgX9Ju6RBkK3um86jgbowgbcwDgYDVR0PAQH/BAQD
-AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
-MB0GA1UdDgQWBBTM8HS5EIlVMBYv/300jN8PEArUgDAfBgNVHSMEGDAWgBQGyUiU
-1QEZiMAqjsnIYTwZ4yp5wzA4BgNVHREEMTAvgglsb2NhbGhvc3SCC2V4YW1wbGUu
-Y29tgg93d3cuZXhhbXBsZS5jb22HBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAOgB
-5W82FEgiTTOmsNRekkK5jUPbj4D4eHtb2/BI7ph4AiEA2AxHASIFBdv5b7Qf5prb
-bdNmUCzAvVuCAKuMjg2OPrE=
------END CERTIFICATE-----

docs/spec/README.md

@@ -1,66 +1,7 @@
 # Source Controller
 
-The main goal is to define a set of Kubernetes objects that cluster
-admins and various automated operators can interact with to offload
-the sources (e.g. Git and Helm repositories) registration, authentication,
-verification and resource fetching to a dedicated controller.
-
-## Motivation
-
-Each Flux and each Helm operator mirrors the Git repositories they are
-using, in the same way, using the same code. But other components
-might benefit from access to the source mirrors, and Flux and the Helm
-operator could work more in sympathy with Kubernetes by factoring it out.
-
-If "sources" (usually git repos, but also Helm charts and potentially
-other things) existed in their own right as Kubernetes resources,
-components like Flux and Helm operator could use standard Kubernetes
-mechanisms to build on them; and, they could be managed independently
-of the components using them.
-
 ## API Specification
 
+* [v1](v1/README.md)
 * [v1beta2](v1beta2/README.md)
 * [v1beta1](v1beta1/README.md)
-
-## Implementation
-
-The controller implementation will watch for source objects in a cluster and act on them.
-The actions performed by the source controller could be:
-
-* validate source definitions
-* authenticate to sources and validate authenticity
-* detect source changes based on update policies (semver)
-* fetch resources on-demand and on-a-schedule
-* package the fetched resources into a well known format (tar.gz, yaml)
-* store the artifacts locally
-* make the artifacts addressable by their source identifier (sha, version, ts)
-* make the artifacts available in-cluster to interested 3rd parties
-* notify interested 3rd parties of source changes and availability (status conditions, events, hooks)
-
-## Impact to Flux
-
-Having a dedicated controller that manages Git repositories defined with Kubernetes custom resources would:
-
-* simplify Flux configuration as fluxd could subscribe to Git sources in-cluster and pull the artifacts
-automatically without manual intervention from users to reconfigure and redeploy FLux
-* improve the installation experience as users will not have to patch fluxd's deployment to inject
-the HTTPS basic auth credentials, change the source URL or other Git and PGP related settings
-* enable fluxd to compose the desired state of a cluster from multiple sources by applying all artifacts present in flux namespace
-* enable fluxd to apply manifests coming from other sources than Git, e.g. S3 buckets
-* allow fluxd to run under a non-root user as it wouldn't need to shell out to ssh-keygen, git or pgp 
-* enable fluxd to apply manifests coming from the most recent semver tag of a Git repository
-* allow user to pin the cluster desired state to a specific Git commit or Git tag
-
-## Impact to Helm Operator
-
-Having a dedicated controller that manages Helm repositories and charts defined with Kubernetes custom
-resources would:
-
-* simplify the Helm Operator configuration as repository and chart definitions can be re-used across
-  `HelmRelease` resources (see [fluxcd/helm-operator#142](https://github.com/fluxcd/helm-operator/issues/142))
-* improve the user experience as repositories requiring authentication will no longer require a
-  `repositories.yaml` import / file mount
-* simplify the architecture of the Helm Operator as it allows the operator to work with a single
-  source type (`HelmChart`) and way of preparing and executing installations and/or upgrades
-* allow the Helm Operator to run under a non-root user as it wouldn't need to shell out to git

docs/spec/v1/README.md

@@ -0,0 +1,21 @@
+# source.toolkit.fluxcd.io/v1
+
+This is the v1 API specification for defining the desired state sources of Kubernetes clusters.
+
+## Specification
+
+* Source kinds:
+  + [GitRepository](gitrepositories.md)
+  + [OCIRepository](ocirepositories.md)
+  + [HelmRepository](helmrepositories.md)
+  + [HelmChart](helmcharts.md)
+  + [Bucket](buckets.md)
+
+## Implementation
+
+* [source-controller](https://github.com/fluxcd/source-controller/)
+
+## Consumers
+
+* [kustomize-controller](https://github.com/fluxcd/kustomize-controller/)
+* [helm-controller](https://github.com/fluxcd/helm-controller/)

