Merge pull request #1808 from TerryHowe/harden-blob-test

fix: blob test cores if no error

.github/dependabot.yaml

@@ -1,9 +1,40 @@
 version: 2
 
 updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    labels: ["dependencies"]
+    schedule:
+      interval: "monthly"
+    groups:
+      go-deps:
+        patterns:
+          - "*"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      # Cloud SDK are updated manually
+      - dependency-name: "cloud.google.com/*"
+      - dependency-name: "github.com/Azure/azure-sdk-for-go/*"
+      # Kubernetes deps are updated by fluxcd/pkg/runtime
+      - dependency-name: "k8s.io/*"
+      - dependency-name: "sigs.k8s.io/*"
+      - dependency-name: "github.com/go-logr/*"
+      # OCI deps are updated by fluxcd/pkg/oci
+      - dependency-name: "github.com/docker/*"
+      - dependency-name: "github.com/distribution/*"
+      - dependency-name: "github.com/google/go-containerregistry*"
+      - dependency-name: "github.com/opencontainers/*"
+      # Helm deps are updated by fluxcd/pkg/helmtestserver
+      - dependency-name: "helm.sh/helm/*"
+      # Flux APIs are updated at release time
+      - dependency-name: "github.com/fluxcd/source-controller/api"
   - package-ecosystem: "github-actions"
     directory: "/"
-    labels: ["area/build"]
+    labels: ["area/ci", "dependencies"]
+    groups:
+      ci:
+        patterns:
+          - "*"
     schedule:
-      # by default this will be on a monday.
-      interval: "weekly"
+      interval: "monthly"

.github/labels.yaml

@@ -0,0 +1,39 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/bucket
+  description: Bucket related issues and pull requests
+  color: '#00b140'
+- name: area/git
+  description: Git related issues and pull requests
+  color: '#863faf'
+- name: area/helm
+  description: Helm related issues and pull requests
+  color: '#1673b6'
+- name: area/oci
+  description: OCI related issues and pull requests
+  color: '#c739ff'
+- name: area/storage
+  description: Storage related issues and pull requests
+  color: '#4b0082'
+- name: backport:release/v1.0.x
+  description: To be backported to release/v1.0.x
+  color: '#ffd700'
+- name: backport:release/v1.1.x
+  description: To be backported to release/v1.1.x
+  color: '#ffd700'
+- name: backport:release/v1.2.x
+  description: To be backported to release/v1.2.x
+  color: '#ffd700'
+- name: backport:release/v1.3.x
+  description: To be backported to release/v1.3.x
+  color: '#ffd700'
+- name: backport:release/v1.4.x
+  description: To be backported to release/v1.4.x
+  color: '#ffd700'
+- name: backport:release/v1.5.x
+  description: To be backported to release/v1.5.x
+  color: '#ffd700'
+- name: backport:release/v1.6.x
+  description: To be backported to release/v1.6.x
+  color: '#ffd700'

.github/workflows/backport.yaml

@@ -0,0 +1,34 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/cifuzz.yaml

@@ -1,8 +1,9 @@
-name: CIFuzz
+name: fuzz
 on:
   pull_request:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
     paths-ignore:
       - 'CHANGELOG.md'
       - 'README.md'
@@ -12,15 +13,15 @@ permissions:
   contents: read
 
 jobs:
-  Fuzzing:
+  smoketest:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod

.github/workflows/e2e.yaml

@@ -1,14 +1,15 @@
 name: e2e
 
 on:
+  workflow_dispatch:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -19,25 +20,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Enable integration tests
-        # Only run integration tests for main branch
-        if: github.ref == 'refs/heads/main'
+        # Only run integration tests for main and release branches
+        if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')
         run: |
           echo 'GO_TAGS=integration' >> $GITHUB_ENV
       - name: Setup Kubernetes
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.17.0
           cluster_name: kind
-          node_image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Setup Helm
@@ -47,45 +46,8 @@ jobs:
           SKIP_COSIGN_VERIFICATION: true
           CREATE_CLUSTER: false
         run: make e2e
-
-  kind-linux-arm64:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
-        with:
-          go-version: 1.20.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Enable integration tests
-        # Only run integration tests for main branch
-        if: github.ref == 'refs/heads/main'
-        run: |
-          echo 'GO_TAGS=integration' >> $GITHUB_ENV
-      - name: Prepare
-        id: prep
-        run: |
-          echo "CLUSTER=arm64-${GITHUB_SHA:0:7}-$(date +%s)" >> $GITHUB_OUTPUT
-          echo "CONTEXT=kind-arm64-${GITHUB_SHA:0:7}-$(date +%s)" >> $GITHUB_OUTPUT
-      - name: Setup Kubernetes Kind
-        run: |
-          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
-      - name: Run e2e tests
-        env:
-          SKIP_COSIGN_VERIFICATION: true
-          KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
-          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
-          CREATE_CLUSTER: false
-          BUILD_PLATFORM: linux/arm64
-          MINIO_TAG: RELEASE.2020-09-17T04-49-20Z-arm64
-        run: make e2e
-      - name: Cleanup
+      - name: Print controller logs
         if: always()
+        continue-on-error: true
         run: |
-          kind delete cluster --name ${{ steps.prep.outputs.CLUSTER }}
-          rm /tmp/${{ steps.prep.outputs.CLUSTER }}
+          kubectl -n source-system logs -l app=source-controller

.github/workflows/nightly.yml

@@ -15,16 +15,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           buildkitd-flags: "--debug"
       - name: Build multi-arch container image
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
           push: false
           builder: ${{ steps.buildx.outputs.name }}

.github/workflows/release.yml

@@ -7,23 +7,29 @@ on:
     inputs:
       tag:
         description: 'image tag prefix'
-        default: 'rc'
+        default: 'preview'
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
-  build-push:
+  release:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Prepare
@@ -36,24 +42,24 @@ jobs:
           echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
           echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             fluxcd/${{ env.CONTROLLER }}
@@ -61,7 +67,8 @@ jobs:
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish images
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        id: build-push
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
           sbom: true
           provenance: true
@@ -72,32 +79,82 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Check images
-        run: |
-          docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-      - uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3
+      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Sign images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
       - name: Generate release artifacts
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
           mkdir -p config/release
           kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
           kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-          echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
-      - uses: anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2
+      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
       - name: Create release and SBOM
+        id: run-goreleaser
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
-          args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
+          args: release --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=${{ steps.build-push.outputs.digest }}
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
+  release-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}

.github/workflows/scan.yaml

@@ -1,10 +1,10 @@
-name: Scan
+name: scan
 
 on:
   push:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   pull_request:
-    branches: [ main ]
+    branches: [ 'main', 'release/**' ]
   schedule:
     - cron: '18 10 * * 3'
 
@@ -18,9 +18,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
         with:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -31,19 +31,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
       - name: Autobuild
-        uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18

.github/workflows/sync-labels.yaml

@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true

.github/workflows/tests.yaml

@@ -1,15 +1,15 @@
 name: tests
 
 on:
+  workflow_dispatch:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
-
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -20,11 +20,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
@@ -36,31 +36,22 @@ jobs:
         run: make test
 
   test-linux-arm64:
-    # Hosted on Equinix
-    # Docs: https://github.com/fluxcd/flux2/tree/main/.github/runners
-    runs-on: [self-hosted, Linux, ARM64, equinix]
+    runs-on:
+      group: "ARM64"
+    if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod
       - name: Run tests
         env:
           SKIP_COSIGN_VERIFICATION: true
-
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
-          
-          # Temporarily disabling -race for arm64 as our GitHub action
-          # runners don't seem to like it. The race detection was tested
-          # on both Apple M1 and Linux arm64 with successful results.
-          #
-          # We should reenable go test -race for arm64 runners once the
-          # current issue is resolved.
-          GO_TEST_ARGS: ''
         run: make test

.github/workflows/verify.yaml

@@ -2,14 +2,13 @@ name: verify
 
 on:
   pull_request:
-    paths-ignore:
-      - 'CHANGELOG.md'
-      - 'README.md'
-      - 'MAINTAINERS'
-
+    branches:
+      - 'main'
+      - 'release/**'
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
@@ -20,11 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.20.x
+          go-version: 1.24.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod

.goreleaser.yaml

@@ -4,9 +4,26 @@ builds:
   - skip: true
 
 release:
-  prerelease: "true"
   extra_files:
     - glob: config/release/*.yaml
+  prerelease: "auto"
+  header: |
+    ## Changelog
+
+    [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
+  footer: |
+    ## Container images
+    
+    - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    
+    Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
+    
+    The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
+    To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).
+
+changelog:
+  disable: true
 
 checksum:
   extra_files:

CHANGELOG.md

@@ -2,6 +2,744 @@
 
 All notable changes to this project are documented in this file.
 