docs/spec/v1/helmcharts.md

@@ -0,0 +1,865 @@
+# Helm Charts
+
+<!-- menuweight:50 -->
+
+The `HelmChart` API defines a Source to produce an Artifact for a Helm chart
+archive with a set of specific configurations.
+
+## Example
+
+The following is an example of a HelmChart. It fetches and/or packages a Helm
+chart and exposes it as a tarball (`.tgz`) Artifact for the specified
+configuration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  chart: podinfo
+  reconcileStrategy: ChartVersion
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo
+  version: '5.*'
+```
+
+In the above example:
+
+- A HelmChart named `podinfo` is created, indicated by the `.metadata.name`
+  field.
+- The source-controller fetches the Helm chart every five minutes from the
+  `podinfo` HelmRepository source reference, indicated by the
+  `.spec.sourceRef.kind` and `.spec.sourceRef.name` fields.
+- The fetched Helm chart version is the latest available chart
+  version in the range specified in `spec.version`. This version is also used as
+  Artifact revision, reported in-cluster in the `.status.artifact.revision`
+  field.
+- When the current Helm Chart version differs from the latest available chart
+  in the version range, it is fetched and/or packaged as a new Artifact.
+- The new Artifact is reported in the `.status.artifact` field.
+
+You can run this example by saving the manifest into `helmchart.yaml`.
+
+**Note:** HelmChart is usually used by the helm-controller. Based on the
+HelmRelease configuration, an associated HelmChart is created by the 
+helm-controller.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmchart.yaml
+   ```
+
+2. Run `kubectl get helmchart` to see the HelmChart:
+
+   ```console
+   NAME      CHART     VERSION   SOURCE KIND      SOURCE NAME   AGE   READY   STATUS                                     
+   podinfo   podinfo   5.*       HelmRepository   podinfo       53s   True    pulled 'podinfo' chart with version '5.2.1'
+   ```
+
+3. Run `kubectl describe helmchart podinfo` to see the [Artifact](#artifact) and
+   [Conditions](#conditions) in the HelmChart's Status:
+
+   ```console
+   Status:
+     Observed Source Artifact Revision:  sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+     Artifact:
+       Digest:            sha256:6c3cc3b955bce1686036ae6822ee2ca0ef6ecb994e3f2d19eaf3ec03dcba84b3
+       Last Update Time:  2022-02-13T11:24:10Z
+       Path:              helmchart/default/podinfo/podinfo-5.2.1.tgz
+       Revision:          5.2.1
+       Size:              14166
+       URL:               http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/podinfo-5.2.1.tgz
+     Conditions:
+       Last Transition Time:  2022-02-13T11:24:10Z
+       Message:               pulled 'podinfo' chart with version '5.2.1'
+       Observed Generation:   1
+       Reason:                ChartPullSucceeded
+       Status:                True
+       Type:                  Ready
+       Last Transition Time:  2022-02-13T11:24:10Z
+       Message:               pulled 'podinfo' chart with version '5.2.1'
+       Observed Generation:   1
+       Reason:                ChartPullSucceeded
+       Status:                True
+       Type:                  ArtifactInStorage
+     Observed Chart Name:     podinfo
+     Observed Generation:     1
+     URL:                     http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/latest.tar.gz
+   Events:
+     Type    Reason              Age    From               Message
+     ----    ------              ----   ----               -------
+     Normal  ChartPullSucceeded  2m51s  source-controller  pulled 'podinfo' chart with version '5.2.1'
+   ```
+
+## Writing a HelmChart spec
+
+As with all other Kubernetes config, a HelmChart needs `apiVersion`, `kind`, and
+`metadata` fields. The name of a HelmChart object must be a valid 
+[DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+A HelmChart also needs a
+[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+
+### Source reference
+
+`.spec.sourceRef` is a required field that specifies a reference to the Source
+the chart is available at.
+
+Supported references are:
+- [`HelmRepository`](helmrepositories.md)
+- [`GitRepository`](gitrepositories.md)
+- [`Bucket`](buckets.md)
+
+Although there are three kinds of source references, there are only two
+underlying implementations. The artifact building process for `GitRepository`
+and `Bucket` are the same as they are already built source artifacts. In case
+of `HelmRepository`, a chart is fetched and/or packaged based on the
+configuration of the Helm chart.
+
+For a `HelmChart` to be reconciled, the associated artifact in the source
+reference must be ready. If the source artifact is not ready, the `HelmChart`
+reconciliation is retried.
+
+When the `metadata.generation` of the `HelmChart` don't match with the
+`status.observedGeneration`, the chart is fetched from source and/or packaged.
+If there's no `.spec.valuesFiles` specified, the chart is only fetched from the
+source, and not packaged. If `.spec.valuesFiles` are specified, the chart is
+fetched and packaged with the values files. When the `metadata.generation`
+matches the `status.observedGeneration`, the chart is only fetched from source
+or from the cache if available, and not packaged.
+
+When using a `HelmRepository` source reference, the secret reference defined in
+the Helm repository is used to fetch the chart.
+
+The HelmChart reconciliation behavior varies depending on the source reference
+kind, see [reconcile strategy](#reconcile-strategy).
+
+The attributes of the generated artifact also varies depending on the source
+reference kind, see [artifact](#artifact).
+
+### Chart
+
+`.spec.chart` is a required field that specifies the name or path the Helm chart
+is available at in the [Source reference](#source-reference).
+
+For `HelmRepository` Source reference, it'll be just the name of the chart.
+
+```yaml
+spec:
+  chart: podinfo
+  sourceRef:
+    name: podinfo
+    kind: HelmRepository
+```
+
+For `GitRepository` and `Bucket` Source reference, it'll be the path to the
+Helm chart directory.
+
+```yaml
+spec:
+  chart: ./charts/podinfo
+  sourceRef:
+    name: podinfo
+    kind: <GitRepository|Bucket>
+```
+
+### Version
+
+`.spec.version` is an optional field to specify the version of the chart in
+semver. It is applicable only when the Source reference is a `HelmRepository`.
+It is ignored for `GitRepository` and `Bucket` Source reference. It defaults to
+the latest version of the chart with value `*`.
+
+Version can be a fixed semver, minor or patch semver range of a specific
+version (i.e. `4.0.x`) or any semver range (i.e. `>=4.0.0 <5.0.0`).
+
+### Values files
+
+`.spec.valuesFiles` is an optional field to specify an alternative list of
+values files to use as the chart values (values.yaml). The file paths are
+expected to be relative to the Source reference. Values files are merged in the
+order of the list with the last file overriding the first. It is ignored when
+omitted. When values files are specified, the chart is fetched and packaged
+with the provided values.
+
+```yaml
+spec:
+  chart:
+    spec:
+      chart: podinfo
+      ...
+      valuesFiles:
+        - values.yaml
+        - values-production.yaml
+```
+
+Values files also affect the generated artifact revision, see
+[artifact](#artifact).
+
+### Ignore missing values files
+
+`.spec.ignoreMissingValuesFiles` is an optional field to specify whether missing
+values files should be ignored rather than be considered errors.  It defaults to
+`false`.
+
+When `.spec.valuesFiles` and  `.spec.ignoreMissingValuesFiles` are specified,
+the `.status.observedValuesFiles` field is populated with the list of values
+files that were found and actually contributed to the packaged chart.
+
+### Reconcile strategy
+
+`.spec.reconcileStrategy` is an optional field to specify what enables the
+creation of a new Artifact. Valid values are `ChartVersion` and `Revision`.
+`ChartVersion` is used for creating a new artifact when the chart version
+changes in a `HelmRepository`. `Revision` is used for creating a new artifact
+when the source revision changes in a `GitRepository` or a `Bucket` Source. It
+defaults to `ChartVersion`.
+
+**Note:** If the reconcile strategy is `ChartVersion` and the source reference
+is a `GitRepository` or a `Bucket`, no new chart artifact is produced on updates
+to the source unless the `version` in `Chart.yaml` is incremented. To produce
+new chart artifact on change in source revision, set the reconcile strategy to
+`Revision`.
+
+Reconcile strategy also affects the artifact version, see [artifact](#artifact)
+for more details.
+
+### Interval
+
+`.spec.interval` is a required field that specifies the interval at which the
+Helm Chart source must be checked for updates.
+
+After successfully reconciling a HelmChart object, the source-controller
+requeues the object for inspection after the specified interval. The value must
+be in a [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `10m0s` to look at the source for updates every 10 minutes.
+
+If the `.metadata.generation` of a resource changes (due to e.g. applying a
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmChart objects are set
+up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
+### Suspend
+
+`.spec.suspend` is an optional field to suspend the reconciliation of a
+HelmChart. When set to `true`, the controller will stop reconciling the
+HelmChart, and changes to the resource or the Helm chart Source will not result
+in a new Artifact. When the field is set to `false` or removed, it will resume.
+
+For practical information, see
+[suspending and resuming](#suspending-and-resuming).
+
+### Verification
+
+**Note:** This feature is available only for Helm charts fetched from an OCI Registry.
+
+`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign) or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
+
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
+- `.secretRef.name`, to specify a reference to a Secret in the same namespace as
+  the HelmChart, containing the public keys of trusted authors. For Notation this Secret should also include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-public-keys
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+##### Public keys verification
+
+To verify the authenticity of HelmChart hosted in an OCI Registry, create a Kubernetes
+secret with the Cosign public keys:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cosign-public-keys
+type: Opaque
+data:
+  key1.pub: <BASE64>
+  key2.pub: <BASE64>
+```
+
+Note that the keys must have the `.pub` extension for Flux to make use of them.
+
+Flux will loop over the public keys and use them to verify a HelmChart's signature.
+This allows for older HelmCharts to be valid as long as the right key is in the secret.
+
+##### Keyless verification
+
+For publicly available HelmCharts, which are signed using the
+[Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
+you can enable the verification by omitting the `.verify.secretRef` field.
+
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
+Example of verifying  HelmCharts signed by the
+[Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  interval: 5m
+  chart: podinfo
+  reconcileStrategy: ChartVersion
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo
+  version: ">=6.1.6"
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
+```
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+spec:
+  interval: 1m0s
+  url: oci://ghcr.io/stefanprodan/charts
+  type: "oci"
+```
+
+The controller verifies the signatures using the Fulcio root CA and the Rekor
+instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
+
+Note that keyless verification is an **experimental feature**, using
+custom root CAs or self-hosted Rekor instances are not currently supported.
+
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
+## Working with HelmCharts
+
+### Triggering a reconcile
+
+To manually tell the source-controller to reconcile a HelmChart outside the
+[specified interval window](#interval), a HelmCHart can be annotated with
+`reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
+queues the object for reconciliation if the `<arbitrary-value>` differs from
+the last value the controller acted on, as reported in
+[`.status.lastHandledReconcileAt`](#last-handled-reconcile-at).
+
+Using `kubectl`:
+
+```sh
+kubectl annotate --field-manager=flux-client-side-apply --overwrite helmchart/<chart-name> reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+### Waiting for `Ready`
+
+When a change is applied, it is possible to wait for the HelmChart to reach a
+[ready state](#ready-helmchart) using `kubectl`:
+
+```sh
+kubectl wait helmchart/<chart-name> --for=condition=ready --timeout=1m
+```
+
+### Suspending and resuming
+
+When you find yourself in a situation where you temporarily want to pause the
+reconciliation of a HelmChart, you can suspend it using the
+[`.spec.suspend` field](#suspend).
+
+#### Suspend a HelmChart
+
+In your YAML declaration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+spec:
+  suspend: true
+```
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmchart <chart-name> --field-manager=flux-client-side-apply -p '{\"spec\": {\"suspend\" : true }}'
+```
+
+**Note:** When a HelmChart has an Artifact and is suspended, and this
+Artifact later disappears from the storage due to e.g. the source-controller
+Pod being evicted from a Node, this will not be reflected in the
+HelmChart's Status until it is resumed.
+
+#### Resume a HelmChart
+
+In your YAML declaration, comment out (or remove) the field:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+spec:
+  # suspend: true
+```
+
+**Note:** Setting the field value to `false` has the same effect as removing
+it, but does not allow for "hot patching" using e.g. `kubectl` while practicing
+GitOps; as the manually applied patch would be overwritten by the declared
+state in Git.
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmchart <chart-name> --field-manager=flux-client-side-apply -p '{\"spec\" : {\"suspend\" : false }}'
+```
+
+### Debugging a HelmChart
+
+There are several ways to gather information about a HelmChart for debugging
+purposes.
+
+#### Describe the HelmChart
+
+Describing a HelmChart using `kubectl describe helmchart <chart-name>` displays
+the latest recorded information for the resource in the `Status` and `Events`
+sections:
+
+```console
+...
+Status:
+...
+  Conditions:
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   True
+    Type:                     Stalled
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   False
+    Type:                     Ready
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   True
+    Type:                     FetchFailed
+  Last Handled Reconcile At:  1644759954
+  Observed Chart Name:        podinfo
+  Observed Generation:        3
+  URL:                        http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/latest.tar.gz
+Events:
+  Type     Reason                      Age                  From               Message
+  ----     ------                      ----                 ----               -------
+  Warning  InvalidChartReference       11s                  source-controller  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with ver
+sion matching '9.*' found
+```
+
+#### Trace emitted Events
+
+To view events for specific HelmChart(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
+
+```sh
+kubectl events --for HelmChart/<chart-name>
+```
+
+lists
+
+```console
+LAST SEEN   TYPE      REASON                       OBJECT                   MESSAGE
+22s         Warning   InvalidChartReference        helmchart/<chart-name>   invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+2s          Normal    ChartPullSucceeded           helmchart/<chart-name>   pulled 'podinfo' chart with version '6.0.3'
+2s          Normal    ArtifactUpToDate             helmchart/<chart-name>   artifact up-to-date with remote revision: '6.0.3'
+```
+
+Besides being reported in Events, the reconciliation errors are also logged by
+the controller. The Flux CLI offer commands for filtering the logs for a
+specific HelmChart, e.g. `flux logs --level=error --kind=HelmChart --name=<chart-name>`.
+
+### Improving resource consumption by enabling the cache
+
+When using a `HelmRepository` as Source for a `HelmChart`, the controller loads
+the repository index in memory to find the latest version of the chart.
+
+The controller can be configured to cache Helm repository indexes in memory.
+The cache is used to avoid loading repository indexes for every `HelmChart`
+reconciliation.
+
+The following flags are provided to enable and configure the cache:
+- `helm-cache-max-size`: The maximum size of the cache in number of indexes.
+  If `0`, then the cache is disabled.
+- `helm-cache-ttl`: The TTL of an index in the cache.
+- `helm-cache-purge-interval`: The interval at which the cache is purged of
+  expired items. 
+
+The caching strategy is to pull a repository index from the cache if it is 
+available, otherwise to load the index, retrieve and build the chart,
+then cache the index. The cached index TTL is refreshed every time the
+Helm repository index is loaded with the `helm-cache-ttl` value.
+
+The cache is purged of expired items every `helm-cache-purge-interval`.
+
+When the cache is full, no more items can be added to the cache, and the
+source-controller will report a warning event instead.
+
+In order to use the cache, set the related flags in the source-controller
+Deployment config:
+
+```yaml
+    spec:
+      containers:
+      - args:
+        - --watch-all-namespaces
+        - --log-level=info
+        - --log-encoding=json
+        - --enable-leader-election
+        - --storage-path=/data
+        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
+        ## Helm cache with up to 10 items, i.e. 10 indexes.
+        - --helm-cache-max-size=10
+        ## TTL of an index is 1 hour.
+        - --helm-cache-ttl=1h
+        ## Purge expired index every 10 minutes.
+        - --helm-cache-purge-interval=10m
+```
+
+## HelmChart Status
+
+### Artifact
+
+The HelmChart reports the last built chart as an Artifact object in the
+`.status.artifact` of the resource.
+
+The Artifact file is a gzip compressed TAR archive (`<chart-name>-<chart-version>.tgz`),
+and can be retrieved in-cluster from the `.status.artifact.url` HTTP address.
+
+#### Artifact example
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:e30b95a08787de69ffdad3c232d65cfb131b5b50c6fd44295f48a078fceaa44e
+    lastUpdateTime: "2022-02-10T18:53:47Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
+    revision: 6.0.3
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
+```
+
+When using a `HelmRepository` as the source reference and values files are
+provided, the value of `status.artifact.revision` is the chart version combined
+with the `HelmChart` object generation. For example, if the chart version is
+`6.0.3` and the `HelmChart` object generation is `1`, the
+`status.artifact.revision` value will be `6.0.3+1`.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:ee68224ded207ebb18a8e9730cf3313fa6bc1f31e6d8d3943ab541113559bb52
+    lastUpdateTime: "2022-02-28T08:07:12Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
+    revision: 6.0.3+1
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
+  observedGeneration: 1
+  ...
+```
+
+When using a `GitRepository` or a `Bucket` as the source reference and
+`Revision` as the reconcile strategy, the value of `status.artifact.revision` is
+the chart version combined with the first 12 characters of the revision of the
+`GitRepository` or `Bucket`. For example if the chart version is `6.0.3` and the
+revision of the `Bucket` is `4e5cbb7b97d00a8039b8810b90b922f4256fd3bd8f78b934b4892dae13f7ca87`,
+the `status.artifact.revision` value will be `6.0.3+4e5cbb7b97d0`.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:8d1f0ac3f4b0e8759a32180086f17ac87ca04e5d46c356e67f97e97616ef4718
+    lastUpdateTime: "2022-02-28T08:07:12Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
+    revision: 6.0.3+4e5cbb7b97d0
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
+```
+
+### Conditions
+
+A HelmChart enters various states during its lifecycle, reflected as [Kubernetes
+Conditions][typical-status-properties].
+It can be [reconciling](#reconciling-helmchart) while fetching or building the
+chart,  it can be [ready](#ready-helmchart), it can
+[fail during reconciliation](#failed-helmchart), or it can
+[stall](#stalled-helmchart).
+
+The HelmChart API is compatible with the [kstatus
+specification][kstatus-spec],
+and reports `Reconciling` and `Stalled` conditions where applicable to
+provide better (timeout) support to solutions polling the HelmChart to become
+`Ready`.
+
+#### Reconciling HelmChart
+
+The source-controller marks a HelmChart as _reconciling_ when one of the
+following is true:
+
+- There is no current Artifact for the HelmChart, or the reported Artifact is
+  determined to have disappeared from the storage.
+- The generation of the HelmChart is newer than the [Observed
+  Generation](#observed-generation).
+- The newly fetched Artifact revision differs from the current Artifact.
+
+When the HelmChart is "reconciling", the `Ready` Condition status becomes
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmChart's `.status.conditions`:
+
+- `type: Reconciling`
+- `status: "True"`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
+
+If the reconciling state is due to a new version, it adds an additional
+Condition with the following attributes:
+
+- `type: ArtifactOutdated`
+- `status: "True"`
+- `reason: NewChart`
+
+Both Conditions have a ["negative polarity"][typical-status-properties],
+and are only present on the HelmChart while their status value is `"True"`.
+
+#### Ready HelmChart
+
+The source-controller marks a HelmChart as _ready_ when it has the following
+characteristics:
+
+- The HelmChart reports an [Artifact](#artifact).
+- The reported Artifact exists in the controller's Artifact storage.
+- The controller was able to fetch and build the Helm chart using the current
+  spec.
+- The version/revision of the reported Artifact is up-to-date with the
+  latest version/revision of the Helm chart.
+
+When the HelmChart is "ready", the controller sets a Condition with the
+following attributes in the HelmChart's `.status.conditions`:
+
+- `type: Ready`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `Ready` Condition will retain a status value of `"True"` until the
+HelmChart is marked as [reconciling](#reconciling-helmchart), or e.g.
+a [transient error](#failed-helmchart) occurs due to a temporary network issue.
+
+When the HelmChart Artifact is archived in the controller's Artifact
+storage, the controller sets a Condition with the following attributes in the
+HelmChart's `.status.conditions`:
+
+- `type: ArtifactInStorage`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `ArtifactInStorage` Condition will retain a status value of `"True"` until
+the Artifact in the storage no longer exists.
+
+#### Failed HelmChart
+
+The source-controller may get stuck trying to produce an Artifact for a
+HelmChart without completing. This can occur due to some of the following
+factors:
+
+- The Helm chart Source is temporarily unavailable.
+- The credentials in the [Source reference](#source-reference) Secret are
+  invalid.
+- The HelmChart spec contains a generic misconfiguration.
+- A storage related failure when storing the artifact.
+
+When this happens, the controller sets the `Ready` Condition status to `False`,
+and adds a Condition with the following attributes to the HelmChart's
+`.status.conditions`:
+
+- `type: FetchFailed` | `type: StorageOperationFailed`
+- `status: "True"`
+- `reason: AuthenticationFailed` | `reason: StorageOperationFailed` | `reason: URLInvalid` | `reason: IllegalPath` | `reason: Failed`
+
+This condition has a ["negative polarity"][typical-status-properties],
+and is only present on the HelmChart while the status value is `"True"`.
+There may be more arbitrary values for the `reason` field to provide accurate
+reason for a condition.
+
+While the HelmChart has this Condition, the controller will continue to
+attempt to produce an Artifact for the resource with an exponential backoff,
+until it succeeds and the HelmChart is marked as [ready](#ready-helmchart).
+
+Note that a HelmChart can be [reconciling](#reconciling-helmchart)
+while failing at the same time, for example due to a newly introduced
+configuration issue in the HelmChart spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
+
+#### Stalled HelmChart
+
+The source-controller can mark a HelmChart as _stalled_ when it determines that
+without changes to the spec, the reconciliation can not succeed.
+For example because a HelmChart Version is set to a non-existing version.
+
+When this happens, the controller sets the same Conditions as when it
+[fails](#failed-helmchart), but adds another Condition with the following
+attributes to the HelmChart's `.status.conditions`:
+
+- `type: Stalled`
+- `status: "True"`
+- `reason: InvalidChartReference`
+
+While the HelmChart has this Condition, the controller will not requeue the
+resource any further, and will stop reconciling the resource until a change to
+the spec is made.
+
+### Observed Source Artifact Revision
+
+The source-controller reports the revision of the last
+[Source reference's](#source-reference) Artifact the current chart was fetched
+from in the HelmChart's `.status.observedSourceArtifactRevision`. It is used to
+keep track of the source artifact revision and detect when a new source
+artifact is available.
+
+### Observed Chart Name
+
+The source-controller reports the last resolved chart name of the Artifact
+for the [`.spec.chart` field](#chart) in the HelmChart's
+`.status.observedChartName`. It is used to keep track of the chart and detect
+when a new chart is found.
+
+### Observed Generation
+
+The source-controller reports an [observed generation][typical-status-properties]
+in the HelmChart's `.status.observedGeneration`. The observed generation is the