+## 1.6.2
+
+**Release date:** 2025-06-27
+
+This patch release comes with a fix for `rsa-sha2-512` and `rsa-sha2-256` algorithms
+not being prioritized for `ssh-rsa` host keys.
+
+Fixes:
+- Fix: Prioritize sha2-512 and sha2-256 for ssh-rsa host keys
+  [#1839](https://github.com/fluxcd/source-controller/pull/1839)
+
+## 1.6.1
+
+**Release date:** 2025-06-13
+
+This patch release comes with a fix for the `knownhosts: key mismatch`
+error in the `GitRepository` API when using SSH authentication, and
+a fix for authentication with
+[public ECR repositories](https://fluxcd.io/flux/integrations/aws/#for-amazon-public-elastic-container-registry)
+in the `OCIRepository` API.
+
+Fix:
+- Fix authentication for public ECR
+  [#1825](https://github.com/fluxcd/source-controller/pull/1825)
+- Fix `knownhosts key mismatch` regression bug
+  [#1829](https://github.com/fluxcd/source-controller/pull/1829)
+
+## 1.6.0
+
+**Release date:** 2025-05-27
+
+This minor release promotes the OCIRepository API to GA, and comes with new features,
+improvements and bug fixes.
+
+### OCIRepository
+
+The `OCIRepository` API has been promoted from `v1beta2` to `v1` (GA).
+The `v1` API is backwards compatible with `v1beta2`.
+
+OCIRepository API now supports object-level workload identity by setting
+`.spec.provider` to one of `aws`, `azure`, or `gcp`, and setting
+`.spec.serviceAccountName` to the name of a service account in the same
+namespace that has been configured with appropriate cloud permissions.
+For this feature to work, the controller feature gate
+`ObjectLevelWorkloadIdentity` must be enabled. See a complete guide
+[here](https://fluxcd.io/flux/integrations/).
+
+OCIRepository API now caches registry credentials for cloud providers
+by default. This behavior can be disabled or fine-tuned by adjusting the
+token cache controller flags (see [docs](https://fluxcd.io/flux/components/source/options/)).
+The token cache also exposes metrics that are documented
+[here](https://fluxcd.io/flux/monitoring/metrics/#controller-metrics).
+
+### GitRepository
+
+GitRepository API now supports sparse checkout by setting a list
+of directories in the `.spec.sparseCheckout` field. This allows
+for optimizing the amount of data fetched from the Git repository.
+
+GitRepository API now supports mTLS authentication for HTTPS Git repositories
+by setting the fields `tls.crt`, `tls.key`, and `ca.crt` in the `.data` field
+of the referenced Secret in `.spec.secretRef`.
+
+GitRepository API now caches credentials for non-`generic` providers by default.
+This behavior can be disabled or fine-tuned by adjusting the
+token cache controller flags (see [docs](https://fluxcd.io/flux/components/source/options/)).
+The token cache also exposes metrics that are documented
+[here](https://fluxcd.io/flux/monitoring/metrics/#controller-metrics).
+
+### General updates
+
+In addition, the Kubernetes dependencies have been updated to v1.33 and
+various other controller dependencies have been updated to their latest
+version. The controller is now built with Go 1.24.
+
+Fixes:
+- Downgrade `Masterminds/semver` to v3.3.0
+  [#1785](https://github.com/fluxcd/source-controller/pull/1785)
+
+Improvements:
+- Promote OCIRepository API to v1 (GA)
+  [#1794](https://github.com/fluxcd/source-controller/pull/1794)
+- [RFC-0010] Introduce object-level workload identity for container registry APIs and cache credentials
+  [#1790](https://github.com/fluxcd/source-controller/pull/1790)
+  [#1802](https://github.com/fluxcd/source-controller/pull/1802)
+  [#1811](https://github.com/fluxcd/source-controller/pull/1811)
+- Implement Sparse Checkout for `GitRepository`
+  [#1774](https://github.com/fluxcd/source-controller/pull/1774)
+- Add Mutual TLS support to `GitRepository`
+  [#1778](https://github.com/fluxcd/source-controller/pull/1778)
+- Introduce token cache for `GitRepository`
+  [#1745](https://github.com/fluxcd/source-controller/pull/1745)
+  [#1788](https://github.com/fluxcd/source-controller/pull/1788)
+  [#1789](https://github.com/fluxcd/source-controller/pull/1789)
+- Build controller without CGO
+  [#1725](https://github.com/fluxcd/source-controller/pull/1725)
+- Various dependency updates
+  [#1812](https://github.com/fluxcd/source-controller/pull/1812)
+  [#1800](https://github.com/fluxcd/source-controller/pull/1800)
+  [#1810](https://github.com/fluxcd/source-controller/pull/1810)
+  [#1806](https://github.com/fluxcd/source-controller/pull/1806)
+  [#1782](https://github.com/fluxcd/source-controller/pull/1782)
+  [#1783](https://github.com/fluxcd/source-controller/pull/1783)
+  [#1775](https://github.com/fluxcd/source-controller/pull/1775)
+  [#1728](https://github.com/fluxcd/source-controller/pull/1728)
+  [#1722](https://github.com/fluxcd/source-controller/pull/1722)
+
+## 1.5.0
+
+**Release date:** 2025-02-13
+
+This minor release comes with various bug fixes and improvements.
+
+### GitRepository
+
+The GitRepository API now supports authenticating through GitHub App
+for GitHub repositories. See
+[docs](https://fluxcd.io/flux/components/source/gitrepositories/#github).
+
+In addition, the Kubernetes dependencies have been updated to v1.32.1, Helm has
+been updated to v3.17.0 and various other controller dependencies have been
+updated to their latest version.
+
+Fixes:
+- Remove deprecated object metrics from controllers
+  [#1686](https://github.com/fluxcd/source-controller/pull/1686)
+
+Improvements:
+- [RFC-007] Implement GitHub app authentication for git repositories.
+  [#1647](https://github.com/fluxcd/source-controller/pull/1647)
+- Various dependency updates
+  [#1684](https://github.com/fluxcd/source-controller/pull/1684)
+  [#1689](https://github.com/fluxcd/source-controller/pull/1689)
+  [#1693](https://github.com/fluxcd/source-controller/pull/1693)
+  [#1705](https://github.com/fluxcd/source-controller/pull/1705)
+  [#1708](https://github.com/fluxcd/source-controller/pull/1708)
+  [#1709](https://github.com/fluxcd/source-controller/pull/1709)
+  [#1713](https://github.com/fluxcd/source-controller/pull/1713)
+  [#1716](https://github.com/fluxcd/source-controller/pull/1716)
+
+## 1.4.1
+
+**Release date:** 2024-09-26
+
+This patch release comes with a fix to the `GitRepository` API to keep it
+backwards compatible by removing the default value for `.spec.provider` field
+when not set in the API. The controller will internally consider an empty value
+for the provider as the `generic` provider.
+
+Fix:
+- GitRepo: Remove provider default value from API
+  [#1626](https://github.com/fluxcd/source-controller/pull/1626)
+
+## 1.4.0
+
+**Release date:** 2024-09-25
+
+This minor release promotes the Bucket API to GA, and comes with new features,
+improvements and bug fixes.
+
+### Bucket
+
+The `Bucket` API has been promoted from `v1beta2` to `v1` (GA).
+The `v1` API is backwards compatible with `v1beta2`.
+
+Bucket API now supports proxy through the field `.spec.proxySecretRef` and custom TLS client certificate and CA through the field `.spec.certSecretRef`.
+
+Bucket API now also supports specifying a custom STS configuration through the field `.spec.sts`. This is currently only supported for the providers `generic` and `aws`. When specifying a custom STS configuration one must specify which STS provider to use. For the `generic` bucket provider we support the `ldap` STS provider, and for the `aws` bucket provider we support the `aws` STS provider. For the `aws` STS provider, one may use the default main STS endpoint, or the regional STS endpoints, or even an interface endpoint.
+
+### OCIRepository
+
+OCIRepository API now supports proxy through the field `.spec.proxySecretRef`.
+
+**Warning**: Proxy is not supported for cosign keyless verification.
+
+### GitRepository
+
+GitRepository API now supports OIDC authentication for Azure DevOps repositories through the field `.spec.provider` using the value `azure`. See the docs for details [here](https://fluxcd.io/flux/components/source/gitrepositories/#provider).
+
+In addition, the Kubernetes dependencies have been updated to v1.31.1, Helm has
+been updated to v3.16.1 and various other controller dependencies have been
+updated to their latest version. The controller is now built with Go 1.23.
+
+Fixes:
+- helm: Use the default transport pool to preserve proxy settings
+  [#1490](https://github.com/fluxcd/source-controller/pull/1490)