+latest `.metadata.generation` which resulted in either a [ready state](#ready-helmchart),
+or stalled due to error it can not recover from without human
+intervention.
+
+### Last Handled Reconcile At
+
+The source-controller reports the last `reconcile.fluxcd.io/requestedAt`
+annotation value it acted on in the `.status.lastHandledReconcileAt` field.
+
+For practical information about this field, see [triggering a
+reconcile](#triggering-a-reconcile).
+
+[typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+[kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1/helmrepositories.md

@@ -0,0 +1,878 @@
+# Helm Repositories
+
+<!-- menuweight:40 -->
+
+There are 2 [Helm repository types](#type) defined by the `HelmRepository` API:
+- Helm HTTP/S repository, which defines a Source to produce an Artifact for a Helm
+repository index YAML (`index.yaml`). 
+- OCI Helm repository, which defines a source that does not produce an Artifact.
+  It's a data container to store the information about the OCI repository that
+  can be used by [HelmChart](helmcharts.md) to access OCI Helm charts.
+
+## Examples
+
+### Helm HTTP/S repository
+
+The following is an example of a HelmRepository. It creates a YAML (`.yaml`)
+Artifact from the fetched Helm repository index (in this example the [podinfo
+repository](https://github.com/stefanprodan/podinfo)):
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://stefanprodan.github.io/podinfo
+```
+
+In the above example:
+
+- A HelmRepository named `podinfo` is created, indicated by the
+  `.metadata.name` field.
+- The source-controller fetches the Helm repository index YAML every five
+  minutes from `https://stefanprodan.github.io/podinfo`, indicated by the
+  `.spec.interval` and `.spec.url` fields.
+- The digest (algorithm defaults to SHA256) of the Helm repository index after
+  stable sorting the entries is used as Artifact revision, reported in-cluster
+  in the `.status.artifact.revision` field.
+- When the current HelmRepository revision differs from the latest fetched 
+  revision, it is stored as a new Artifact.
+- The new Artifact is reported in the `.status.artifact` field.
+
+You can run this example by saving the manifest into `helmrepository.yaml`.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmrepository.yaml
+   ```
+
+2. Run `kubectl get helmrepository` to see the HelmRepository:
+
+   ```console
+   NAME      URL                                      AGE   READY   STATUS                                                                                         
+   podinfo   https://stefanprodan.github.io/podinfo   4s    True    stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+   ```
+
+3. Run `kubectl describe helmrepository podinfo` to see the [Artifact](#artifact)
+   and [Conditions](#conditions) in the HelmRepository's Status:
+
+   ```console
+   ...
+   Status:
+     Artifact:
+       Digest:            sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Last Update Time:  2022-02-04T09:55:58Z
+       Path:              helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+       Revision:          sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Size:              40898
+       URL:               http://source-controller.flux-system.svc.cluster.local./helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+     Conditions:
+       Last Transition Time:  2022-02-04T09:55:58Z
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Observed Generation:   1
+       Reason:                Succeeded
+       Status:                True
+       Type:                  Ready
+       Last Transition Time:  2022-02-04T09:55:58Z
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Observed Generation:   1
+       Reason:                Succeeded
+       Status:                True
+       Type:                  ArtifactInStorage
+     Observed Generation:     1
+     URL:                     http://source-controller.flux-system.svc.cluster.local./helmrepository/default/podinfo/index.yaml
+   Events:
+     Type    Reason                      Age                From               Message
+     ----    ------                      ----               ----               -------
+     Normal  NewArtifact                 1m                 source-controller  fetched index of size 30.88kB from 'https://stefanprodan.github.io/podinfo'
+   ```
+
+### Helm OCI repository
+
+The following is an example of an OCI HelmRepository.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  type: "oci"
+  interval: 5m0s
+  url: oci://ghcr.io/stefanprodan/charts
+```
+
+In the above example:
+
+- A HelmRepository named `podinfo` is created, indicated by the
+  `.metadata.name` field.
+- A HelmChart that refers to this HelmRepository uses the URL in the `.spec.url`
+  field to access the OCI Helm chart.
+
+**NOTE:** The `.spec.interval` field is only used by the `default` Helm
+repository and is ignored for any value in `oci` Helm repository.
+
+You can run this example by saving the manifest into `helmrepository.yaml`.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmrepository.yaml
+   ```
+
+2. Run `kubectl get helmrepository` to see the HelmRepository:
+
+   ```console
+   NAME      URL                                 AGE     READY   STATUS
+   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s
+   ```
+
+Because the OCI Helm repository is a data container, there's nothing to report
+for `READY` and `STATUS` columns above. The existence of the object can be
+considered to be ready for use.
+
+## Writing a HelmRepository spec
+
+As with all other Kubernetes config, a HelmRepository needs `apiVersion`,
+`kind`, and `metadata` fields. The name of a HelmRepository object must be a
+valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+A HelmRepository also needs a
+[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+
+### Type
+
+`.spec.type` is an optional field that specifies the Helm repository type. 
+
+Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
+
+### Provider
+
+`.spec.provider` is an optional field that allows specifying an OIDC provider used
+for authentication purposes.
+
+Supported options are:
+- `generic`
+- `aws`
+- `azure`
+- `gcp`
+
+The `generic` provider can be used for public repositories or when static credentials
+are used for authentication. If you do not specify `.spec.provider`, it defaults
+to `generic`.
+
+**Note**: The provider field is supported only for Helm OCI repositories. The `spec.type`
+field must be set to `oci`.
+
+#### AWS
+
+The `aws` provider can be used to authenticate automatically using the EKS worker
+node IAM role or IAM Role for Service Accounts (IRSA), and by extension gain access
+to ECR.
+
+##### EKS Worker Node IAM Role
+
+When the worker node IAM role has access to ECR, source-controller running on it
+will also have access to ECR.
+
+##### IAM Role for Service Accounts (IRSA)
+
+When using IRSA to enable access to ECR, add the following patch to your bootstrap
+repository, in the `flux-system/kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        annotations:
+          eks.amazonaws.com/role-arn: <role arn>
+    target:
+      kind: ServiceAccount
+      name: source-controller
+```
+
+Note that you can attach the AWS managed policy `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly`
+to the IAM role when using IRSA.
+
+#### Azure
+
+The `azure` provider can be used to authenticate automatically using Workload Identity and Kubelet Managed
+Identity to gain access to ACR.
+
+##### Kubelet Managed Identity
+
+When the kubelet managed identity has access to ACR, source-controller running on 
+it will also have access to ACR.
+
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
+##### Azure Workload Identity
+
+When using Workload Identity to enable access to ACR, add the following patch to
+your bootstrap repository, in the `flux-system/kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
+
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
+a federated identity between the source-controller ServiceAccount and the
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
+above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+
+#### GCP
+
+The `gcp` provider can be used to authenticate automatically using OAuth scopes or
+Workload Identity, and by extension gain access to GCR or Artifact Registry.
+
+##### Access Scopes
+
+When the GKE nodes have the appropriate OAuth scope for accessing GCR and Artifact Registry,
+source-controller running on it will also have access to them.
+
+##### GKE Workload Identity
+
+When using Workload Identity to enable access to GCR or Artifact Registry, add the
+following patch to your bootstrap repository, in the `flux-system/kustomization.yaml`
+file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        annotations:
+          iam.gke.io/gcp-service-account: <identity-name>
+    target:
+      kind: ServiceAccount
+      name: source-controller
+```
+
+The Artifact Registry service uses the permission `artifactregistry.repositories.downloadArtifacts`
+that is located under the Artifact Registry Reader role. If you are using Google Container Registry service,
+the needed permission is instead `storage.objects.list` which can be bound as part
+of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+for more information about setting up GKE Workload Identity.
+
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
+**Note**: The insecure field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
+### Interval
+
+**Note:** This field is ineffectual for [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.interval` is a an optional field that specifies the interval which the
+Helm repository index must be consulted at. When not set, the default value is
+`1m`.
+
+After successfully reconciling a HelmRepository object, the source-controller
+requeues the object for inspection after the specified interval. The value
+must be in a [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `10m0s` to fetch the HelmRepository index YAML every 10 minutes.
+
+If the `.metadata.generation` of a resource changes (due to e.g. applying a
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmRepository objects
+are set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
+### URL
+
+`.spec.url` is a required field that depending on the [type of the HelmRepository object](#type)
+specifies the HTTP/S or OCI address of a Helm repository.
+
+For OCI, the URL is expected to point to a registry repository, e.g. `oci://ghcr.io/fluxcd/source-controller`.
+
+For Helm repositories which require authentication, see [Secret reference](#secret-reference).
+
+### Timeout
+
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.timeout` is an optional field to specify a timeout for the fetch
+operation. The value must be in a
+[Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `1m30s` for a timeout of one minute and thirty seconds. When not set, the
+default value is `1m`.
+
+### Secret reference
+
+`.spec.secretRef.name` is an optional field to specify a name reference to a
+Secret in the same namespace as the HelmRepository, containing authentication
+credentials for the repository.
+
+#### Basic access authentication
+
+To authenticate towards a Helm repository using basic access authentication
+(in other words: using a username and password), the referenced Secret is
+expected to contain `.data.username` and `.data.password` values.
+
+For example:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://example.com
+  secretRef:
+    name: example-user
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-user
+  namespace: default
+stringData:
+  username: "user-123456"
+  password: "pass-123456"
+```
+
+OCI Helm repository example:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://ghcr.io/my-user/my-private-repo
+  type: "oci"
+  secretRef:
+    name: oci-creds
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oci-creds
+  namespace: default
+stringData:
+  username: "user-123456"
+  password: "pass-123456"
+```
+
+For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
+It is possible to create one such secret with `kubectl create secret docker-registry`
+or using the Flux CLI:
+
+```yaml
+flux create secret oci ghcr-auth \
+  --url=ghcr.io \
+  --username=flux \
+  --password=${GITHUB_PAT}
+```
+
+**Warning:** Support for specifying TLS authentication data using this API has been
+deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
+If the controller uses the secret specified by this field to configure TLS, then
+a deprecation warning will be logged.
+
+### Cert secret reference
+
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
+
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+Example usage:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://example.com
+  certSecretRef:
+    name: example-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-tls
+  namespace: default
+type: kubernetes.io/tls # or Opaque
+data:
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
+  # NOTE: Can be supplied without the above values
+  ca.crt: <BASE64>
+```
+
+### Pass credentials
+
+`.spec.passCredentials` is an optional field to allow the credentials from the
+[Secret reference](#secret-reference) to be passed on to a host that does not
+match the host as defined in URL. This may for example be required if the host
+advertised chart URLs in the index differ from the specified URL.
+
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a man-in-the-middle attack. This feature only applies
+to HTTP/S Helm repositories.
+
+### Suspend
+
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.suspend` is an optional field to suspend the reconciliation of a
+HelmRepository. When set to `true`, the controller will stop reconciling the
+HelmRepository, and changes to the resource or the Helm repository index will
+not result in a new Artifact. When the field is set to `false` or removed, it
+will resume.
+
+For practical information, see
+[suspending and resuming](#suspending-and-resuming).
+
+## Working with HelmRepositories
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, once created, they
+are ready to used by [HelmCharts](helmcharts.md).
+ 
+### Triggering a reconcile
+
+To manually tell the source-controller to reconcile a HelmRepository outside the
+[specified interval window](#interval), a HelmRepository can be annotated with
+`reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
+queues the object for reconciliation if the `<arbitrary-value>` differs from
+the last value the controller acted on, as reported in
+[`.status.lastHandledReconcileAt`](#last-handled-reconcile-at).
+
+Using `kubectl`:
+
+```sh
+kubectl annotate --field-manager=flux-client-side-apply --overwrite helmrepository/<repository-name> reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+Using `flux`:
+
+```sh
+flux reconcile source helm <repository-name>
+```
+
+### Waiting for `Ready`
+
+When a change is applied, it is possible to wait for the HelmRepository to
+reach a [ready state](#ready-helmrepository) using `kubectl`:
+
+```sh
+kubectl wait helmrepository/<repository-name> --for=condition=ready --timeout=1m
+```
+
+### Suspending and resuming
+
+When you find yourself in a situation where you temporarily want to pause the
+reconciliation of a HelmRepository, you can suspend it using the
+[`.spec.suspend` field](#suspend).
+
+#### Suspend a HelmRepository
+
+In your YAML declaration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+spec:
+  suspend: true
+```
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmrepository <repository-name> --field-manager=flux-client-side-apply -p '{\"spec\": {\"suspend\" : true }}'
+```
+
+Using `flux`:
+
+```sh
+flux suspend source helm <repository-name>
+```
+
+**Note:** When a HelmRepository has an Artifact and is suspended, and this
+Artifact later disappears from the storage due to e.g. the source-controller
+Pod being  evicted from a Node, this will not be reflected in the
+HelmRepository's Status until it is resumed.
+
+#### Resume a HelmRepository
+
+In your YAML declaration, comment out (or remove) the field:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+spec:
+  # suspend: true
+```
+
+**Note:** Setting the field value to `false` has the same effect as removing
+it, but does not allow for "hot patching" using e.g. `kubectl` while practicing
+GitOps; as the manually applied patch would be overwritten by the declared
+state in Git.
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmrepository <repository-name> --field-manager=flux-client-side-apply -p '{\"spec\" : {\"suspend\" : false }}'
+```
+
+Using `flux`:
+
+```sh
+flux resume source helm <repository-name>
+```
+
+### Debugging a HelmRepository
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, they are static
+objects that don't require debugging if valid.
+
+There are several ways to gather information about a HelmRepository for debugging
+purposes.
+
+#### Describe the HelmRepository
+
+Describing a HelmRepository using `kubectl describe helmrepository <repository-name>`
+displays the latest recorded information for the resource in the `Status` and
+`Events` sections:
+
+```console
+...
+Status:
+...
+  Conditions:
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                True
+    Type:                  Stalled
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                False
+    Type:                  Ready
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                True
+    Type:                  FetchFailed
+  Observed Generation:     2
+  URL:                     http://source-controller.source-system.svc.cluster.local./helmrepository/default/podinfo/index.yaml
+Events:
+  Type     Reason                      Age                  From               Message
+  ----     ------                      ----                 ----               -------
+  Warning  Failed                      6s                   source-controller  failed to construct Helm client: scheme "invalid" not supported
+```
+
+#### Trace emitted Events
+
+To view events for specific HelmRepository(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
+
+```sh
+kubectl events --for HelmRepository/<repository-name>
+```
+
+lists
+
+```console
+LAST SEEN   TYPE      REASON           OBJECT                             MESSAGE
+107s        Warning   Failed           helmrepository/<repository-name>   failed to construct Helm client: scheme "invalid" not supported
+7s          Normal    NewArtifact      helmrepository/<repository-name>   fetched index of size 30.88kB from 'https://stefanprodan.github.io/podinfo'
+3s          Normal    ArtifactUpToDate helmrepository/<repository-name>   artifact up-to-date with remote revision: 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+```
+
+Besides being reported in Events, the reconciliation errors are also logged by
+the controller. The Flux CLI offer commands for filtering the logs for a
+specific HelmRepository, e.g. `flux logs --level=error --kind=HelmRepository --name=<chart-name>`.
+
+## HelmRepository Status
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), they do not contain any information in the
+status.
+
+### Artifact
+
+The HelmRepository reports the last fetched repository index as an Artifact
+object in the `.status.artifact` of the resource.
+
+The Artifact file is an exact copy of the Helm repository index YAML
+(`index-<revision>.yaml`) as fetched, and can be retrieved in-cluster from the
+`.status.artifact.url` HTTP address.
+
+#### Artifact example
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+status:
+  artifact:
+    digest: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    lastUpdateTime: "2022-02-04T09:55:58Z"
+    path: helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+    revision: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    size: 40898
+    url: http://source-controller.flux-system.svc.cluster.local./helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+```
+
+### Conditions
+
+A HelmRepository enters various states during its lifecycle, reflected as [Kubernetes
+Conditions][typical-status-properties].
+It can be [reconciling](#reconciling-helmrepository) while fetching the
+repository index,  it can be [ready](#ready-helmrepository), it can
+[fail during reconciliation](#failed-helmrepository), or it can
+[stall](#stalled-helmrepository).
+
+The HelmRepository API is compatible with the [kstatus
+specification][kstatus-spec],
+and reports `Reconciling` and `Stalled` conditions where applicable to
+provide better (timeout) support to solutions polling the HelmRepository to become
+`Ready`.
+
+#### Reconciling HelmRepository
+
+The source-controller marks a HelmRepository as _reconciling_ when one of the following
+is true:
+
+- There is no current Artifact for the HelmRepository, or the reported Artifact
+  is determined to have disappeared from the storage.
+- The generation of the HelmRepository is newer than the [Observed
+  Generation](#observed-generation).
+- The newly fetched Artifact revision differs from the current Artifact.
+
+When the HelmRepository is "reconciling", the `Ready` Condition status becomes
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmRepository's `.status.conditions`:
+
+- `type: Reconciling`
+- `status: "True"`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
+
+If the reconciling state is due to a new revision, it adds an additional
+Condition with the following attributes:
+
+- `type: ArtifactOutdated`
+- `status: "True"`
+- `reason: NewRevision`
+
+Both Conditions have a ["negative polarity"][typical-status-properties],
+and are only present on the HelmRepository while their status value is `"True"`.
+
+#### Ready HelmRepository
+
+The source-controller marks a HelmRepository as _ready_ when it has the following
+characteristics:
+
+- The HelmRepository reports an [Artifact](#artifact).
+- The reported Artifact exists in the controller's Artifact storage.
+- The controller was able to fetch the Helm repository index using the current
+  spec.
+- The revision of the reported Artifact is up-to-date with the latest
+  revision of the Helm repository.
+
+When the HelmRepository is "ready", the controller sets a Condition with the following
+attributes in the HelmRepository's `.status.conditions`:
+
+- `type: Ready`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `Ready` Condition will retain a status value of `"True"` until the
+HelmRepository is marked as [reconciling](#reconciling-helmrepository), or e.g.
+a [transient error](#failed-helmrepository) occurs due to a temporary network
+issue.
+
+When the HelmRepository Artifact is archived in the controller's Artifact
+storage, the controller sets a Condition with the following attributes in the
+HelmRepository's `.status.conditions`:
+
+- `type: ArtifactInStorage`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `ArtifactInStorage` Condition will retain a status value of `"True"` until
+the Artifact in the storage no longer exists.
+
+#### Failed HelmRepository
+
+The source-controller may get stuck trying to produce an Artifact for a
+HelmRepository without completing. This can occur due to some of the following
+factors:
+
+- The Helm repository [URL](#url) is temporarily unavailable.
+- The [Secret reference](#secret-reference) contains a reference to a
+  non-existing Secret.
+- The credentials in the referenced Secret are invalid.
+- The HelmRepository spec contains a generic misconfiguration.
+- A storage related failure when storing the artifact.
+
+When this happens, the controller sets the `Ready` Condition status to `False`,
+and adds a Condition with the following attributes to the HelmRepository's
+`.status.conditions`:
+
+- `type: FetchFailed` | `type: StorageOperationFailed`
+- `status: "True"`
+- `reason: AuthenticationFailed` | `reason: IndexationFailed` | `reason: Failed`
+
+This condition has a ["negative polarity"][typical-status-properties],
+and is only present on the HelmRepository while the status value is `"True"`.
+There may be more arbitrary values for the `reason` field to provide accurate
+reason for a condition.
+
+While the HelmRepository has this Condition, the controller will continue to
+attempt to produce an Artifact for the resource with an exponential backoff,
+until it succeeds and the HelmRepository is marked as [ready](#ready-helmrepository).
+
+Note that a HelmRepository can be [reconciling](#reconciling-helmrepository)
+while failing at the same time, for example due to a newly introduced
+configuration issue in the HelmRepository spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
+
+#### Stalled HelmRepository
+
+The source-controller can mark a HelmRepository as _stalled_ when it determines
+that without changes to the spec, the reconciliation can not succeed.
+For example because a Helm repository URL with an unsupported protocol is
+specified.
+
+When this happens, the controller sets the same Conditions as when it
+[fails](#failed-helmrepository), but adds another Condition with the following
+attributes to the HelmRepository's
+`.status.conditions`:
+
+- `type: Stalled`
+- `status: "True"`
+- `reason: URLInvalid`
+
+While the HelmRepository has this Condition, the controller will not requeue
+the resource any further, and will stop reconciling the resource until a change
+to the spec is made.
+
+### Observed Generation
+
+The source-controller reports an [observed generation][typical-status-properties]
+in the HelmRepository's `.status.observedGeneration`. The observed generation is
+the latest `.metadata.generation` which resulted in either a [ready state](#ready-helmrepository),
+or stalled due to error it can not recover from without human intervention.
+
+### Last Handled Reconcile At
+
+The source-controller reports the last `reconcile.fluxcd.io/requestedAt`
+annotation value it acted on in the `.status.lastHandledReconcileAt` field.
+
+For practical information about this field, see [triggering a
+reconcile](#triggering-a-reconcile).
+
+[pem-encoding]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
+[typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+[kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1alpha1/helmrepositories.md

@@ -19,7 +19,7 @@ type HelmRepositorySpec struct {
 	// repository.
 	// For HTTP/S basic auth the secret must contain username and
 	// password fields.
-	// For TLS the secret must contain caFile, keyFile and caCert
+	// For TLS the secret must contain caFile, keyFile and caFile
 	// fields.
     // +optional
 	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`

docs/spec/v1beta1/helmrepositories.md

@@ -20,7 +20,7 @@ type HelmRepositorySpec struct {
 	// For HTTP/S basic auth the secret must contain username and
 	// password fields.
 	// For TLS the secret must contain a certFile and keyFile, and/or
-	// caCert fields.
+	// caFile fields.
 	// +optional
 	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
 

docs/spec/v1beta2/buckets.md

@@ -1,5 +1,7 @@
 # Buckets
 
+<!-- menuweight:30 -->
+
 The `Bucket` API defines a Source to produce an Artifact for objects from storage
 solutions like Amazon S3, Google Cloud Storage buckets, or any other solution
 with a S3 compatible API such as Minio, Alibaba Cloud OSS and others.
@@ -48,8 +50,8 @@ In the above example:
 - A list of object keys and their [etags](https://en.wikipedia.org/wiki/HTTP_ETag)
   in the `.spec.bucketName` bucket is compiled, while filtering the keys using
   [default ignore rules](#default-exclusions).
-- The SHA256 sum of the list is used as Artifact revision, reported
-  in-cluster in the `.status.artifact.revision` field.
+- The digest (algorithm defaults to SHA256) of the list is used as Artifact
+  revision, reported in-cluster in the `.status.artifact.revision` field.
 - When the current Bucket revision differs from the latest calculated revision,
   all objects are fetched and archived.
 - The new Artifact is reported in the `.status.artifact` field.
@@ -71,7 +73,7 @@ control over.
 
    ```console
    NAME           ENDPOINT            AGE   READY   STATUS                                                                                         
-   minio-bucket   minio.example.com   34s   True    stored artifact for revision 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+   minio-bucket   minio.example.com   34s   True    stored artifact for revision 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
    ```
 
 3. Run `kubectl describe bucket minio-bucket` to see the [Artifact](#artifact)
@@ -81,20 +83,21 @@ control over.
    ...
    Status:
      Artifact:
-       Checksum:          72aa638abb455ca5f9ef4825b949fd2de4d4be0a74895bf7ed2338622cd12686
+       Digest:            sha256:72aa638abb455ca5f9ef4825b949fd2de4d4be0a74895bf7ed2338622cd12686
        Last Update Time:  2022-02-01T23:43:38Z
        Path:              bucket/default/minio-bucket/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar.gz
-       Revision:          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+       Revision:          sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+       Size:              38099
        URL:               http://source-controller.source-system.svc.cluster.local./bucket/default/minio-bucket/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar.gz
      Conditions:
        Last Transition Time:  2022-02-01T23:43:38Z
-       Message:               stored artifact for revision 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+       Message:               stored artifact for revision 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
        Type:                  Ready
        Last Transition Time:  2022-02-01T23:43:38Z
-       Message:               stored artifact for revision 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+       Message:               stored artifact for revision 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
@@ -104,7 +107,7 @@ control over.
    Events:
      Type    Reason                  Age   From               Message
      ----    ------                  ----  ----               -------
-     Normal  NewArtifact             82s   source-controller  fetched 16 files from 'example'
+     Normal  NewArtifact             82s   source-controller  stored artifact with 16 fetched files from 'example' bucket
    ```
 
 ## Writing a Bucket spec
@@ -277,6 +280,7 @@ Without a [Secret reference](#secret-reference), authentication using a chain
 with:
 
 - [Environment credentials](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)
+- [Workload Identity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.3.0-beta.4#WorkloadIdentityCredential)
 - [Managed Identity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential)
   with the `AZURE_CLIENT_ID`
 - Managed Identity with a system-assigned identity
@@ -433,22 +437,103 @@ data:
   accountKey: <BASE64>
 ```
 
-#### Managed Identity with AAD Pod Identity
+##### Workload Identity
 
-If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs), you can create an identity that has access to Azure Storage.
+If you have [Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
+set up on your cluster, you need to create an Azure Identity and give it
+access to Azure Blob Storage.
+
+```shell
+export IDENTITY_NAME="blob-access"
+
+az role assignment create --role "Storage Blob Data Reader" \
+--assignee-object-id "$(az identity show -n $IDENTITY_NAME  -o tsv --query principalId  -g $RESOURCE_GROUP)" \
+--scope "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Storage/storageAccounts/<account-name>/blobServices/default/containers/<container-name>"
+```
+
+Establish a federated identity between the Identity and the source-controller
+ServiceAccount.
+
+```shell
+export SERVICE_ACCOUNT_ISSUER="$(az aks show --resource-group <RESOURCE_GROUP> --name <CLUSTER-NAME> --query "oidcIssuerProfile.issuerUrl" -otsv)"
+
+az identity federated-credential create \
+  --name "kubernetes-federated-credential" \
+  --identity-name "${IDENTITY_NAME}" \
+  --resource-group "${RESOURCE_GROUP}" \
+  --issuer "${SERVICE_ACCOUNT_ISSUER}" \
+  --subject "system:serviceaccount:flux-system:source-controller"
+```
+
+Add a patch to label and annotate the source-controller Deployment and ServiceAccount
+correctly so that it can match an identity binding:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
+
+If you have set up Workload Identity correctly and labeled the source-controller
+Deployment and ServiceAccount, then you don't need to reference a Secret. For more information,
+please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html).
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: azure-bucket
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  provider: azure
+  bucketName: testsas
+  endpoint: https://testfluxsas.blob.core.windows.net
+```
+
+##### Deprecated: Managed Identity with AAD Pod Identity
+
+If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs),
+You need to create an Azure Identity and give it access to Azure Blob Storage.
 
 ```sh
 export IDENTITY_NAME="blob-access"
 
-az role assignment create --role "Storage Blob Data Contributor"  \
---assignee-object-id "$(az identity show -n blob-access  -o tsv --query principalId  -g $RESOURCE_GROUP)" \
---scope "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/aks-somto/providers/Microsoft.Storage/storageAccounts/<account-name>/blobServices/default/containers/<container-name>"
+az role assignment create --role "Storage Blob Data Reader"  \
+--assignee-object-id "$(az identity show -n $IDENTITY_NAME -o tsv --query principalId  -g $RESOURCE_GROUP)" \
+--scope "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/<account-name>/blobServices/default/containers/<container-name>"
 
 export IDENTITY_CLIENT_ID="$(az identity show -n ${IDENTITY_NAME} -g ${RESOURCE_GROUP} -otsv --query clientId)"
 export IDENTITY_RESOURCE_ID="$(az identity show -n ${IDENTITY_NAME} -otsv --query id)"
 ```
 
-Create an `AzureIdentity` object that references the identity created above:
+Create an AzureIdentity object that references the identity created above:
 
 ```yaml
 ---
@@ -463,7 +548,8 @@ spec:
   type: 0  # user-managed identity
 ```
 
-Create an `AzureIdentityBinding` object that binds pods with a specific selector with the `AzureIdentity` created:
+Create an AzureIdentityBinding object that binds Pods with a specific selector
+with the AzureIdentity created:
 
 ```yaml
 apiVersion: "aadpodidentity.k8s.io/v1"
@@ -475,7 +561,7 @@ spec:
   selector: ${IDENTITY_NAME}
 ```
 
-Label the source-controller correctly so that it can match an identity binding:
+Label the source-controller Deployment correctly so that it can match an identity binding:
 
 ```yaml
 apiVersion: apps/v1
@@ -490,7 +576,8 @@ spec:
         aadpodidbinding: ${IDENTITY_NAME}  # match the AzureIdentity name
 ```
 
-If you have set aad-pod-identity up correctly and labeled the source-controller pod, then you don't need to reference a secret.
+If you have set up aad-pod-identity correctly and labeled the source-controller
+Deployment, then you don't need to reference a Secret.
 
 ```yaml
 apiVersion: source.toolkit.fluxcd.io/v1beta2
@@ -532,13 +619,16 @@ data:
   sasKey: <base64>
 ```
 
-The sasKey only contains the SAS token e.g `?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`.
-The leading question mark is optional.
-The query values from the `sasKey` data field in the Secrets gets merged with the ones in the `spec.endpoint` of the `Bucket`.
-If the same key is present in the both of them, the value in the `sasKey` takes precedence.
+The `sasKey` only contains the SAS token e.g
+`?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05...`.
+The leading question mark (`?`) is optional. The query values from the `sasKey`
+data field in the Secrets gets merged with the ones in the `.spec.endpoint` of
+the Bucket. If the same key is present in the both of them, the value in the
+`sasKey` takes precedence.
 
-**Note:** The SAS token has an expiry date and it must be updated before it expires to allow Flux to
-continue to access Azure Storage. It is allowed to use an account-level or container-level SAS token.
+**Note:** The SAS token has an expiry date, and it must be updated before it
+expires to allow Flux to continue to access Azure Storage. It is allowed to use
+an account-level or container-level SAS token.
 
 The minimum permissions for an account-level SAS token are:
 
@@ -634,7 +724,7 @@ Where the (base64 decoded) value of `.data.serviceaccount` looks like this:
 
 ### Interval
 
-`.spec.interval` is a required field that specifices the interval which the
+`.spec.interval` is a required field that specifies the interval which the
 object storage bucket must be consulted at.
 
 After successfully reconciling a Bucket object, the source-controller requeues
@@ -643,7 +733,12 @@ the object for inspection after the specified interval. The value must be in a
 e.g. `10m0s` to look at the object storage bucket every 10 minutes.
 
 If the `.metadata.generation` of a resource changes (due to e.g. the apply of a
-change to the spec), this is handled instantly outside of the interval window.
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple Bucket objects are set up
+with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
 
 ### Endpoint
 
@@ -654,6 +749,83 @@ HTTP endpoint requires enabling [`.spec.insecure`](#insecure).
 Some endpoints require the specification of a [`.spec.region`](#region),
 see [Provider](#provider) for more (provider specific) examples.
 
+### STS
+
+`.spec.sts` is an optional field for specifying the Security Token Service
+configuration. A Security Token Service (STS) is a web service that issues
+temporary security credentials. By adding this field, one may specify the
+STS endpoint from where temporary credentials will be fetched.
+
+This field is only supported for the `aws` and `generic` bucket [providers](#provider).
+
+If using `.spec.sts`, the following fields are required:
+
+- `.spec.sts.provider`, the Security Token Service provider. The only supported
+  option for the `generic` bucket provider is `ldap`. The only supported option
+  for the `aws` bucket provider is `aws`.
+- `.spec.sts.endpoint`, the HTTP/S endpoint of the Security Token Service. In
+  the case of `aws` this can be `https://sts.amazonaws.com`, or a Regional STS
+  Endpoint, or an Interface Endpoint created inside a VPC. In the case of
+  `ldap` this must be the LDAP server endpoint.
+
+When using the `ldap` provider, the following fields may also be specified:
+
+- `.spec.sts.secretRef.name`, the name of the Secret containing the LDAP
+  credentials. The Secret must contain the following keys:
+  - `username`, the username to authenticate with.
+  - `password`, the password to authenticate with.
+- `.spec.sts.certSecretRef.name`, the name of the Secret containing the
+  TLS configuration for communicating with the STS endpoint. The contents
+  of this Secret must follow the same structure of
+  [`.spec.certSecretRef.name`](#cert-secret-reference).
+
+If [`.spec.proxySecretRef.name`](#proxy-secret-reference) is specified,
+the proxy configuration will be used for commucating with the STS endpoint.
+
+Example for the `ldap` provider:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: example
+  namespace: example
+spec:
+  interval: 5m
+  bucketName: example
+  provider: generic
+  endpoint: minio.example.com
+  sts:
+    provider: ldap
+    endpoint: https://ldap.example.com
+    secretRef:
+      name: ldap-credentials
+    certSecretRef:
+      name: ldap-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-credentials
+  namespace: example
+type: Opaque
+stringData:
+  username: <username>
+  password: <password>
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-tls
+  namespace: example
+type: kubernetes.io/tls # or Opaque
+stringData:
+  tls.crt: <PEM-encoded cert>
+  tls.key: <PEM-encoded key>
+  ca.crt: <PEM-encoded cert>
+```
+
 ### Bucket name
 
 `.spec.bucketName` is a required field that specifies which object storage
@@ -668,6 +840,100 @@ See [Provider](#provider) for more (provider specific) examples.
 
 See [Provider](#provider) for more (provider specific) examples.
 
+### Cert secret reference
+
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
+
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls minio-tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+If TLS client authentication is not required, you can generate the secret with:
+
+```sh
+flux create secret tls minio-tls --ca-crt-file=ca.crt
+```
+
+This API is only supported for the `generic` [provider](#provider).
+
+Example usage:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: example
+  namespace: example
+spec:
+  interval: 5m
+  bucketName: example
+  provider: generic
+  endpoint: minio.example.com
+  certSecretRef:
+    name: minio-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-tls
+  namespace: example
+type: kubernetes.io/tls # or Opaque
+stringData:
+  tls.crt: <PEM-encoded cert>
+  tls.key: <PEM-encoded key>
+  ca.crt: <PEM-encoded cert>
+```
+
+### Proxy secret reference
+
+`.spec.proxySecretRef.name` is an optional field used to specify the name of a
+Secret that contains the proxy settings for the object. These settings are used
+for all the remote operations related to the Bucket.
+The Secret can contain three keys:
+
+- `address`, to specify the address of the proxy server. This is a required key.
+- `username`, to specify the username to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+- `password`, to specify the password to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+
+Example:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: http-proxy
+type: Opaque
+stringData:
+  address: http://proxy.com
+  username: mandalorian
+  password: grogu
+```
+
+Proxying can also be configured in the source-controller Deployment directly by
+using the standard environment variables such as `HTTPS_PROXY`, `ALL_PROXY`, etc.
+
+`.spec.proxySecretRef.name` takes precedence over all environment variables.
+
 ### Insecure
 
 `.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
@@ -690,6 +956,15 @@ credentials for the object storage. For some `.spec.provider` implementations
 the presence of the field is required, see [Provider](#provider) for more
 details and examples.
 
+### Prefix
+
+`.spec.prefix` is an optional field to enable server-side filtering
+of files in the Bucket.
+
+**Note:** The server-side filtering works only with the `generic`, `aws`
+and `gcp` [provider](#provider) and is preferred over [`.spec.ignore`](#ignore)
+as a more efficient way of excluding files. 
+
 ### Ignore
 
 `.spec.ignore` is an optional field to specify rules in [the `.gitignore`
@@ -753,7 +1028,7 @@ spec:
 
 ### Triggering a reconcile
 
-To manually tell the source-controller to reconcile a Bucket outside of the
+To manually tell the source-controller to reconcile a Bucket outside the
 [specified interval window](#interval), a Bucket can be annotated with
 `reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
 queues the Bucket for reconciliation if the `<arbitrary-value>` differs from
@@ -866,9 +1141,9 @@ Status:
 ...
   Conditions:
     Last Transition Time:  2022-02-02T13:26:55Z
-    Message:               reconciling new object generation (2)
+    Message:               processing object: new generation 1 -> 2
     Observed Generation:   2
-    Reason:                NewGeneration
+    Reason:                ProgressingWithRetry
     Status:                True
     Type:                  Reconciling
     Last Transition Time:  2022-02-02T13:26:55Z
@@ -893,12 +1168,12 @@ Events:
 
 #### Trace emitted Events
 
-To view events for specific Bucket(s), `kubectl get events` can be used in
-combination with `--field-sector` to list the Events for specific objects.
-For example, running
+To view events for specific Bucket(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
 