+- Fix incorrect use of format strings with the conditions package.
+  [#1529](https://github.com/fluxcd/source-controller/pull/1529)
+- Fix HelmChart local dependency resolution for name-based path
+  [#1539](https://github.com/fluxcd/source-controller/pull/1539)
+- Fix Helm index validation for Artifactory
+  [#1516](https://github.com/fluxcd/source-controller/pull/1516)
+
+Improvements:
+- Promote Bucket API to v1
+  [#1592](https://github.com/fluxcd/source-controller/pull/1592)
+- Add .spec.certSecretRef to Bucket API
+  [#1475](https://github.com/fluxcd/source-controller/pull/1475)
+- Run ARM64 tests on GitHub runners
+  [#1512](https://github.com/fluxcd/source-controller/pull/1512)
+- Add support for .spec.proxySecretRef for generic provider of Bucket API
+  [#1500](https://github.com/fluxcd/source-controller/pull/1500)
+- Improve invalid proxy error message for Bucket API
+  [#1550](https://github.com/fluxcd/source-controller/pull/1550)
+- Add support for AWS STS endpoint in the Bucket API
+  [#1552](https://github.com/fluxcd/source-controller/pull/1552)
+- Add proxy support for GCS buckets
+  [#1565](https://github.com/fluxcd/source-controller/pull/1565)
+- azure-blob: Fix VisitObjects() in integration test
+  [#1574](https://github.com/fluxcd/source-controller/pull/1574)
+- Add proxy support for Azure buckets
+  [#1567](https://github.com/fluxcd/source-controller/pull/1567)
+- Add proxy support for AWS S3 buckets
+  [#1568](https://github.com/fluxcd/source-controller/pull/1568)
+- Add proxy support for OCIRepository API
+  [#1536](https://github.com/fluxcd/source-controller/pull/1536)
+- Add LDAP provider for Bucket STS API
+  [#1585](https://github.com/fluxcd/source-controller/pull/1585)
+- Introduce Bucket provider constants with the common part as a prefix
+  [#1589](https://github.com/fluxcd/source-controller/pull/1589)
+- OCIRepository: Configure proxy for OIDC auth
+  [#1607](https://github.com/fluxcd/source-controller/pull/1607)
+- [RFC-0007] Enable Azure OIDC for Azure DevOps repositories
+  [#1591](https://github.com/fluxcd/source-controller/pull/1591)
+- Build with Go 1.23
+  [#1582](https://github.com/fluxcd/source-controller/pull/1582)
+- Various dependency updates
+  [#1507](https://github.com/fluxcd/source-controller/pull/1507)
+  [#1576](https://github.com/fluxcd/source-controller/pull/1576)
+  [#1578](https://github.com/fluxcd/source-controller/pull/1578)
+  [#1579](https://github.com/fluxcd/source-controller/pull/1579)
+  [#1583](https://github.com/fluxcd/source-controller/pull/1583)
+  [#1588](https://github.com/fluxcd/source-controller/pull/1588)
+  [#1603](https://github.com/fluxcd/source-controller/pull/1603)
+  [#1610](https://github.com/fluxcd/source-controller/pull/1610)
+  [#1614](https://github.com/fluxcd/source-controller/pull/1614)
+  [#1618](https://github.com/fluxcd/source-controller/pull/1618)
+
+## 1.3.0
+
+**Release date:** 2024-05-03
+
+This minor release promotes the Helm APIs to GA, and comes with new features,
+improvements and bug fixes.
+
+### HelmRepository
+
+The `HelmRepository` API has been promoted from `v1beta2` to `v1` (GA).
+The `v1` API is backwards compatible with `v1beta2`.
+
+For `HelmRepository` of type `oci`, the `.spec.insecure` field allows connecting
+over HTTP to an insecure non-TLS container registry. 
+
+To upgrade from `v1beta2`, after deploying the new CRD and controller,
+set  `apiVersion: source.toolkit.fluxcd.io/v1` in the YAML files that
+contain `HelmRepository` definitions.
+Bumping the API version in manifests can be done gradually.
+It is advised not to delay this procedure as the beta versions will be removed after 6 months.
+
+### HelmChart
+
+The `HelmChart` API have been promoted from `v1beta2` to `v1` (GA).
+The `v1` API is backwards compatible with `v1beta2`, with the exception
+of the removal of the deprecated field `.spec.valuesFile` which was replaced with `spec.valuesFiles`.
+
+The `HelmChart` API was extended with support for
+[Notation signature verification](https://github.com/fluxcd/source-controller/blob/release/v1.3.x/docs/spec/v1/helmcharts.md#notation)
+of Helm OCI charts.
+
+A new optional field `.spec.ignoreMissingValuesFiles` has been added,
+which allows the controller to ignore missing values files rather than failing to reconcile the `HelmChart`.
+
+### OCIRepository
+
+The `OCIRepository` API was extended with support for
+[Notation signature verification](https://github.com/fluxcd/source-controller/blob/release/v1.3.x/docs/spec/v1beta2/ocirepositories.md#notation)
+of OCI artifacts.
+
+A new optional field `.spec.ref.semverFilter` has been added,
+which allows the controller to filter the tags based on regular expressions
+before applying the semver range. This allows 
+[picking the latest release candidate](https://github.com/fluxcd/source-controller/blob/release/v1.3.x/docs/spec/v1beta2/ocirepositories.md#semverfilter-example)
+instead of the latest stable release.
+
+In addition, the controller has been updated to Kubernetes v1.30.0,
+Helm v3.14.4, and various other dependencies to their latest version
+to patch upstream CVEs.
+
+Improvements:
+- Promote Helm APIs to `source.toolkit.fluxcd.io/v1` (GA)
+  [#1428](https://github.com/fluxcd/source-controller/pull/1428)
+- Add `.spec.ignoreMissingValuesFiles` to HelmChart API
+  [#1447](https://github.com/fluxcd/source-controller/pull/1447)
+- Implement `.spec.ref.semverFilter` in OCIRepository API
+  [#1407](https://github.com/fluxcd/source-controller/pull/1407)
+- Helm: Allow insecure registry login
+  [#1412](https://github.com/fluxcd/source-controller/pull/1442)
+- Add support for Notation verification to HelmChart and OCIRepository
+  [#1075](https://github.com/fluxcd/source-controller/pull/1075)
+- Various dependency updates
+  [#1442](https://github.com/fluxcd/source-controller/pull/1442)
+  [#1450](https://github.com/fluxcd/source-controller/pull/1450)
+  [#1469](https://github.com/fluxcd/source-controller/pull/1469)
+  [#1378](https://github.com/fluxcd/source-controller/pull/1378)
+
+Fixes:
+- Bind cached helm index to the maximum index size
+  [#1457](https://github.com/fluxcd/source-controller/pull/1457)
+- Remove `genclient:Namespaced` tag
+  [#1386](https://github.com/fluxcd/source-controller/pull/1386)
+
+## 1.2.5
+
+**Release date:** 2024-04-04
+
+This patch release comes with improvements to the `HelmChart` name validation 
+and adds logging sanitization of connection error messages for `Bucket` sources.
+
+Fixes:
+- Improve chart name validation
+  [#1377](https://github.com/fluxcd/source-controller/pull/1377)
+- Sanitize URLs for bucket fetch error messages
+  [#1430](https://github.com/fluxcd/source-controller/pull/1430)
+
+Improvements:
+- Update controller-gen to v0.14.0
+  [#1399](https://github.com/fluxcd/source-controller/pull/1399)
+
+## 1.2.4
+
+**Release date:** 2024-02-01
+
+This patch release updates the Kubernetes dependencies to v1.28.6 and various
+other dependencies to their latest version to patch upstream CVEs.
+
+Improvements:
+- Various dependency updates
+  [#1362](https://github.com/fluxcd/source-controller/pull/1362)
+  [#1357](https://github.com/fluxcd/source-controller/pull/1357)
+  [#1353](https://github.com/fluxcd/source-controller/pull/1353)
+  [#1347](https://github.com/fluxcd/source-controller/pull/1347)
+  [#1343](https://github.com/fluxcd/source-controller/pull/1343)
+  [#1340](https://github.com/fluxcd/source-controller/pull/1340)
+  [#1338](https://github.com/fluxcd/source-controller/pull/1338)
+  [#1336](https://github.com/fluxcd/source-controller/pull/1336)
+  [#1334](https://github.com/fluxcd/source-controller/pull/1334)
+
+## 1.2.3
+
+**Release date:** 2023-12-14
+
+This patch release updates the controller's Helm dependency to v3.13.3.
+
+Improvements:
+- Update Helm to v3.13.3
+  [#1325](https://github.com/fluxcd/source-controller/pull/1325)
+- helmrepo: Remove migration log/event
+  [#1324](https://github.com/fluxcd/source-controller/pull/1324)
+
+## 1.2.2
+
+**Release date:** 2023-12-11
+
+This patch release addresses an issue with AWS ECR authentication introduced in
+v1.2.0.
+
+In addition, a variety of dependencies have been updated. Including an update
+of the container base image to Alpine v3.19.
+
+Fixes:
+- Address issue with authenticating towards AWS ECR