 ```sh
-kubectl get events --field-selector involvedObject.kind=Bucket,involvedObject.name=<bucket-name>
+kubectl events --for Bucket/<bucket-name>
 ```
 
 lists
@@ -906,7 +1181,7 @@ lists
 ```console
 LAST SEEN   TYPE      REASON                       OBJECT                 MESSAGE
 2m30s       Normal    NewArtifact                  bucket/<bucket-name>   fetched 16 files with revision from 'my-new-bucket'
-36s         Normal    ArtifactUpToDate             bucket/<bucket-name>   artifact up-to-date with remote revision: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+36s         Normal    ArtifactUpToDate             bucket/<bucket-name>   artifact up-to-date with remote revision: 'sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
 18s         Warning   BucketOperationFailed        bucket/<bucket-name>   bucket 'my-new-bucket' does not exist
 ```
 
@@ -935,10 +1210,11 @@ metadata:
   name: <bucket-name>
 status:
   artifact:
-    checksum: cbec34947cc2f36dee8adcdd12ee62ca6a8a36699fc6e56f6220385ad5bd421a
+    digest: sha256:cbec34947cc2f36dee8adcdd12ee62ca6a8a36699fc6e56f6220385ad5bd421a
     lastUpdateTime: "2022-01-28T10:30:30Z"
     path: bucket/<namespace>/<bucket-name>/c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2.tar.gz
-    revision: c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
+    revision: sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2
+    size: 38099
     url: http://source-controller.<namespace>.svc.cluster.local./bucket/<namespace>/<bucket-name>/c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2.tar.gz
 ```
 
@@ -978,13 +1254,13 @@ is true:
 - The generation of the Bucket is newer than the [Observed Generation](#observed-generation).
 - The newly calculated Artifact revision differs from the current Artifact.
 
-When the Bucket is "reconciling", the `Ready` Condition status becomes `False`,
-and the controller adds a Condition with the following attributes to the
-Bucket's `.status.conditions`:
+When the Bucket is "reconciling", the `Ready` Condition status becomes
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the Bucket's `.status.conditions`:
 
 - `type: Reconciling`
 - `status: "True"`
-- `reason: NewGeneration` | `reason: NoArtifact` | `reason: NewRevision`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
 
 If the reconciling state is due to a new revision, an additional Condition is
 added with the following attributes:
@@ -1062,7 +1338,9 @@ it succeeds and the Bucket is marked as [ready](#ready-bucket).
 
 Note that a Bucket can be [reconciling](#reconciling-bucket) while failing at
 the same time, for example due to a newly introduced configuration issue in the
-Bucket spec.
+Bucket spec. When a reconciliation fails, the `Reconciling` Condition reason
+would be `ProgressingWithRetry`. When the reconciliation is performed again
+after the failure, the reason is updated to `Progressing`.
 
 ### Observed Ignore
 

docs/spec/v1beta2/gitrepositories.md

@@ -1,5 +1,7 @@
 # Git Repositories
 
+<!-- menuweight:10 -->
+
 The `GitRepository` API defines a Source to produce an Artifact for a Git
 repository revision.
 
@@ -49,7 +51,7 @@ You can run this example by saving the manifest into `gitrepository.yaml`.
 
    ```console
    NAME      URL                                       AGE   READY   STATUS                                                                        
-   podinfo   https://github.com/stefanprodan/podinfo   5s    True    stored artifact for revision 'master/132f4e719209eb10b9485302f8593fc0e680f4fc'
+   podinfo   https://github.com/stefanprodan/podinfo   5s    True    stored artifact for revision 'master@sha1:132f4e719209eb10b9485302f8593fc0e680f4fc'
    ```
 
 3. Run `kubectl describe gitrepository podinfo` to see the [Artifact](#artifact)
@@ -59,20 +61,21 @@ You can run this example by saving the manifest into `gitrepository.yaml`.
    ...
    Status:
      Artifact:
-       Checksum:          95e386f421272710c4cedbbd8607dbbaa019d500e7a5a0b6720bc7bebefc7bf2
+       Digest:            sha256:95e386f421272710c4cedbbd8607dbbaa019d500e7a5a0b6720bc7bebefc7bf2
        Last Update Time:  2022-02-14T11:23:36Z
        Path:              gitrepository/default/podinfo/132f4e719209eb10b9485302f8593fc0e680f4fc.tar.gz
-       Revision:          master/132f4e719209eb10b9485302f8593fc0e680f4fc
+       Revision:          master@sha1:132f4e719209eb10b9485302f8593fc0e680f4fc
+       Size:              91318
        URL:               http://source-controller.source-system.svc.cluster.local./gitrepository/default/podinfo/132f4e719209eb10b9485302f8593fc0e680f4fc.tar.gz
      Conditions:
        Last Transition Time:  2022-02-14T11:23:36Z
-       Message:               stored artifact for revision 'master/132f4e719209eb10b9485302f8593fc0e680f4fc'
+       Message:               stored artifact for revision 'master@sha1:132f4e719209eb10b9485302f8593fc0e680f4fc'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
        Type:                  Ready
        Last Transition Time:  2022-02-14T11:23:36Z
-       Message:               stored artifact for revision 'master/132f4e719209eb10b9485302f8593fc0e680f4fc'
+       Message:               stored artifact for revision 'master@sha1:132f4e719209eb10b9485302f8593fc0e680f4fc'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
@@ -131,6 +134,31 @@ data:
   password: <BASE64>
 ```
 
+#### Bearer token authentication
+
+To authenticate towards a Git repository over HTTPS using bearer token
+authentication (in other words: using a `Authorization: Bearer` header), the referenced
+Secret is expected to contain the token in `.data.bearerToken`.
+
+**Note:** If you are looking to use OAuth tokens with popular servers (e.g.
+[GitHub](https://docs.github.com/en/rest/overview/authenticating-to-the-rest-api?apiVersion=2022-11-28#authenticating-with-a-token-generated-by-an-app),
+[Bitbucket](https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/),
+[GitLab](https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html#clone-using-a-token)),
+you should use basic access authentication instead. These servers use basic HTTP
+authentication, with the OAuth token as the password. Check the documentation of
+your Git server for details.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bearer-token-auth
+type: Opaque
+data:
+  bearerToken: <BASE64>
+```
+
 #### HTTPS Certificate Authority
 
 To provide a Certificate Authority to trust while connecting with a Git
@@ -209,7 +237,7 @@ is `60s`.
 
 `.spec.ref` is an optional field to specify the Git reference to resolve and
 watch for changes. References are specified in one or more subfields
-(`.branch`, `.tag`, `.semver`, `.commit`), with latter listed fields taking
+(`.branch`, `.tag`, `.semver`, `.name`, `.commit`), with latter listed fields taking
 precedence over earlier ones. If not specified, it defaults to a `master`
 branch reference.
 
@@ -268,6 +296,30 @@ spec:
 This field takes precedence over [`.branch`](#branch-example) and
 [`.tag`](#tag-example).
 
+
+#### Name example
+
+To Git checkout a specfied [reference](https://git-scm.com/book/en/v2/Git-Internals-Git-References),
+use `.spec.ref.name`:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: <repository-name>
+spec:
+  ref:
+    # Ref name format reference: https://git-scm.com/docs/git-check-ref-format#_description
+    name: <reference-name>
+```
+
+Valid examples are: `refs/heads/main`, `refs/tags/v0.1.0`, `refs/pull/420/head`,
+`refs/merge-requests/1/head`.
+
+This field takes precedence over [`.branch`](#branch-example),
+[`.tag`](#tag-example), and [`.semver`](#semver-example).
+
 #### Commit example
 
 To Git checkout a specified commit, use `.spec.ref.commit`:
@@ -470,6 +522,9 @@ repository. The `.sourceignore` file follows [the `.gitignore` pattern
 format](https://git-scm.com/docs/gitignore#_pattern_format), and
 pattern entries may overrule [default exclusions](#default-exclusions).
 
+The controller recursively loads ignore files so a `.sourceignore` can be
+placed in the repository root or in subdirectories.
+
 #### Ignore spec
 
 Another option is to define the exclusions within the GitRepository spec, using
@@ -610,9 +665,9 @@ Status:
 ...
   Conditions:
     Last Transition Time:  2022-02-14T09:40:27Z
-    Message:               reconciling new object generation (2)
+    Message:               processing object: new generation 1 -> 2
     Observed Generation:   2
-    Reason:                NewGeneration
+    Reason:                ProgressingWithRetry
     Status:                True
     Type:                  Reconciling
     Last Transition Time:  2022-02-14T09:40:27Z
@@ -650,7 +705,7 @@ lists
 ```console
 LAST SEEN   TYPE     REASON                OBJECT                               MESSAGE
 2m14s       Normal   NewArtifact           gitrepository/<repository-name>      stored artifact for commit 'Merge pull request #160 from stefanprodan/release-6.0.3'
-36s         Normal   ArtifactUpToDate      gitrepository/<repository-name>      artifact up-to-date with remote revision: 'master/132f4e719209eb10b9485302f8593fc0e680f4fc'
+36s         Normal   ArtifactUpToDate      gitrepository/<repository-name>      artifact up-to-date with remote revision: 'master@sha1:132f4e719209eb10b9485302f8593fc0e680f4fc'
 94s         Warning  GitOperationFailed    gitrepository/<repository-name>      failed to checkout and determine revision: unable to clone 'https://github.com/stefanprodan/podinfo': couldn't find remote ref "refs/heads/invalid"
 ```
 
@@ -679,10 +734,11 @@ metadata:
   name: <repository-name>
 status:
   artifact:
-    checksum: e750c7a46724acaef8f8aa926259af30bbd9face2ae065ae8896ba5ee5ab832b
+    digest: sha256:e750c7a46724acaef8f8aa926259af30bbd9face2ae065ae8896ba5ee5ab832b
     lastUpdateTime: "2022-01-29T06:59:23Z"
     path: gitrepository/<namespace>/<repository-name>/c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2.tar.gz
-    revision: master/363a6a8fe6a7f13e05d34c163b0ef02a777da20a
+    revision: master@sha1:363a6a8fe6a7f13e05d34c163b0ef02a777da20a
+    size: 91318
     url: http://source-controller.<namespace>.svc.cluster.local./gitrepository/<namespace>/<repository-name>/363a6a8fe6a7f13e05d34c163b0ef02a777da20a.tar.gz
 ```
 
@@ -724,12 +780,13 @@ following is true:
 - The newly resolved Artifact revision differs from the current Artifact.
 
 When the GitRepository is "reconciling", the `Ready` Condition status becomes
-`False`, and the controller adds a Condition with the following attributes to
-the GitRepository's `.status.conditions`:
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the GitRepository's
+`.status.conditions`:
 
 - `type: Reconciling`
 - `status: "True"`
-- `reason: NewGeneration` | `reason: NoArtifact` | `reason: NewRevision`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
 
 If the reconciling state is due to a new revision, an additional Condition is
 added with the following attributes:
@@ -819,7 +876,10 @@ exponential backoff, until it succeeds and the GitRepository is marked as
 
 Note that a GitRepository can be [reconciling](#reconciling-gitrepository)
 while failing at the same time, for example due to a newly introduced
-configuration issue in the GitRepository spec.
+configuration issue in the GitRepository spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
 
 ### Content Configuration Checksum
 

docs/spec/v1beta2/helmcharts.md

@@ -1,5 +1,7 @@
 # Helm Charts
 
+<!-- menuweight:50 -->
+
 The `HelmChart` API defines a Source to produce an Artifact for a Helm chart
 archive with a set of specific configurations.
 
@@ -43,7 +45,7 @@ In the above example:
 
 You can run this example by saving the manifest into `helmchart.yaml`.
 
-**NOTE:** HelmChart is usually used by the helm-controller. Based on the
+**Note:** HelmChart is usually used by the helm-controller. Based on the
 HelmRelease configuration, an associated HelmChart is created by the 
 helm-controller.
 
@@ -65,12 +67,13 @@ helm-controller.
 
    ```console
    Status:
-     Observed Source Artifact Revision:  83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+     Observed Source Artifact Revision:  sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
      Artifact:
-       Checksum:          6c3cc3b955bce1686036ae6822ee2ca0ef6ecb994e3f2d19eaf3ec03dcba84b3
+       Digest:            sha256:6c3cc3b955bce1686036ae6822ee2ca0ef6ecb994e3f2d19eaf3ec03dcba84b3
        Last Update Time:  2022-02-13T11:24:10Z
        Path:              helmchart/default/podinfo/podinfo-5.2.1.tgz
        Revision:          5.2.1
+       Size:              14166
        URL:               http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/podinfo-5.2.1.tgz
      Conditions:
        Last Transition Time:  2022-02-13T11:24:10Z
@@ -199,6 +202,16 @@ spec:
 Values files also affect the generated artifact revision, see
 [artifact](#artifact).
 
+### Ignore missing values files
+
+`.spec.ignoreMissingValuesFiles` is an optional field to specify whether missing
+values files should be ignored rather than be considered errors.  It defaults to
+`false`.
+
+When `.spec.valuesFiles` and  `.spec.ignoreMissingValuesFiles` are specified,
+the `.status.observedValuesFiles` field is populated with the list of values
+files that were found and actually contributed to the packaged chart.
+
 ### Reconcile strategy
 
 `.spec.reconcileStrategy` is an optional field to specify what enables the
@@ -208,7 +221,7 @@ changes in a `HelmRepository`. `Revision` is used for creating a new artifact
 when the source revision changes in a `GitRepository` or a `Bucket` Source. It
 defaults to `ChartVersion`.
 