+  [#1318](https://github.com/fluxcd/source-controller/pull/1318)
+  [#1321](https://github.com/fluxcd/source-controller/pull/1318)
+
+Improvements:
+
+- Update dependencies
+  [#1314](https://github.com/fluxcd/source-controller/pull/1314)
+  [#1318](https://github.com/fluxcd/source-controller/pull/1318)
+  [#1321](https://github.com/fluxcd/source-controller/pull/1321)
+- build: update Alpine to 3.19
+  [#1316](https://github.com/fluxcd/source-controller/pull/1316)
+
+## 1.2.1
+
+**Release date:** 2023-12-08
+
+This patch release ensures the controller is built with the latest Go `1.21.x`
+release, to mitigate multiple security vulnerabilities which were published
+shortly after the release of v1.2.0.
+
+In addition, a small number of dependencies have been updated to their latest
+version.
+
+Improvements:
+- Update dependencies
+  [#1309](https://github.com/fluxcd/source-controller/pull/1309)
+
+## 1.2.0
+
+**Release date:** 2023-12-05
+
+This minor release comes with API changes, bug fixes and several new features.
+
+### Bucket
+
+A new field, `.spec.prefix`, has been added to the Bucket API, which enables
+server-side filtering of files if the object's `.spec.provider` is set to
+`generic`/`aws`/`gcp`.
+
+### OCIRepository and HelmChart
+
+Two new fields, `.spec.verify.matchOIDCIdentity.issuer` and
+`.spec.verify.matchOIDCIdentity.subject` have been added to the HelmChart and
+OCIRepository APIs. If the image has been keylessly signed via Cosign, these
+fields can be used to verify the OIDC issuer of the Fulcio certificate and the
+OIDC identity's subject respectively.
+
+### HelmRepository
+
+A new boolean field, `.spec.insecure`, has been introduced to the HelmRepository
+API, which allows connecting to a non-TLS HTTP container registry. It is only
+considered if the object's `.spec.type` is set to `oci`.
+
+From this release onwards, HelmRepository objects of type OCI are treated as
+static objects, i.e. they have an empty status.
+Existing objects undergo a one-time automatic migration and new objects
+will be undergo a one-time reconciliation to remove any status fields.
+
+Additionally, the controller now performs a shallow clone if the
+`.spec.ref.name` of the GitRepository object points to a branch or a tag.
+
+Furthermore, a bug has been fixed, where the controller would try to
+authenticate against public OCI registries if the HelmRepository object has a
+reference to a Secret containing a CA certificate.
+
+Lastly, dependencies have been updated to their latest version, including an
+update of Kubernetes to v1.28.4.
+
+Fixes:
+- Address miscellaneous issues throughout code base
+  [#1257](https://github.com/fluxcd/source-controller/pull/1257)
+- helmrepo: only configure tls login option when required
+  [#1289](https://github.com/fluxcd/source-controller/pull/1289)
+- oci: rename `OCIChartRepository.insecure` to `insecureHTTP`
+  [#1299](https://github.com/fluxcd/source-controller/pull/1299)
+- Use bitnami Minio oci chart for e2e
+  [#1301](https://github.com/fluxcd/source-controller/pull/1301)
+
+Improvements:
+- build(deps): bump Go dependencies
+  [#1260](https://github.com/fluxcd/source-controller/pull/1260)
+  [#1261](https://github.com/fluxcd/source-controller/pull/1261)
+  [#1269](https://github.com/fluxcd/source-controller/pull/1269)
+  [#1291](https://github.com/fluxcd/source-controller/pull/1291)
+- build(deps): bump the ci group dependencies
+  [#1265](https://github.com/fluxcd/source-controller/pull/1265)
+  [#1266](https://github.com/fluxcd/source-controller/pull/1266)
+  [#1272](https://github.com/fluxcd/source-controller/pull/1272)
+  [#1277](https://github.com/fluxcd/source-controller/pull/1277)
+  [#1281](https://github.com/fluxcd/source-controller/pull/1281)
+  [#1285](https://github.com/fluxcd/source-controller/pull/1285)
+  [#1296](https://github.com/fluxcd/source-controller/pull/1296)
+  [#1303](https://github.com/fluxcd/source-controller/pull/1303)
+- bucket: Add prefix filtering capability
+  [#1228](https://github.com/fluxcd/source-controller/pull/1228)
+- Static HelmRepository OCI
+  [#1243](https://github.com/fluxcd/source-controller/pull/1243)
+- cosign: allow identity matching for keyless verification
+  [#1250](https://github.com/fluxcd/source-controller/pull/1250)
+- Upgrade `go-git` to v5.10.0
+  [#1271](https://github.com/fluxcd/source-controller/pull/1271)
+- storage: change default file permissions
+  [#1276](https://github.com/fluxcd/source-controller/pull/1276)
+- Update dependencies to Kubernetes v1.28
+  [#1286](https://github.com/fluxcd/source-controller/pull/1286)
+- Add `.spec.insecure` to `HelmRepository` for `type: oci`
+  [#1288](https://github.com/fluxcd/source-controller/pull/1288)
+- Update Git dependencies
+  [#1300](https://github.com/fluxcd/source-controller/pull/1300)
+- Update Go dependencies
+  [#1304](https://github.com/fluxcd/source-controller/pull/1304)
+
+## 1.1.2
+
+**Release date:** 2023-10-11
+
+This patch release fixes a bug where OCIRepository objects can't be consumed
+when the OCI image layer contains symlinks.
+
+Fixes:
+- oci: Skip symlinks found in upstream artifacts
+  [#1246](https://github.com/fluxcd/source-controller/pull/1246/)
+
+Improvements:
+- build(deps): bump the ci group with 1 update
+  [#1256](https://github.com/fluxcd/source-controller/pull/1256)
+
+## 1.1.1
+
+**Release date:** 2023-09-18
+
+This is a patch release that fixes a regression introduced in v1.1.0 where
+HelmRepository objects would not be reconciled if they provided a TLS Secret
+using `.spec.secretRef` with a type other than `Opaque` or `kubernetes.io/tls`.
+
+In addition, the URL lookup strategy for Buckets has been changed from path to
+auto, to widen support for S3-compatible object storage services.
+
+Lastly, several dependencies have been updated to their latest versions.
+
+Fixes:
+- bucket: use auto lookup type
+  [#1222](https://github.com/fluxcd/source-controller/pull/1222)
+- helmrepo: fix Secret type check for TLS via `.spec.secretRef`
+  [#1225](https://github.com/fluxcd/source-controller/pull/1225)
+- Upgrade github.com/fluxcd/pkg/{git,git/gogit}
+  [#1236](https://github.com/fluxcd/source-controller/pull/1236)
+
+Improvements:
+- build(deps): bump the ci group dependencies
+  [#1213](https://github.com/fluxcd/source-controller/pull/1213)
+  [#1224](https://github.com/fluxcd/source-controller/pull/1224)
+  [#1230](https://github.com/fluxcd/source-controller/pull/1230)
+  [#1235](https://github.com/fluxcd/source-controller/pull/1235)
+- docs: Add missing pem-encoding reference
+  [#1216](https://github.com/fluxcd/source-controller/pull/1216)
+- build(deps): bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4
+  [#1227](https://github.com/fluxcd/source-controller/pull/1227)
+
+## 1.1.0
+
+**Release date:** 2023-08-23
+
+This minor release comes with API changes, bug fixes and several new features.
+
+All APIs that accept TLS data have been modified to adopt Secrets of type
+`kubernetes.io/tls`. This includes:
+* HelmRepository: The field `.spec.secretRef` has been __deprecated__ in favor
+of a new field [`.spec.certSecretRef`](https://github.com/fluxcd/source-controller/blob/v1.1.0/docs/spec/v1beta2/helmrepositories.md#cert-secret-reference).
+  This field is also supported by OCI HelmRepositories.
+* OCIRepository: Support for the`caFile`, `keyFile` and `certFile` keys in the
+  Secret specified in [`.spec.certSecretRef`](https://github.com/fluxcd/source-controller/blob/v1.1.0/docs/spec/v1beta2/ocirepositories.md#cert-secret-reference)
+  have been __deprecated__ in favor of `ca.crt`, `tls.key` and `tls.crt`.
+  Also, the Secret now must be of type `Opaque` or `kubernete.io/tls`.
+* GitRepository: CA certificate can now be provided in the Secret sepcified in
+  `.spec.secretRef` using the `ca.crt` key, which takes precedence over the
+  existing `caFile` key.
+
+Furthermore, GitRepository has a couple of new features:
+* Proxy support: A new field [`.spec.proxySecretRef`](https://github.com/fluxcd/source-controller/blob/v1.1.0/docs/spec/v1/gitrepositories.md#proxy-secret-reference)
+  has been introduced which can be used to specify the proxy configuration to
+  use for all remote Git operations related to the particular object.
+* Tag verification: The field [`.spec.verification.mode`](https://github.com/fluxcd/source-controller/blob/v1.1.0/docs/spec/v1/gitrepositories.md#verification)
+  now supports the following values:
+    * HEAD: Verify the HEAD of the Git repository.
+    * Tag: Verify the tag specified in `.spec.ref`
+    * TagAndHead: Verify the tag specified in `.spec.ref` and the commit it
+      points to.
+
+Starting with this version, the controller now stops exporting an object's
+metrics as soon as the object has been deleted.
+
+In addition, the controller now consumes significantly less CPU and memory when
+reconciling Helm repository indexes.
+
+Lastly, a new flag `--interval-jitter-percentage` has been introduced which can
+be used to specify a jitter to the reconciliation interval in order to
+distribute the load more evenly when multiple objects are set up with the same
+interval.
+
+Improvements:
+- gitrepo: Add support for specifying proxy per `GitRepository`
+  [#1109](https://github.com/fluxcd/source-controller/pull/1109)
+- helmrepo: add `.spec.certSecretRef` for specifying TLS auth data
+  [#1160](https://github.com/fluxcd/source-controller/pull/1160)
+- Update docs on Azure identity
+  [#1167](https://github.com/fluxcd/source-controller/pull/1167)
+- gitrepo: document limitation of `spec.ref.name` with Azure Devops
+  [#1175](https://github.com/fluxcd/source-controller/pull/1175)
+- ocirepo: add cosign support for insecure HTTP registries
+  [#1176](https://github.com/fluxcd/source-controller/pull/1176)
+- Handle delete before adding finalizer
+  [#1177](https://github.com/fluxcd/source-controller/pull/1177)
+- Store Helm indexes in JSON format
+  [#1178](https://github.com/fluxcd/source-controller/pull/1178)
+- Unpin go-git and update to v5.8.1
+  [#1179](https://github.com/fluxcd/source-controller/pull/1179)
+- controller: jitter requeue interval
+  [#1184](https://github.com/fluxcd/source-controller/pull/1184)
+- cache: ensure new expiration is persisted
+  [#1185](https://github.com/fluxcd/source-controller/pull/1185)
+- gitrepo: add support for Git tag verification
+  [#1187](https://github.com/fluxcd/source-controller/pull/1187)
+- Update dependencies
+  [#1191](https://github.com/fluxcd/source-controller/pull/1191)
+- Adopt Kubernetes style TLS Secrets
+  [#1194](https://github.com/fluxcd/source-controller/pull/1194)
+- Update dependencies
+  [#1196](https://github.com/fluxcd/source-controller/pull/1196)
+- Helm OCI: Add support for TLS registries with self-signed certs
+  [#1197](https://github.com/fluxcd/source-controller/pull/1197)
+- Update dependencies
+  [#1202](https://github.com/fluxcd/source-controller/pull/1202)
+- Preserve url encoded path in normalized helm repository URL
+  [#1203](https://github.com/fluxcd/source-controller/pull/1203)
+- Fix link ref in API docs
+  [#1204](https://github.com/fluxcd/source-controller/pull/1204)
+
+Fixes:
+- Fix the helm cache arguments
+  [#1170](https://github.com/fluxcd/source-controller/pull/1170)
+- Delete stale metrics on object delete
+  [#1183](https://github.com/fluxcd/source-controller/pull/1183)
+- Disable system-wide git config in tests
+  [#1192](https://github.com/fluxcd/source-controller/pull/1192)
+- Fix links in API docs
+  [#1200](https://github.com/fluxcd/source-controller/pull/1200)
+
+## 1.0.1
+
+**Release date:** 2023-07-10
+
+This is a patch release that fixes the AWS authentication for cross-region ECR repositories.
+
+Fixes:
+- Update `fluxcd/pkg/oci` to fix ECR cross-region auth
+  [#1158](https://github.com/fluxcd/source-controller/pull/1158)
+
+## 1.0.0
+
+**Release date:** 2023-07-03
+
+This is the first stable release of the controller. From now on, this controller
+follows the [Flux 2 release cadence and support pledge](https://fluxcd.io/flux/releases/).
+
+Starting with this version, the build, release and provenance portions of the
+Flux project supply chain [provisionally meet SLSA Build Level 3](https://fluxcd.io/flux/security/slsa-assessment/).
+
+This release includes several minor changes that primarily focus on addressing
+forgotten and obsolete bits in the logic related to GitRepository objects.
+
+Including a removal of the `OptimizedGitClones` feature flag. If your
+Deployment is configured to disable this flag, you should remove it.
+
+In addition, dependencies have been updated to their latest version, including
+an update of Kubernetes to v1.27.3.
+
+For a comprehensive list of changes since `v0.36.x`, please refer to the
+changelog for [v1.0.0-rc.1](#100-rc1), [v1.0.0-rc.3](#100-rc3) and
+[`v1.0.0-rc.4`](#100-rc4).
+
+Improvements:
+- gitrepo: remove `OptimizedGitClones` as a feature gate
+  [#1124](https://github.com/fluxcd/source-controller/pull/1124)
+  [#1126](https://github.com/fluxcd/source-controller/pull/1126)
+- Update dependencies
+  [#1127](https://github.com/fluxcd/source-controller/pull/1127)
+  [#1147](https://github.com/fluxcd/source-controller/pull/1147)
+- Update Cosign to v2.1.0
+  [#1132](https://github.com/fluxcd/source-controller/pull/1132)
+- Align `go.mod` version with Kubernetes (Go 1.20)
+  [#1134](https://github.com/fluxcd/source-controller/pull/1134)
+- Add the verification key to the GitRepository verified status condition
+- [#1136](https://github.com/fluxcd/source-controller/pull/1136)
+- gitrepo: remove obsolete proxy docs
+  [#1144](https://github.com/fluxcd/source-controller/pull/1144)
+
+## 1.0.0-rc.5
+
+**Release date:** 2023-06-01
+
+This release candidate fixes a regression introduced in `1.0.0.-rc.4` where
+support for Git servers that exclusively use v2 of the wire protocol like Azure
+Devops and AWS CodeCommit was broken.
+
+Lastly, the controller's dependencies were updated to mitigate CVE-2023-33199.
+
+Improvements:
+- build(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0
+  [#1107](https://github.com/fluxcd/source-controller/pull/1107)
+
+Fixes:
+-  Bump `fluxcd/pkg/git/gogit` to v0.12.0
+  [#1111](https://github.com/fluxcd/source-controller/pull/1111)
+
+## 1.0.0-rc.4
+
+**Release date:** 2023-05-26
+
+This release candidate comes with support for Kubernetes v1.27 and Cosign v2.
+It also enables the use of annotated Git tags with `.spec.ref.name` in
+`GitRepository`. Furthermore, it fixes a bug related to accessing Helm OCI
+charts on ACR using OIDC auth.
+
+Improvements:
+- build(deps): bump helm/kind-action from 1.5.0 to 1.7.0
+  [#1100](https://github.com/fluxcd/source-controller/pull/1100)
+- build(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.5
+  [#1101](https://github.com/fluxcd/source-controller/pull/1101)
+- build(deps): bump actions/setup-go from 4.0.0 to 4.0.1
+  [#1102](https://github.com/fluxcd/source-controller/pull/1102)
+- Update cosign to v2
+  [#1096](https://github.com/fluxcd/source-controller/pull/1096)
+- build(deps): bump github.com/sigstore/rekor from 0.12.1-0.20220915152154-4bb6f441c1b2 to 1.1.1
+  [#1083](https://github.com/fluxcd/source-controller/pull/1083)
+- Update controller-runtime and Kubernetes dependencies
+  [#1104](https://github.com/fluxcd/source-controller/pull/1104)
+- Update dependencies; switch to `go-git/go-git` and `pkg/tar`
+  [#1105](https://github.com/fluxcd/source-controller/pull/1105)
+
+## 1.0.0-rc.3
+
+**Release date:** 2023-05-12
+
+This release candidate introduces the verification of the Artifact digest in
+storage during reconciliation. This ensures that the Artifact is not tampered
+with after it was written to storage. When the digest does not match, the
+controller will emit a warning event and remove the file from storage, forcing
+the Artifact to be re-downloaded.
+
+In addition, files with executable permissions are now archived with their mode
+set to `0o744` instead of `0o644`. Allowing the extracted file to be executable
+by the user.
+
+Lastly, the controller's dependencies were updated to mitigate CVE-2023-1732
+and CVE-2023-2253, and the controller base image was updated to Alpine 3.18.
+
+Improvements:
+- Verify digest of Artifact in Storage
+  [#1088](https://github.com/fluxcd/source-controller/pull/1088)
+- build(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3
+  [#1092](https://github.com/fluxcd/source-controller/pull/1092)
+- build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible
+  [#1093](https://github.com/fluxcd/source-controller/pull/1093)
+- storage: set `0o744` for files with exec mode set
+  [#1094](https://github.com/fluxcd/source-controller/pull/1094)
+
 ## 1.0.0-rc.2
 