-**NOTE:** If the reconcile strategy is `ChartVersion` and the source reference
+**Note:** If the reconcile strategy is `ChartVersion` and the source reference
 is a `GitRepository` or a `Bucket`, no new chart artifact is produced on updates
 to the source unless the `version` in `Chart.yaml` is incremented. To produce
 new chart artifact on change in source revision, set the reconcile strategy to
@@ -230,6 +243,11 @@ e.g. `10m0s` to look at the source for updates every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. applying a
 change to the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmChart objects are set
+up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### Suspend
 
 `.spec.suspend` is an optional field to suspend the reconciliation of a
@@ -244,12 +262,19 @@ For practical information, see
 
 **Note:** This feature is available only for Helm charts fetched from an OCI Registry.
 
-`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign) or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
 
-- `.provider`, to specify the verification provider. Only supports `cosign` at present.
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
-  the HelmChart, containing the Cosign public keys of trusted authors.
+  the HelmChart, containing the public keys of trusted authors. For Notation this Secret should also include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
 
 ```yaml
 ---
@@ -271,7 +296,7 @@ following attributes to the HelmChart's `.status.conditions`:
 - `status: "True"`
 - `reason: Succeeded`
 
-#### Public keys verification
+##### Public keys verification
 
 To verify the authenticity of HelmChart hosted in an OCI Registry, create a Kubernetes
 secret with the Cosign public keys:
@@ -293,12 +318,24 @@ Note that the keys must have the `.pub` extension for Flux to make use of them.
 Flux will loop over the public keys and use them to verify a HelmChart's signature.
 This allows for older HelmCharts to be valid as long as the right key is in the secret.
 
-#### Keyless verification
+##### Keyless verification
 
 For publicly available HelmCharts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying  HelmCharts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -317,6 +354,9 @@ spec:
   version: ">=6.1.6"
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 ```yaml
@@ -337,6 +377,55 @@ instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 Note that keyless verification is an **experimental feature**, using
 custom root CAs or self-hosted Rekor instances are not currently supported.
 
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
 ## Working with HelmCharts
 
 ### Triggering a reconcile
@@ -466,12 +555,12 @@ sion matching '9.*' found
 
 #### Trace emitted Events
 
-To view events for specific HelmChart(s), `kubectl get events` can be used in
-combination with `--field-selector` to list the Events for specific objects.
-For example, running
+To view events for specific HelmChart(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
 
 ```sh
-kubectl get events --field-selector involvedObject.kind=HelmChart,involvedObject.name=<chart-name>
+kubectl events --for HelmChart/<chart-name>
 ```
 
 lists
@@ -554,10 +643,11 @@ metadata:
   name: <chart-name>
 status:
   artifact:
-    checksum: e30b95a08787de69ffdad3c232d65cfb131b5b50c6fd44295f48a078fceaa44e
+    digest: sha256:e30b95a08787de69ffdad3c232d65cfb131b5b50c6fd44295f48a078fceaa44e
     lastUpdateTime: "2022-02-10T18:53:47Z"
     path: helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
     revision: 6.0.3
+    size: 14166
     url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
 ```
 
@@ -575,10 +665,11 @@ metadata:
   name: <chart-name>
 status:
   artifact:
-    checksum: ee68224ded207ebb18a8e9730cf3313fa6bc1f31e6d8d3943ab541113559bb52
+    digest: sha256:ee68224ded207ebb18a8e9730cf3313fa6bc1f31e6d8d3943ab541113559bb52
     lastUpdateTime: "2022-02-28T08:07:12Z"
     path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
     revision: 6.0.3+1
+    size: 14166
     url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
   observedGeneration: 1
   ...
@@ -599,10 +690,11 @@ metadata:
   name: <chart-name>
 status:
   artifact:
-    checksum: 8d1f0ac3f4b0e8759a32180086f17ac87ca04e5d46c356e67f97e97616ef4718
+    digest: sha256:8d1f0ac3f4b0e8759a32180086f17ac87ca04e5d46c356e67f97e97616ef4718
     lastUpdateTime: "2022-02-28T08:07:12Z"
     path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
     revision: 6.0.3+4e5cbb7b97d0
+    size: 14166
     url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
 ```
 
@@ -633,12 +725,12 @@ following is true:
 - The newly fetched Artifact revision differs from the current Artifact.
 
 When the HelmChart is "reconciling", the `Ready` Condition status becomes
-`False`, and the controller adds a Condition with the following attributes to
-the HelmChart's `.status.conditions`:
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmChart's `.status.conditions`:
 
 - `type: Reconciling`
 - `status: "True"`
-- `reason: NewGeneration` | `reason: NoArtifact`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
 
 If the reconciling state is due to a new version, it adds an additional
 Condition with the following attributes:
@@ -715,7 +807,10 @@ until it succeeds and the HelmChart is marked as [ready](#ready-helmchart).
 
 Note that a HelmChart can be [reconciling](#reconciling-helmchart)
 while failing at the same time, for example due to a newly introduced
-configuration issue in the HelmChart spec.
+configuration issue in the HelmChart spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
 
 #### Stalled HelmChart
 

docs/spec/v1beta2/helmrepositories.md

@@ -1,11 +1,13 @@
 # Helm Repositories
 
+<!-- menuweight:40 -->
+
 There are 2 [Helm repository types](#type) defined by the `HelmRepository` API:
 - Helm HTTP/S repository, which defines a Source to produce an Artifact for a Helm
 repository index YAML (`index.yaml`). 
-- OCI Helm repository, which defines a source that does not produce an Artifact. 
-Instead a validation of the Helm repository is performed and the outcome is reported in the
-`.status.conditions` field.
+- OCI Helm repository, which defines a source that does not produce an Artifact.
+  It's a data container to store the information about the OCI repository that
+  can be used by [HelmChart](helmcharts.md) to access OCI Helm charts.
 
 ## Examples
 
@@ -34,9 +36,9 @@ In the above example:
 - The source-controller fetches the Helm repository index YAML every five
   minutes from `https://stefanprodan.github.io/podinfo`, indicated by the
   `.spec.interval` and `.spec.url` fields.
-- The SHA256 sum of the Helm repository index after stable sorting the entries
-  is used as Artifact revision, reported in-cluster in the
-  `.status.artifact.revision` field.
+- The digest (algorithm defaults to SHA256) of the Helm repository index after
+  stable sorting the entries is used as Artifact revision, reported in-cluster
+  in the `.status.artifact.revision` field.
 - When the current HelmRepository revision differs from the latest fetched 
   revision, it is stored as a new Artifact.
 - The new Artifact is reported in the `.status.artifact` field.
@@ -53,7 +55,7 @@ You can run this example by saving the manifest into `helmrepository.yaml`.
 
    ```console
    NAME      URL                                      AGE   READY   STATUS                                                                                         
-   podinfo   https://stefanprodan.github.io/podinfo   4s    True    stored artifact for revision '83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+   podinfo   https://stefanprodan.github.io/podinfo   4s    True    stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
    ```
 
 3. Run `kubectl describe helmrepository podinfo` to see the [Artifact](#artifact)
@@ -63,20 +65,21 @@ You can run this example by saving the manifest into `helmrepository.yaml`.
    ...
    Status:
      Artifact:
-       Checksum:          83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Digest:            sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
        Last Update Time:  2022-02-04T09:55:58Z
        Path:              helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
-       Revision:          83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Revision:          sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Size:              40898
        URL:               http://source-controller.flux-system.svc.cluster.local./helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
      Conditions:
        Last Transition Time:  2022-02-04T09:55:58Z
-       Message:               stored artifact for revision '83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
        Type:                  Ready
        Last Transition Time:  2022-02-04T09:55:58Z
-       Message:               stored artifact for revision '83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
@@ -110,9 +113,11 @@ In the above example:
 
 - A HelmRepository named `podinfo` is created, indicated by the
   `.metadata.name` field.
-- The source-controller performs the Helm repository url validation i.e. the url 
-is a valid OCI registry url, every five minutes with the information indicated by the
-`.spec.interval` and `.spec.url` fields.
+- A HelmChart that refers to this HelmRepository uses the URL in the `.spec.url`
+  field to access the OCI Helm chart.
+
+**NOTE:** The `.spec.interval` field is only used by the `default` Helm
+repository and is ignored for any value in `oci` Helm repository.
 
 You can run this example by saving the manifest into `helmrepository.yaml`.
 
@@ -126,25 +131,12 @@ You can run this example by saving the manifest into `helmrepository.yaml`.
 
    ```console
    NAME      URL                                 AGE     READY   STATUS
-   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s   True    Helm repository "podinfo" is ready
+   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s
    ```
 
-3. Run `kubectl describe helmrepository podinfo` to see the [Conditions](#conditions) 
-in the HelmRepository's Status:
-
-   ```console
-   ...
-   Status:
-     Conditions:
-       Last Transition Time:  2022-05-12T14:02:12Z
-       Message:               Helm repository "podinfo" is ready
-       Observed Generation:   1
-       Reason:                Succeeded
-       Status:                True
-       Type:                  Ready
-     Observed Generation:     1
-   Events:                    <none>
-   ```
+Because the OCI Helm repository is a data container, there's nothing to report
+for `READY` and `STATUS` columns above. The existence of the object can be
+considered to be ready for use.
 
 ## Writing a HelmRepository spec
 
@@ -155,14 +147,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
 A HelmRepository also needs a
 [`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
-
 ### Type
 
 `.spec.type` is an optional field that specifies the Helm repository type. 
 
 Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
 
-
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -187,9 +177,13 @@ The `aws` provider can be used to authenticate automatically using the EKS worke
 node IAM role or IAM Role for Service Accounts (IRSA), and by extension gain access
 to ECR.
 
+##### EKS Worker Node IAM Role
+
 When the worker node IAM role has access to ECR, source-controller running on it
 will also have access to ECR.
 
+##### IAM Role for Service Accounts (IRSA)
+
 When using IRSA to enable access to ECR, add the following patch to your bootstrap
 repository, in the `flux-system/kustomization.yaml` file:
 
@@ -217,13 +211,70 @@ to the IAM role when using IRSA.
 
 #### Azure
 
-The `azure` provider can be used to authenticate automatically using kubelet managed
-identity or Azure Active Directory pod-managed identity (aad-pod-identity), and 
+The `azure` provider can be used to authenticate automatically using Workload Identity, Kubelet Managed
+Identity or Azure Active Directory pod-managed identity (aad-pod-identity), and
 by extension gain access to ACR.
 
+##### Kubelet Managed Identity
+
 When the kubelet managed identity has access to ACR, source-controller running on 
 it will also have access to ACR.
 
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
+##### Azure Workload Identity
+
+When using Workload Identity to enable access to ACR, add the following patch to
+your bootstrap repository, in the `flux-system/kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
+
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
+a federated identity between the source-controller ServiceAccount and the
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
+above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+
+##### Deprecated: AAD Pod Identity
+
+**Warning:** The AAD Pod Identity project will be archived in
+[September 2023](https://github.com/Azure/aad-pod-identity#-announcement),
+and you are advised to use Workload Identity instead.
+
 When using aad-pod-identity to enable access to ACR, add the following patch to
 your bootstrap repository, in the `flux-system/kustomization.yaml` file:
 
@@ -248,7 +299,7 @@ to give the `source-controller` pod access to the ACR. To do this, you have to i
 `aad-pod-identity` on your cluster, create a managed identity that has access to the
 container registry (this can also be the Kubelet identity if it has `AcrPull` role
 assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding` that describe
-the managed identity and then label the `source-controller` pods with the name of the
+the managed identity and then label the `source-controller` deployment with the name of the
 AzureIdentity as shown in the patch above. Please take a look at [this guide](https://azure.github.io/aad-pod-identity/docs/)
 or [this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
 if you want to use AKS pod-managed identities add-on that is in preview.
@@ -258,9 +309,13 @@ if you want to use AKS pod-managed identities add-on that is in preview.
 The `gcp` provider can be used to authenticate automatically using OAuth scopes or
 Workload Identity, and by extension gain access to GCR or Artifact Registry.
 
+##### Access Scopes
+
 When the GKE nodes have the appropriate OAuth scope for accessing GCR and Artifact Registry,
 source-controller running on it will also have access to them.
 
+##### GKE Workload Identity
+
 When using Workload Identity to enable access to GCR or Artifact Registry, add the
 following patch to your bootstrap repository, in the `flux-system/kustomization.yaml`
 file:
@@ -290,10 +345,23 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
 of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
 for more information about setting up GKE Workload Identity.
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
+**Note**: The insecure field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
 ### Interval
 
-`.spec.interval` is a required field that specifies the interval which the
-Helm repository index must be consulted at.
+**Note:** This field is ineffectual for [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.interval` is a an optional field that specifies the interval which the
+Helm repository index must be consulted at. When not set, the default value is
+`1m`.
 
 After successfully reconciling a HelmRepository object, the source-controller
 requeues the object for inspection after the specified interval. The value
@@ -303,6 +371,11 @@ e.g. `10m0s` to fetch the HelmRepository index YAML every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. applying a
 change to the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmRepository objects
+are set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### URL
 
 `.spec.url` is a required field that depending on the [type of the HelmRepository object](#type)
@@ -314,11 +387,14 @@ For Helm repositories which require authentication, see [Secret reference](#secr
 
 ### Timeout
 
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
 `.spec.timeout` is an optional field to specify a timeout for the fetch
 operation. The value must be in a
 [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
-e.g. `1m30s` for a timeout of one minute and thirty seconds. The default value
-is `60s`.
+e.g. `1m30s` for a timeout of one minute and thirty seconds. When not set, the
+default value is `1m`.
 
 ### Secret reference
 
@@ -353,8 +429,8 @@ metadata:
   name: example-user
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 OCI Helm repository example:
@@ -379,8 +455,8 @@ metadata:
   name: oci-creds
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -394,15 +470,36 @@ flux create secret oci ghcr-auth \
   --password=${GITHUB_PAT}
 ```
 
-#### TLS authentication
+**Warning:** Support for specifying TLS authentication data using this API has been
+deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
+If the controller uses the secret specified by this field to configure TLS, then
+a deprecation warning will be logged.
 
-**Note:** TLS authentication is not yet supported by OCI Helm repositories.
+### Cert secret reference
 
-To provide TLS credentials to use while connecting with the Helm repository,
-the referenced Secret is expected to contain `.data.certFile` and
-`.data.keyFile`, and/or `.data.caFile` values.
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
 
-For example:
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+Example usage:
 
 ```yaml
 ---
@@ -414,7 +511,7 @@ metadata:
 spec:
   interval: 5m0s
   url: https://example.com
-  secretRef:
+  certSecretRef:
     name: example-tls
 ---
 apiVersion: v1
@@ -422,11 +519,12 @@ kind: Secret
 metadata:
   name: example-tls
   namespace: default
+type: kubernetes.io/tls # or Opaque
 data:
-  certFile: <BASE64>
-  keyFile: <BASE64>
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
   # NOTE: Can be supplied without the above values
-  caFile: <BASE64>
+  ca.crt: <BASE64>
 ```
 
 ### Pass credentials
@@ -442,6 +540,9 @@ to HTTP/S Helm repositories.
 
 ### Suspend
 
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
 `.spec.suspend` is an optional field to suspend the reconciliation of a
 HelmRepository. When set to `true`, the controller will stop reconciling the
 HelmRepository, and changes to the resource or the Helm repository index will
@@ -452,6 +553,10 @@ For practical information, see
 [suspending and resuming](#suspending-and-resuming).
 
 ## Working with HelmRepositories
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, once created, they
+are ready to used by [HelmCharts](helmcharts.md).
  
 ### Triggering a reconcile
 
@@ -553,6 +658,10 @@ flux resume source helm <repository-name>
 
 ### Debugging a HelmRepository
 
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, they are static
+objects that don't require debugging if valid.
+
 There are several ways to gather information about a HelmRepository for debugging
 purposes.
 