 **Release date:** 2023-05-09

DEVELOPMENT.md

@@ -15,7 +15,7 @@ There are a number of dependencies required to be able to run the controller and
 
 In addition to the above, the following dependencies are also used by some of the `make` targets:
 
-- `controller-gen` (v0.7.0)
+- `controller-gen` (v0.12.0)
 - `gen-crd-api-reference-docs` (v0.3.0)
 - `setup-envtest` (latest)
 
@@ -24,7 +24,7 @@ If any of the above dependencies are not present on your system, the first invoc
 ## How to run the test suite
 
 Prerequisites:
-* Go >= 1.18
+* Go >= 1.24
 
 You can run the test suite by simply doing
 
@@ -58,7 +58,7 @@ make run
 
 ### Building the container image
 
-Set the name of the container image to be created from the source code. This will be used 
+Set the name of the container image to be created from the source code. This will be used
 when building, pushing and referring to the image on YAML files:
 
 ```sh
@@ -79,7 +79,7 @@ make docker-push
 ```
 
 Alternatively, the three steps above can be done in a single line:
-  
+
 ```sh
 IMG=registry-path/source-controller TAG=latest BUILD_ARGS=--push \
     make docker-build
@@ -128,7 +128,8 @@ Create a `.vscode/launch.json` file:
             "type": "go",
             "request": "launch",
             "mode": "auto",
-            "program": "${workspaceFolder}/main.go"
+            "program": "${workspaceFolder}/main.go",
+            "args": ["--storage-adv-addr=:0", "--storage-path=${workspaceFolder}/bin/data"]
         }
     ]
 }

Dockerfile

@@ -1,30 +1,16 @@
-ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.20
-ARG XX_VERSION=1.2.1
+ARG GO_VERSION=1.24
+ARG XX_VERSION=1.6.1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} as gostable
-
-FROM gostable AS go-linux
-
-# Build-base consists of build platform dependencies and xx.
-# These will be used at current arch to yield execute the cross compilations.
-FROM go-${TARGETOS} AS build-base
-
-RUN apk add --no-cache clang lld
+# Docker buildkit multi-arch build requires golang alpine
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
 
+# Copy the build utilities.
 COPY --from=xx / /
 
-# build-go-mod can still be cached at build platform architecture.
-FROM build-base as build
-
 ARG TARGETPLATFORM
 
-# Some dependencies have to installed 
-# for the target platform: https://github.com/tonistiigi/xx#go--cgo
-RUN xx-apk add musl-dev gcc clang lld
-
 # Configure workspace
 WORKDIR /workspace
 
@@ -46,28 +32,17 @@ COPY internal/ internal/
 ARG TARGETPLATFORM
 ARG TARGETARCH
 
-# Reasons why CGO is in use:
-# - The SHA1 implementation (sha1cd) used by go-git depends on CGO for
-#   performance reasons. See: https://github.com/pjbgf/sha1cd/issues/15
-ENV CGO_ENABLED=1
+# build without specifing the arch
+ENV CGO_ENABLED=0
+RUN xx-go build -trimpath -a -o source-controller main.go
 
-RUN export CGO_LDFLAGS="-static -fuse-ld=lld" && \
-  xx-go build \
-  -ldflags "-s -w" \
-  -tags 'netgo,osusergo,static_build' \
-  -o /source-controller -trimpath main.go;
-
-# Ensure that the binary was cross-compiled correctly to the target platform.
-RUN xx-verify --static /source-controller
-
-FROM alpine:3.17
+FROM alpine:3.21
 
 ARG TARGETPLATFORM
 RUN apk --no-cache add ca-certificates \
   && update-ca-certificates
 
-# Copy over binary from build
-COPY --from=build /source-controller /usr/local/bin/
+COPY --from=builder /workspace/source-controller /usr/local/bin/
 
 USER 65534:65534
 ENTRYPOINT [ "source-controller" ]

MAINTAINERS

@@ -6,3 +6,5 @@ In additional to those listed below, this project shares maintainers
 from the main Flux v2 git repository, as listed in
 
     https://github.com/fluxcd/flux2/blob/main/MAINTAINERS
+
+Dipti Pai, Microsoft <diptipai@microsoft.com> (github: @dipti-pai, slack: Dipti Pai)

Makefile

@@ -38,7 +38,7 @@ FUZZ_TIME ?= 1m
 GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build$(addprefix ,,$(GO_TAGS))'
 
 # API (doc) generation utilities
-CONTROLLER_GEN_VERSION ?= v0.11.1
+CONTROLLER_GEN_VERSION ?= v0.16.1
 GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113
 
 # If gobin not set, create one on ./build and add to path.
@@ -61,22 +61,24 @@ ifeq ($(shell uname -s),Darwin)
 ENVTEST_ARCH=amd64
 endif
 
-all: build
+all: manager
 
-build: check-deps ## Build manager binary
+# Build manager binary
+manager: generate fmt vet
 	go build $(GO_STATIC_FLAGS) -o $(BUILD_DIR)/bin/manager main.go
 
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
-test: install-envtest test-api check-deps ## Run all tests
+test: install-envtest test-api ## Run all tests
 	HTTPS_PROXY="" HTTP_PROXY="" \
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
 	GIT_CONFIG_GLOBAL=/dev/null \
+	GIT_CONFIG_NOSYSTEM=true \
 	go test $(GO_STATIC_FLAGS) \
 	  ./... \
 	  $(GO_TEST_ARGS) \
 	  -coverprofile cover.out
 
-test-ctrl: install-envtest test-api check-deps ## Run controller tests
+test-ctrl: install-envtest test-api ## Run controller tests
 	HTTPS_PROXY="" HTTP_PROXY="" \
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
 	GIT_CONFIG_GLOBAL=/dev/null \
@@ -85,11 +87,6 @@ test-ctrl: install-envtest test-api check-deps ## Run controller tests
 	  -v ./internal/controller \
 	  -coverprofile cover.out
 
-check-deps:
-ifeq ($(shell uname -s),Darwin)
-	if ! command -v pkg-config &> /dev/null; then echo "pkg-config is required"; exit 1; fi
-endif
-
 test-api: ## Run api tests
 	cd api; go test $(GO_TEST_ARGS) ./... -coverprofile cover.out
 
@@ -118,12 +115,11 @@ manifests: controller-gen  ## Generate manifests, e.g. CRD, RBAC, etc.
 	cd api; $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./..." output:crd:artifacts:config="../config/crd/bases"
 
 api-docs: gen-crd-api-reference-docs  ## Generate API reference documentation
-	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1beta2/source.md
 	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1/source.md
 
 tidy:  ## Run go mod tidy
-	cd api; rm -f go.sum; go mod tidy -compat=1.20
-	rm -f go.sum; go mod tidy -compat=1.20
+	cd api; rm -f go.sum; go mod tidy -compat=1.24
+	rm -f go.sum; go mod tidy -compat=1.24
 
 fmt:  ## Run go fmt against code
 	go fmt ./...
@@ -192,7 +188,7 @@ TMP_DIR=$$(mktemp -d) ;\
 cd $$TMP_DIR ;\
 go mod init tmp ;\
 echo "Downloading $(2)" ;\
-env -i bash -c "GOBIN=$(GOBIN) PATH=$(PATH) GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
+env -i bash -c "GOBIN=$(GOBIN) PATH=\"$(PATH)\" GOPATH=$(shell go env GOPATH) GOCACHE=$(shell go env GOCACHE) go install $(2)" ;\
 rm -rf $$TMP_DIR ;\
 }
 endef

PROJECT

@@ -7,9 +7,15 @@ resources:
 - group: source
   kind: GitRepository
   version: v1beta2
+- group: source
+  kind: HelmRepository
+  version: v1
 - group: source
   kind: HelmRepository
   version: v1beta2
+- group: source
+  kind: HelmChart
+  version: v1
 - group: source
   kind: HelmChart
   version: v1beta2
@@ -31,4 +37,10 @@ resources:
 - group: source
   kind: OCIRepository
   version: v1beta2
+- group: source
+  kind: Bucket
+  version: v1
+- group: source
+  kind: OCIRepository
+  version: v1
 version: "2"

README.md

@@ -16,18 +16,18 @@ and is a core component of the [GitOps toolkit](https://fluxcd.io/flux/component
 
 ## APIs
 
-| Kind                                                    | API Version                        |
-|---------------------------------------------------------|------------------------------------|
-| [GitRepository](docs/spec/v1/gitrepositories.md)        | `source.toolkit.fluxcd.io/v1`      |
-| [OCIRepository](docs/spec/v1beta2/ocirepositories.md)   | `source.toolkit.fluxcd.io/v1beta2` |
-| [HelmRepository](docs/spec/v1beta2/helmrepositories.md) | `source.toolkit.fluxcd.io/v1beta2` |
-| [HelmChart](docs/spec/v1beta2/helmcharts.md)            | `source.toolkit.fluxcd.io/v1beta2` |
-| [Bucket](docs/spec/v1beta2/buckets.md)                  | `source.toolkit.fluxcd.io/v1beta2` |
+| Kind                                               | API Version                   |
+|----------------------------------------------------|-------------------------------|
+| [GitRepository](docs/spec/v1/gitrepositories.md)   | `source.toolkit.fluxcd.io/v1` |
+| [OCIRepository](docs/spec/v1/ocirepositories.md)   | `source.toolkit.fluxcd.io/v1` |
+| [HelmRepository](docs/spec/v1/helmrepositories.md) | `source.toolkit.fluxcd.io/v1` |
+| [HelmChart](docs/spec/v1/helmcharts.md)            | `source.toolkit.fluxcd.io/v1` |
+| [Bucket](docs/spec/v1/buckets.md)                  | `source.toolkit.fluxcd.io/v1` |
 
 ## Features
 
 * authenticates to sources (SSH, user/password, API token, Workload Identity)
-* validates source authenticity (PGP, Cosign)
+* validates source authenticity (PGP, Cosign, Notation)
 * detects source changes based on update policies (semver)
 * fetches resources on-demand and on-a-schedule
 * packages the fetched resources into a well-known format (tar.gz, yaml)

api/go.mod

@@ -1,30 +1,35 @@
 module github.com/fluxcd/source-controller/api
 
-go 1.18
+go 1.24.0
 
 require (
-	github.com/fluxcd/pkg/apis/acl v0.1.0
-	github.com/fluxcd/pkg/apis/meta v1.0.0
-	k8s.io/apimachinery v0.26.3
-	sigs.k8s.io/controller-runtime v0.14.6
+	github.com/fluxcd/pkg/apis/acl v0.7.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	k8s.io/apimachinery v0.33.0
+	sigs.k8s.io/controller-runtime v0.21.0
 )
 
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
 require (
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

api/go.sum

@@ -1,38 +1,59 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
-github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8=
-github.com/fluxcd/pkg/apis/meta v1.0.0 h1:i9IGHd/VNEZELX7mepkiYFbJxs2J5znaB4cN9z2nPm8=
-github.com/fluxcd/pkg/apis/meta v1.0.0/go.mod h1:04ZdpZYm1x+aL93K4daNHW1UX6E8K7Gyf5za9OhrE+U=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5ooOE0=
+github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/onsi/ginkgo/v2 v2.6.0 h1:9t9b9vRUbFq3C4qKFCGkVuq/fIHji802N1nrtkh1mNc=
-github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -44,46 +65,53 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ=
-k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k=
-k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
-k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
-k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y=
-k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA=
-sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
+k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
+k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
+k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

api/v1/bucket_types.go

@@ -0,0 +1,271 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// BucketKind is the string representation of a Bucket.
+	BucketKind = "Bucket"
+)
+
+const (
+	// BucketProviderGeneric for any S3 API compatible storage Bucket.
+	BucketProviderGeneric string = "generic"
+	// BucketProviderAmazon for an AWS S3 object storage Bucket.
+	// Provides support for retrieving credentials from the AWS EC2 service.
+	BucketProviderAmazon string = "aws"
+	// BucketProviderGoogle for a Google Cloud Storage Bucket.
+	// Provides support for authentication using a workload identity.
+	BucketProviderGoogle string = "gcp"
+	// BucketProviderAzure for an Azure Blob Storage Bucket.
+	// Provides support for authentication using a Service Principal,
+	// Managed Identity or Shared Key.
+	BucketProviderAzure string = "azure"
+)
+
+// BucketSpec specifies the required configuration to produce an Artifact for
+// an object storage bucket.
+// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)", message="STS configuration is only supported for the 'aws' and 'generic' Bucket providers"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
+type BucketSpec struct {
+	// Provider of the object storage bucket.
+	// Defaults to 'generic', which expects an S3 (API) compatible object
+	// storage.
+	// +kubebuilder:validation:Enum=generic;aws;gcp;azure
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// BucketName is the name of the object storage bucket.
+	// +required
+	BucketName string `json:"bucketName"`
+
+	// Endpoint is the object storage address the BucketName is located at.
+	// +required
+	Endpoint string `json:"endpoint"`
+
+	// STS specifies the required configuration to use a Security Token
+	// Service for fetching temporary credentials to authenticate in a
+	// Bucket provider.
+	//
+	// This field is only supported for the `aws` and `generic` providers.
+	// +optional
+	STS *BucketSTSSpec `json:"sts,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP Endpoint.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// Region of the Endpoint where the BucketName is located in.
+	// +optional
+	Region string `json:"region,omitempty"`
+
+	// Prefix to use for server-side filtering of files in the Bucket.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the Bucket.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// bucket. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `generic` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Bucket server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// Timeout for fetch operations, defaults to 60s.
+	// +kubebuilder:default="60s"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Ignore overrides the set of excluded patterns in the .sourceignore format
+	// (which is the same as .gitignore). If not provided, a default will be used,
+	// consult the documentation for your version to find out what those are.
+	// +optional
+	Ignore *string `json:"ignore,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// Bucket.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+}
+
+// BucketSTSSpec specifies the required configuration to use a Security Token
+// Service for fetching temporary credentials to authenticate in a Bucket
+// provider.
+type BucketSTSSpec struct {
+	// Provider of the Security Token Service.
+	// +kubebuilder:validation:Enum=aws;ldap
+	// +required
+	Provider string `json:"provider"`
+
+	// Endpoint is the HTTP/S endpoint of the Security Token Service from
+	// where temporary credentials will be fetched.
+	// +required
+	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
+	Endpoint string `json:"endpoint"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the STS endpoint. This Secret must contain the fields `username`
+	// and `password` and is supported only for the `ldap` provider.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// STS endpoint. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `ldap` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+}
+
+// BucketStatus records the observed state of a Bucket.
+type BucketStatus struct {