@@ -595,12 +704,12 @@ Events:
 
 #### Trace emitted Events
 
-To view events for specific HelmRepository(s), `kubectl get events` can be used in
-combination with `--field-sector` to list the Events for specific objects.
-For example, running
+To view events for specific HelmRepository(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
 
 ```sh
-kubectl get events --field-selector involvedObject.kind=HelmRepository,involvedObject.name=<repository-name>
+kubectl events --for HelmRepository/<repository-name>
 ```
 
 lists
@@ -609,7 +718,7 @@ lists
 LAST SEEN   TYPE      REASON           OBJECT                             MESSAGE
 107s        Warning   Failed           helmrepository/<repository-name>   failed to construct Helm client: scheme "invalid" not supported
 7s          Normal    NewArtifact      helmrepository/<repository-name>   fetched index of size 30.88kB from 'https://stefanprodan.github.io/podinfo'
-3s          Normal    ArtifactUpToDate helmrepository/<repository-name>   artifact up-to-date with remote revision: '83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+3s          Normal    ArtifactUpToDate helmrepository/<repository-name>   artifact up-to-date with remote revision: 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
 ```
 
 Besides being reported in Events, the reconciliation errors are also logged by
@@ -618,9 +727,11 @@ specific HelmRepository, e.g. `flux logs --level=error --kind=HelmRepository --n
 
 ## HelmRepository Status
 
-### Artifact
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), they do not contain any information in the
+status.
 
-**Note:** This section does not apply to [OCI Helm Repositories](#oci-helm-repositories), they do not emit artifacts.
+### Artifact
 
 The HelmRepository reports the last fetched repository index as an Artifact
 object in the `.status.artifact` of the resource.
@@ -639,10 +750,11 @@ metadata:
   name: <repository-name>
 status:
   artifact:
-    checksum: 83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    digest: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
     lastUpdateTime: "2022-02-04T09:55:58Z"
     path: helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
-    revision: 83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    revision: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    size: 40898
     url: http://source-controller.flux-system.svc.cluster.local./helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
 ```
 
@@ -661,9 +773,6 @@ and reports `Reconciling` and `Stalled` conditions where applicable to
 provide better (timeout) support to solutions polling the HelmRepository to become
 `Ready`.
 
- OCI Helm repositories use only `Reconciling`, `Ready`, `FetchFailed`, and `Stalled`
- condition types.
-
 #### Reconciling HelmRepository
 
 The source-controller marks a HelmRepository as _reconciling_ when one of the following
@@ -676,12 +785,12 @@ is true:
 - The newly fetched Artifact revision differs from the current Artifact.
 
 When the HelmRepository is "reconciling", the `Ready` Condition status becomes
-`False`, and the controller adds a Condition with the following attributes to
-the HelmRepository's `.status.conditions`:
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmRepository's `.status.conditions`:
 
 - `type: Reconciling`
 - `status: "True"`
-- `reason: NewGeneration` | `reason: NoArtifact` | `reason: NewRevision`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
 
 If the reconciling state is due to a new revision, it adds an additional
 Condition with the following attributes:
@@ -760,7 +869,10 @@ until it succeeds and the HelmRepository is marked as [ready](#ready-helmreposit
 
 Note that a HelmRepository can be [reconciling](#reconciling-helmrepository)
 while failing at the same time, for example due to a newly introduced
-configuration issue in the HelmRepository spec.
+configuration issue in the HelmRepository spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
 
 #### Stalled HelmRepository
 
@@ -797,5 +909,6 @@ annotation value it acted on in the `.status.lastHandledReconcileAt` field.
 For practical information about this field, see [triggering a
 reconcile](#triggering-a-reconcile).
 
+[pem-encoding]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
 [typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 [kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1beta2/ocirepositories.md

@@ -1,5 +1,7 @@
 # OCI Repositories
 
+<!-- menuweight:20 -->
+
 The `OCIRepository` API defines a Source to produce an Artifact for an OCI
 repository.
 
@@ -49,7 +51,7 @@ You can run this example by saving the manifest into `ocirepository.yaml`.
 
    ```console
    NAME      URL                                            AGE   READY   STATUS                                                                        
-   podinfo   oci://ghcr.io/stefanprodan/manifests/podinfo   5s    True    stored artifact with revision 'latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+   podinfo   oci://ghcr.io/stefanprodan/manifests/podinfo   5s    True    stored artifact with revision 'latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
    ```
 
 3. Run `kubectl describe ocirepository podinfo` to see the [Artifact](#artifact)
@@ -59,20 +61,21 @@ You can run this example by saving the manifest into `ocirepository.yaml`.
    ...
    Status:
      Artifact:
-       Checksum:          d7e924b4882e55b97627355c7b3d2e711e9b54303afa2f50c25377f4df66a83b
+       Digest:            sha256:d7e924b4882e55b97627355c7b3d2e711e9b54303afa2f50c25377f4df66a83b
        Last Update Time:  2022-06-14T11:23:36Z
        Path:              ocirepository/default/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
-       Revision:          latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
+       Revision:          latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
+       Size:              1105
        URL:               http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
      Conditions:
        Last Transition Time:  2022-06-14T11:23:36Z
-       Message:               stored artifact for revision 'latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+       Message:               stored artifact for revision 'latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
        Type:                  Ready
        Last Transition Time:  2022-06-14T11:23:36Z
-       Message:               stored artifact for revision 'latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+       Message:               stored artifact for revision 'latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
        Observed Generation:   1
        Reason:                Succeeded
        Status:                True
@@ -154,14 +157,23 @@ to the IAM role when using IRSA.
 
 #### Azure
 
-The `azure` provider can be used to authenticate automatically using kubelet
-managed identity or Azure Active Directory pod-managed identity (aad-pod-identity),
-and by extension gain access to ACR.
+The `azure` provider can be used to authenticate automatically using Workload Identity and Kubelet Managed
+Identity to gain access to ACR.
+
+##### Kubelet Managed Identity
 
 When the kubelet managed identity has access to ACR, source-controller running
 on it will also have access to ACR.
 
-When using aad-pod-identity to enable access to ACR, add the following patch to
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
+##### Workload Identity
+
+When using Workload Identity to enable access to ACR, add the following patch to
 your bootstrap repository, in the `flux-system/kustomization.yaml` file:
 
 ```yaml
@@ -171,25 +183,36 @@ resources:
   - gotk-components.yaml
   - gotk-sync.yaml
 patches:
-  - patch: |
-      - op: add
-        path: /spec/template/metadata/labels/aadpodidbinding
-        value: <identity-name>
-    target:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
       kind: Deployment
-      name: source-controller
-``` 
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
 
-When using pod-managed identity on an AKS cluster, AAD Pod Identity
-has to be used to give the `source-controller` pod access to the ACR.
-To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity
-that has access to the container registry (this can also be the Kubelet identity
-if it has `AcrPull` role assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding`
-that describe the managed identity and then label the `source-controller` pods
-with the name of the AzureIdentity as shown in the patch above. Please take a look
-at [this guide](https://azure.github.io/aad-pod-identity/docs/) or
-[this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
-if you want to use AKS pod-managed identities add-on that is in preview.
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
+a federated identity between the source-controller ServiceAccount and the
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
+above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
 
 #### GCP
 
@@ -220,7 +243,7 @@ patches:
     target:
       kind: ServiceAccount
       name: source-controller
-``` 
+```
 
 The Artifact Registry service uses the permission `artifactregistry.repositories.downloadArtifacts`
 that is located under the Artifact Registry Reader role. If you are using
@@ -251,42 +274,103 @@ fetch the image pull secrets attached to the service account and use them for au
 **Note:** that for a publicly accessible image repository, you don't need to provide a `secretRef`
 nor `serviceAccountName`.
 
-### TLS Certificates
+### Cert secret reference
 
-`.spec.certSecretRef` field names a secret with TLS certificate data. This is for two separate
-purposes:
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
 
-- to provide a client certificate and private key, if you use a certificate to authenticate with
-  the container registry; and,
-- to provide a CA certificate, if the registry uses a self-signed certificate.
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
 
-These will often go together, if you are hosting a container registry yourself. All the files in the
-secret are expected to be [PEM-encoded][pem-encoding]. This is an ASCII format for certificates and
-keys; `openssl` and such tools will typically give you an option of PEM output.
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
 
-Assuming you have obtained a certificate file and private key and put them in the files `client.crt`
-and `client.key` respectively, you can create a secret with `kubectl` like this:
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
 
-```bash
-kubectl create secret generic tls-certs \
-  --from-file=certFile=client.crt \
-  --from-file=keyFile=client.key
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
 ```
 
-You could also [prepare a secret and encrypt it][sops-guide]; the important bit is that the data
-keys in the secret are `certFile` and `keyFile`.
+Example usage:
 
-If you have a CA certificate for the client to use, the data key for that is `caFile`. Adapting the
-previous example, if you have the certificate in the file `ca.crt`, and the client certificate and
-key as before, the whole command would be:
-
-```bash
-kubectl create secret generic tls-certs \
-  --from-file=certFile=client.crt \
-  --from-file=keyFile=client.key \
-  --from-file=caFile=ca.crt
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://example.com
+  certSecretRef:
+    name: example-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-tls
+  namespace: default
+type: kubernetes.io/tls # or Opaque
+data:
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
+  # NOTE: Can be supplied without the above values
+  ca.crt: <BASE64>
 ```
 
+**Warning:** Support for the `caFile`, `certFile` and `keyFile` keys have been
+deprecated. If you have any Secrets using these keys and specified in an
+OCIRepository, the controller will log a deprecation warning.
+
+### Proxy secret reference
+
+`.spec.proxySecretRef.name` is an optional field used to specify the name of a
+Secret that contains the proxy settings for the object. These settings are used
+for all the remote operations related to the OCIRepository.
+The Secret can contain three keys:
+
+- `address`, to specify the address of the proxy server. This is a required key.
+- `username`, to specify the username to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+- `password`, to specify the password to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+
+Example:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: http-proxy
+type: Opaque
+stringData:
+  address: http://proxy.com
+  username: mandalorian
+  password: grogu
+```
+
+Proxying can also be configured in the source-controller Deployment directly by
+using the standard environment variables such as `HTTPS_PROXY`, `ALL_PROXY`, etc.
+
+`.spec.proxySecretRef.name` takes precedence over all environment variables.
+
+**Warning:** [Cosign](https://github.com/sigstore/cosign) *keyless*
+[verification](#verification) is not supported for this API. If you
+require cosign keyless verification to use a proxy you must use the
+standard environment variables mentioned above. If you specify a
+`proxySecretRef` the controller will simply send out the requests
+needed for keyless verification without the associated object-level
+proxy settings.
+
 ### Insecure
 
 `.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
@@ -306,6 +390,11 @@ e.g. `10m0s` to reconcile the object every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. a change to
 the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple OCIRepository objects are
+set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### Timeout
 
 `.spec.timeout` is an optional field to specify a timeout for OCI operations
@@ -357,6 +446,37 @@ spec:
 
 This field takes precedence over [`.tag`](#tag-example).
 
+#### SemverFilter example
+
+`.spec.ref.semverFilter` is an optional field to specify a SemVer filter to apply
+when fetching tags from the OCI repository. The filter is a regular expression
+that is applied to the tags fetched from the repository. Only tags that match
+the filter are considered for the semver range resolution.
+
+**Note:** The filter is only taken into account when the `.spec.ref.semver` field
+is set.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  ref:
+    # SemVer comparisons using constraints without a prerelease comparator will skip prerelease versions.
+    # Adding a `-0` suffix to the semver range will include prerelease versions.
+    semver: ">= 6.1.x-0"
+    semverFilter: ".*-rc.*"
+```
+
+In the above example, the controller fetches tags from the `ghcr.io/stefanprodan/manifests/podinfo`
+repository and filters them using the regular expression `.*-rc.*`. Only tags that
+contain the `-rc` suffix are considered for the semver range resolution.
+
 #### Digest example
 
 To pull a specific digest, use `.spec.ref.digest`:
@@ -370,7 +490,7 @@ metadata:
 spec:
   ref:
     digest: "sha256:<SHA-value>"
-``` 
+```
 
 This field takes precedence over all other fields.
 
@@ -417,11 +537,22 @@ for more information.
 ### Verification
 
 `.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
 
-- `.provider`, to specify the verification provider. Only supports `cosign` at present.
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
-  the OCIRepository, containing the Cosign public keys of trusted authors.
+  the OCIRepository, containing the Cosign public keys of trusted authors. For Notation this Secret should also
+  include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the
+  verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key
+or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
 
 ```yaml
 ---
@@ -443,7 +574,7 @@ following attributes to the OCIRepository's `.status.conditions`:
 - `status: "True"`
 - `reason: Succeeded`
 
-#### Public keys verification
+##### Public keys verification
 
 To verify the authenticity of an OCI artifact, create a Kubernetes secret
 with the Cosign public keys:
@@ -465,12 +596,24 @@ Note that the keys must have the `.pub` extension for Flux to make use of them.
 Flux will loop over the public keys and use them to verify an artifact's signature.
 This allows for older artifacts to be valid as long as the right key is in the secret.
 
-#### Keyless verification
+##### Keyless verification
 
 For publicly available OCI artifacts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying artifacts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -484,6 +627,9 @@ spec:
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 The controller verifies the signatures using the Fulcio root CA and the Rekor
@@ -492,6 +638,55 @@ instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 Note that keyless verification is an **experimental feature**, using
 custom root CAs or self-hosted Rekor instances are not currently supported.
 
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: <repository-name>
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the OCIRepository's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
 ### Suspend
 
 `.spec.suspend` is an optional field to suspend the reconciliation of a
@@ -526,6 +721,16 @@ spec:
     /deploy/**/*.txt
 ```
 
+#### `.sourceignore` file
+
+Excluding files is possible by adding a `.sourceignore` file in the artifact.
+The `.sourceignore` file follows [the `.gitignore` pattern
+format](https://git-scm.com/docs/gitignore#_pattern_format), and pattern
+entries may overrule [default exclusions](#default-exclusions).
+
+The controller recursively loads ignore files so a `.sourceignore` can be
+placed in the artifact root or in subdirectories.
+
 ### Triggering a reconcile
 
 To manually tell the source-controller to reconcile a OCIRepository outside the
@@ -550,7 +755,7 @@ flux reconcile source oci <repository-name>
 ### Waiting for `Ready`
 
 When a change is applied, it is possible to wait for the OCIRepository to reach
-a [ready state](#ready-gitrepository) using `kubectl`:
+a [ready state](#ready-ocirepository) using `kubectl`:
 
 ```sh
 kubectl wait gitrepository/<repository-name> --for=condition=ready --timeout=1m
@@ -642,9 +847,9 @@ Status:
 ...
   Conditions:
     Last Transition Time:  2022-02-14T09:40:27Z
-    Message:               reconciling new object generation (2)
+    Message:               processing object: new generation 1 -> 2
     Observed Generation:   2
-    Reason:                NewGeneration
+    Reason:                ProgressingWithRetry
     Status:                True
     Type:                  Reconciling
     Last Transition Time:  2022-02-14T09:40:27Z
@@ -669,20 +874,20 @@ Events:
 
 #### Trace emitted Events
 
-To view events for specific OCIRepository(s), `kubectl get events` can be used
-in combination with `--field-sector` to list the Events for specific objects.
-For example, running
+To view events for specific OCIRepository(s), `kubectl events` can be used
+in combination with `--for` to list the Events for specific objects. For
+example, running
 
 ```sh
-kubectl get events --field-selector involvedObject.kind=OCIRepository,involvedObject.name=<repository-name>
+kubectl events --for OCIRepository/<repository-name>
 ```
 
 lists
 
 ```console
 LAST SEEN   TYPE     REASON                OBJECT                               MESSAGE
-2m14s       Normal   NewArtifact           ocirepository/<repository-name>      stored artifact for revision 'latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
-36s         Normal   ArtifactUpToDate      ocirepository/<repository-name>      artifact up-to-date with remote revision: 'latest/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+2m14s       Normal   NewArtifact           ocirepository/<repository-name>      stored artifact for revision 'latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+36s         Normal   ArtifactUpToDate      ocirepository/<repository-name>      artifact up-to-date with remote revision: 'latest@sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
 94s         Warning  OCIOperationFailed    ocirepository/<repository-name>      failed to pull artifact from 'oci://ghcr.io/stefanprodan/manifests/podinfo': couldn't find tag "0.0.1"
 ```
 
@@ -720,14 +925,15 @@ metadata:
   name: <repository-name>
 status:
   artifact:
-    checksum: 9f3bc0f341d4ecf2bab460cc59320a2a9ea292f01d7b96e32740a9abfd341088
+    digest: sha256:9f3bc0f341d4ecf2bab460cc59320a2a9ea292f01d7b96e32740a9abfd341088
     lastUpdateTime: "2022-08-08T09:35:45Z"
     metadata:
       org.opencontainers.image.created: "2022-08-08T12:31:41+03:00"
       org.opencontainers.image.revision: 6.1.8/b3b00fe35424a45d373bf4c7214178bc36fd7872
       org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git
     path: ocirepository/<namespace>/<repository-name>/<digest>.tar.gz
-    revision: <tag>/<digest>
+    revision: <tag>@<digest>
+    size: 1105
     url: http://source-controller.<namespace>.svc.cluster.local./ocirepository/<namespace>/<repository-name>/<digest>.tar.gz
 ```
 
@@ -769,12 +975,12 @@ following is true:
 - The newly resolved Artifact digest differs from the current Artifact.
 
 When the OCIRepository is "reconciling", the `Ready` Condition status becomes
-`False`, and the controller adds a Condition with the following attributes to
-the OCIRepository's `.status.conditions`:
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the OCIRepository's `.status.conditions`:
 
 - `type: Reconciling`
 - `status: "True"`
-- `reason: NewGeneration` | `reason: NoArtifact` | `reason: NewRevision`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
 
 If the reconciling state is due to a new revision, an additional Condition is
 added with the following attributes:
@@ -806,8 +1012,8 @@ following attributes in the OCIRepository's `.status.conditions`:
 - `reason: Succeeded`
 
 This `Ready` Condition will retain a status value of `"True"` until the
-OCIRepository is marked as [reconciling](#reconciling-gitrepository), or e.g. a
-[transient error](#failed-gitrepository) occurs due to a temporary network issue.
+OCIRepository is marked as [reconciling](#reconciling-ocirepository), or e.g. a
+[transient error](#failed-ocirepository) occurs due to a temporary network issue.
 
 When the OCIRepository Artifact is archived in the controller's Artifact
 storage, the controller sets a Condition with the following attributes in the
@@ -862,7 +1068,10 @@ exponential backoff, until it succeeds and the OCIRepository is marked as
 
 Note that a OCIRepository can be [reconciling](#reconciling-ocirepository)
 while failing at the same time, for example due to a newly introduced
-configuration issue in the OCIRepository spec.
+configuration issue in the OCIRepository spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
 
 ### Content Configuration Checksum
 

go.mod

@@ -1,402 +1,425 @@
 module github.com/fluxcd/source-controller
 
-go 1.18
+go 1.24.0
 
 replace github.com/fluxcd/source-controller/api => ./api
 
-// Fix CVE-2022-1996 (for v2, Go Modules incompatible)
-replace github.com/emicklei/go-restful => github.com/emicklei/go-restful v2.16.0+incompatible
+// Pin semver to v3.3.0 to avoid breaking changes in v3.3.1
+// xref: https://github.com/fluxcd/source-controller/issues/1738
+replace github.com/Masterminds/semver/v3 => github.com/Masterminds/semver/v3 v3.3.0
 
-// The util.Walk func was never release as a tag.
-replace github.com/go-git/go-billy/v5 => github.com/go-git/go-billy/v5 v5.0.0-20210804024030-7ab80d7c013d
+// Replace digest lib to master to gather access to BLAKE3.
+// xref: https://github.com/opencontainers/go-digest/pull/66
+replace github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.1-0.20220411205349-bde1400a84be
 
 require (
-	cloud.google.com/go/storage v1.28.1
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20221206110420-d395f97c4830
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.0
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.6.1
-	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2
-	github.com/docker/cli v20.10.22+incompatible
+	cloud.google.com/go/compute/metadata v0.6.0
+	cloud.google.com/go/storage v1.50.0
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.0
+	github.com/Masterminds/semver/v3 v3.3.1
+	github.com/cyphar/filepath-securejoin v0.4.1
+	github.com/distribution/distribution/v3 v3.0.0
+	github.com/docker/cli v28.1.1+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/fluxcd/go-git/v5 v5.0.0-20221206140629-ec778c2c37df
-	github.com/fluxcd/pkg/apis/event v0.2.0
-	github.com/fluxcd/pkg/apis/meta v0.18.0
-	github.com/fluxcd/pkg/git v0.7.0
-	github.com/fluxcd/pkg/git/gogit v0.4.0
-	github.com/fluxcd/pkg/gittestserver v0.8.0
-	github.com/fluxcd/pkg/helmtestserver v0.10.0
-	github.com/fluxcd/pkg/lockedfile v0.1.0
-	github.com/fluxcd/pkg/masktoken v0.2.0
-	github.com/fluxcd/pkg/oci v0.17.0
-	github.com/fluxcd/pkg/runtime v0.24.0
-	github.com/fluxcd/pkg/sourceignore v0.3.0
-	github.com/fluxcd/pkg/ssh v0.7.0
-	github.com/fluxcd/pkg/testserver v0.4.0
-	github.com/fluxcd/pkg/untar v0.2.0
-	github.com/fluxcd/pkg/version v0.2.0
-	github.com/fluxcd/source-controller/api v0.32.1
-	github.com/go-git/go-billy/v5 v5.3.1
-	github.com/go-logr/logr v1.2.3
-	github.com/google/go-containerregistry v0.12.1
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20221213180026-23d895d08035
-	github.com/google/uuid v1.3.0
-	github.com/minio/minio-go/v7 v7.0.45
-	github.com/onsi/gomega v1.24.2
-	github.com/ory/dockertest/v3 v3.9.1
-	github.com/otiai10/copy v1.9.0
+	github.com/elazarl/goproxy v1.7.2
+	github.com/fluxcd/cli-utils v0.36.0-flux.13
+	github.com/fluxcd/pkg/apis/event v0.17.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	github.com/fluxcd/pkg/auth v0.18.0
+	github.com/fluxcd/pkg/cache v0.9.0
+	github.com/fluxcd/pkg/git v0.32.0
+	github.com/fluxcd/pkg/git/gogit v0.35.1
+	github.com/fluxcd/pkg/gittestserver v0.17.0
+	github.com/fluxcd/pkg/helmtestserver v0.24.0
+	github.com/fluxcd/pkg/lockedfile v0.6.0
+	github.com/fluxcd/pkg/masktoken v0.7.0
+	github.com/fluxcd/pkg/oci v0.49.0
+	github.com/fluxcd/pkg/runtime v0.60.0
+	github.com/fluxcd/pkg/sourceignore v0.12.0
+	github.com/fluxcd/pkg/ssh v0.19.0
+	github.com/fluxcd/pkg/tar v0.12.0
+	github.com/fluxcd/pkg/testserver v0.11.0
+	github.com/fluxcd/pkg/version v0.7.0
+	github.com/fluxcd/source-controller/api v1.6.0
+	github.com/foxcpp/go-mockdns v1.1.0
+	github.com/go-git/go-billy/v5 v5.6.2
+	github.com/go-git/go-git/v5 v5.16.2
+	github.com/go-logr/logr v1.4.2
+	github.com/google/go-containerregistry v0.20.5
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20241111191718-6bce25ecf029
+	github.com/google/uuid v1.6.0
+	github.com/minio/minio-go/v7 v7.0.92
+	github.com/notaryproject/notation-core-go v1.3.0
+	github.com/notaryproject/notation-go v1.3.2
+	github.com/onsi/gomega v1.37.0
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/go-digest/blake3 v0.0.0-20240426182413-22b78e47854a
+	github.com/opencontainers/image-spec v1.1.1
+	github.com/ory/dockertest/v3 v3.12.0
+	github.com/otiai10/copy v1.14.1
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
-	github.com/prometheus/client_golang v1.14.0
-	github.com/sigstore/cosign v1.13.1
-	github.com/sigstore/sigstore v1.5.0
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.4.0
-	golang.org/x/sync v0.1.0
-	google.golang.org/api v0.105.0
+	github.com/prometheus/client_golang v1.22.0
+	github.com/sigstore/cosign/v2 v2.5.0
+	github.com/sigstore/sigstore v1.9.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/pflag v1.0.6
+	golang.org/x/crypto v0.39.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.15.0
+	google.golang.org/api v0.227.0
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.10.3
-	k8s.io/api v0.25.4
-	k8s.io/apimachinery v0.25.4
-	k8s.io/client-go v0.25.4
-	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
-	sigs.k8s.io/cli-utils v0.34.0
-	sigs.k8s.io/controller-runtime v0.13.1
-	sigs.k8s.io/yaml v1.3.0
+	helm.sh/helm/v3 v3.17.3
+	k8s.io/api v0.33.0
+	k8s.io/apimachinery v0.33.0
+	k8s.io/client-go v0.33.0
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	oras.land/oras-go/v2 v2.5.0
+	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
-	bitbucket.org/creachadair/shell v0.0.7 // indirect
-	cloud.google.com/go v0.105.0 // indirect
-	cloud.google.com/go/compute v1.13.0 // indirect
-	cloud.google.com/go/compute/metadata v0.2.2 // indirect
-	cloud.google.com/go/iam v0.8.0 // indirect
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
-	github.com/Azure/azure-sdk-for-go v67.1.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	cloud.google.com/go v0.118.3 // indirect
+	cloud.google.com/go/auth v0.15.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/iam v1.4.1 // indirect
+	cloud.google.com/go/monitoring v1.24.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/Masterminds/squirrel v1.5.3 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
-	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
 	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
 	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
-	github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
-	github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.0 // indirect
 	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
-	github.com/alibabacloud-go/openapi-util v0.0.11 // indirect
-	github.com/alibabacloud-go/tea v1.1.18 // indirect
-	github.com/alibabacloud-go/tea-utils v1.4.4 // indirect
-	github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
-	github.com/aliyun/credentials-go v1.2.3 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.18.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20221004211355-a250ad2ca1e3 // indirect
-	github.com/benbjohnson/clock v1.1.0 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+	github.com/alibabacloud-go/tea v1.2.1 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.2 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/bshuster-repo/logrus-logstash-hook v1.0.2 // indirect
-	github.com/bugsnag/bugsnag-go v2.1.2+incompatible // indirect
-	github.com/bugsnag/panicwrap v1.3.4 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/bradleyfalzon/ghinstallation/v2 v2.15.0 // indirect
+	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
+	github.com/buildkite/agent/v3 v3.95.1 // indirect
+	github.com/buildkite/go-pipeline v0.13.3 // indirect
+	github.com/buildkite/interpolate v0.1.5 // indirect
+	github.com/buildkite/roko v1.3.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/chrismellard/docker-credential-acr-env v0.0.0-20221002210726-e883f69e0206 // indirect
-	github.com/clbanning/mxj/v2 v2.5.6 // indirect
-	github.com/cloudflare/circl v1.3.0 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
-	github.com/containerd/containerd v1.6.10 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
-	github.com/coreos/go-oidc/v3 v3.4.0 // indirect
-	github.com/coreos/go-semver v0.3.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v20.10.21+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v28.1.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/dustin/go-humanize v1.0.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/fatih/color v1.17.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/gitkit v0.6.0 // indirect
-	github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/fullstorydev/grpcurl v1.8.7 // indirect
+	github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.2.3 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.24.2 // indirect
-	github.com/go-openapi/spec v0.20.7 // indirect
-	github.com/go-openapi/strfmt v0.21.3 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.0 // indirect
-	github.com/go-piv/piv-go v1.10.0 // indirect
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator/v10 v10.11.0 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-piv/piv-go/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gofrs/uuid v4.2.0+incompatible // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
-	github.com/golang/glog v1.0.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/mock v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomodule/redigo v1.8.2 // indirect
-	github.com/google/btree v1.1.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.3 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221017135236-9b4fdd506cdd // indirect
-	github.com/google/go-github/v45 v45.2.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/certificate-transparency-go v1.3.1 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa // indirect
+	github.com/google/go-github/v55 v55.0.0 // indirect
+	github.com/google/go-github/v71 v71.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/trillian v1.5.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
-	github.com/gorilla/handlers v1.5.1 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/huandu/xstrings v1.3.3 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/golang-lru/arc/v2 v2.0.5 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/in-toto/attestation v1.1.1 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
-	github.com/jhump/protoreflect v1.14.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
-	github.com/jonboulle/clockwork v0.3.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.15.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.1.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
-	github.com/lib/pq v1.10.7 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20221105221325-4eb28fa6025c // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
+	github.com/notaryproject/tspclient-go v1.0.0 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
+	github.com/opencontainers/runc v1.2.4 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
+	github.com/otiai10/mint v1.6.3 // indirect
+	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pjbgf/sha1cd v0.2.3 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/rivo/uniseg v0.4.2 // indirect
-	github.com/rs/xid v1.4.0 // indirect
-	github.com/rubenv/sql-migrate v1.2.0 // indirect
-	github.com/russross/blackfriday v1.6.0 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 // indirect
+	github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 // indirect
+	github.com/redis/go-redis/v9 v9.7.3 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rs/xid v1.6.0 // indirect
+	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/sigstore/fulcio v0.6.0 // indirect
-	github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect
-	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sigstore/fulcio v1.6.6 // indirect
+	github.com/sigstore/protobuf-specs v0.4.1 // indirect
+	github.com/sigstore/rekor v1.3.9 // indirect
+	github.com/sigstore/sigstore-go v0.7.1 // indirect
+	github.com/sigstore/timestamp-authority v1.2.5 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/soheilhy/cmux v0.1.5 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.6.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.13.0 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.1.1 // indirect
-	github.com/stretchr/testify v1.8.1 // indirect
-	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
-	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
-	github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect
+	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	github.com/tjfoc/gmsm v1.3.2 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
-	github.com/transparency-dev/merkle v0.0.1 // indirect
-	github.com/urfave/cli v1.22.7 // indirect
-	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/xanzy/go-gitlab v0.73.1 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
-	github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
-	github.com/yvasiyarov/gorelic v0.0.7 // indirect
-	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
-	github.com/zeebo/errs v1.2.2 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/v2 v2.306.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/server/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/v3 v3.6.0-alpha.0 // indirect
-	go.mongodb.org/mongo-driver v1.10.1 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 // indirect
-	go.opentelemetry.io/otel v1.7.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.7.0 // indirect
-	go.opentelemetry.io/otel/trace v1.7.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.16.0 // indirect
-	go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	go.uber.org/zap v1.23.0 // indirect
-	golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/net v0.4.0 // indirect
-	golang.org/x/oauth2 v0.3.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
-	golang.org/x/term v0.3.0 // indirect
-	golang.org/x/text v0.5.0 // indirect
-	golang.org/x/time v0.2.0 // indirect
-	golang.org/x/tools v0.3.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6 // indirect
-	google.golang.org/grpc v1.51.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	gitlab.com/gitlab-org/api/client-go v0.127.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
+	go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.54.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 // indirect
+	go.opentelemetry.io/otel/log v0.8.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/grpc v1.71.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.25.4 // indirect
-	k8s.io/apiserver v0.25.4 // indirect
-	k8s.io/cli-runtime v0.25.4 // indirect
-	k8s.io/component-base v0.25.4 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221110221610-a28e98eb7c70 // indirect
-	k8s.io/kubectl v0.25.4 // indirect
-	oras.land/oras-go v1.2.1 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.12.1 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
-	sigs.k8s.io/release-utils v0.7.3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/apiextensions-apiserver v0.33.0 // indirect
+	k8s.io/apiserver v0.33.0 // indirect
+	k8s.io/cli-runtime v0.33.0 // indirect
+	k8s.io/component-base v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/kubectl v0.33.0 // indirect
+	oras.land/oras-go v1.2.5 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/api v0.19.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/release-utils v0.11.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )
 
 retract v0.32.0 // Refers to incorrect ./api version.