+	// ObservedGeneration is the last observed generation of the Bucket object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the Bucket.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// BucketStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the last successful Bucket reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	// ObservedIgnore is the observed exclusion patterns used for constructing
+	// the source artifact.
+	// +optional
+	ObservedIgnore *string `json:"observedIgnore,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// BucketOperationSucceededReason signals that the Bucket listing and fetch
+	// operations succeeded.
+	BucketOperationSucceededReason string = "BucketOperationSucceeded"
+
+	// BucketOperationFailedReason signals that the Bucket listing or fetch
+	// operations failed.
+	BucketOperationFailedReason string = "BucketOperationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in *Bucket) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Bucket) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be reconciled again.
+func (in *Bucket) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest artifact from the source if present in the status sub-resource.
+func (in *Bucket) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// Bucket is the Schema for the buckets API.
+type Bucket struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec BucketSpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status BucketStatus `json:"status,omitempty"`
+}
+
+// BucketList contains a list of Bucket objects.
+// +kubebuilder:object:root=true
+type BucketList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Bucket `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Bucket{}, &BucketList{})
+}

api/v1/condition_types.go

@@ -104,4 +104,15 @@ const (
 
 	// CacheOperationFailedReason signals a failure in cache operation.
 	CacheOperationFailedReason string = "CacheOperationFailed"
+
+	// PatchOperationFailedReason signals a failure in patching a kubernetes API
+	// object.
+	PatchOperationFailedReason string = "PatchOperationFailed"
+
+	// InvalidSTSConfigurationReason signals that the STS configurtion is invalid.
+	InvalidSTSConfigurationReason string = "InvalidSTSConfiguration"
+
+	// InvalidProviderConfigurationReason signals that the provider
+	// configuration is invalid.
+	InvalidProviderConfigurationReason string = "InvalidProviderConfiguration"
 )

api/v1/gitrepository_types.go

@@ -27,6 +27,18 @@ import (
 const (
 	// GitRepositoryKind is the string representation of a GitRepository.
 	GitRepositoryKind = "GitRepository"
+
+	// GitProviderGeneric provides support for authentication using
+	// credentials specified in secretRef.
+	GitProviderGeneric string = "generic"
+
+	// GitProviderAzure provides support for authentication to azure
+	// repositories using Managed Identity.
+	GitProviderAzure string = "azure"
+
+	// GitProviderGitHub provides support for authentication to git
+	// repositories using GitHub App authentication
+	GitProviderGitHub string = "github"
 )
 
 const (
@@ -38,6 +50,31 @@ const (
 	IncludeUnavailableCondition string = "IncludeUnavailable"
 )
 
+// GitVerificationMode specifies the verification mode for a Git repository.
+type GitVerificationMode string
+
+// Valid checks the validity of the Git verification mode.
+func (m GitVerificationMode) Valid() bool {
+	switch m {
+	case ModeGitHEAD, ModeGitTag, ModeGitTagAndHEAD:
+		return true
+	default:
+		return false
+	}
+}
+
+const (
+	// ModeGitHEAD implies that the HEAD of the Git repository (after it has been
+	// checked out to the required commit) should be verified.
+	ModeGitHEAD GitVerificationMode = "HEAD"
+	// ModeGitTag implies that the tag object specified in the checkout configuration
+	// should be verified.
+	ModeGitTag GitVerificationMode = "Tag"
+	// ModeGitTagAndHEAD implies that both the tag object and the commit it points
+	// to should be verified.
+	ModeGitTagAndHEAD GitVerificationMode = "TagAndHEAD"
+)
+
 // GitRepositorySpec specifies the required configuration to produce an
 // Artifact for a Git repository.
 type GitRepositorySpec struct {
@@ -55,7 +92,15 @@ type GitRepositorySpec struct {
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// Interval at which to check the GitRepository for updates.
+	// Provider used for authentication, can be 'azure', 'github', 'generic'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;azure;github
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// Interval at which the GitRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -78,6 +123,11 @@ type GitRepositorySpec struct {
 	// +optional
 	Verification *GitRepositoryVerification `json:"verify,omitempty"`
 
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Git server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
 	// Ignore overrides the set of excluded patterns in the .sourceignore format
 	// (which is the same as .gitignore). If not provided, a default will be used,
 	// consult the documentation for your version to find out what those are.
@@ -98,6 +148,12 @@ type GitRepositorySpec struct {
 	// should be included in the Artifact produced for this GitRepository.
 	// +optional
 	Include []GitRepositoryInclude `json:"include,omitempty"`
+
+	// SparseCheckout specifies a list of directories to checkout when cloning
+	// the repository. If specified, only these directories are included in the
+	// Artifact produced for this GitRepository.
+	// +optional
+	SparseCheckout []string `json:"sparseCheckout,omitempty"`
 }
 
 // GitRepositoryInclude specifies a local reference to a GitRepository which
@@ -165,9 +221,15 @@ type GitRepositoryRef struct {
 // GitRepositoryVerification specifies the Git commit signature verification
 // strategy.
 type GitRepositoryVerification struct {
-	// Mode specifies what Git object should be verified, currently ('head').
-	// +kubebuilder:validation:Enum=head
-	Mode string `json:"mode"`
+	// Mode specifies which Git object(s) should be verified.
+	//
+	// The variants "head" and "HEAD" both imply the same thing, i.e. verify
+	// the commit that the HEAD of the Git repository points to. The variant
+	// "head" solely exists to ensure backwards compatibility.
+	// +kubebuilder:validation:Enum=head;HEAD;Tag;TagAndHEAD
+	// +optional
+	// +kubebuilder:default:=HEAD
+	Mode GitVerificationMode `json:"mode,omitempty"`
 
 	// SecretRef specifies the Secret containing the public keys of trusted Git
 	// authors.
@@ -210,6 +272,16 @@ type GitRepositoryStatus struct {
 	// +optional
 	ObservedInclude []GitRepositoryInclude `json:"observedInclude,omitempty"`
 
+	// ObservedSparseCheckout is the observed list of directories used to
+	// produce the current Artifact.
+	// +optional
+	ObservedSparseCheckout []string `json:"observedSparseCheckout,omitempty"`
+
+	// SourceVerificationMode is the last used verification mode indicating
+	// which Git object(s) have been verified.
+	// +optional
+	SourceVerificationMode *GitVerificationMode `json:"sourceVerificationMode,omitempty"`
+
 	meta.ReconcileRequestStatus `json:",inline"`
 }
 
@@ -245,8 +317,35 @@ func (in *GitRepository) GetArtifact() *Artifact {
 	return in.Status.Artifact
 }
 
+// GetProvider returns the Git authentication provider.
+func (v *GitRepository) GetProvider() string {
+	if v.Spec.Provider == "" {
+		return GitProviderGeneric
+	}
+	return v.Spec.Provider
+}
+
+// GetMode returns the declared GitVerificationMode, or a ModeGitHEAD default.
+func (v *GitRepositoryVerification) GetMode() GitVerificationMode {
+	if v.Mode.Valid() {
+		return v.Mode
+	}
+	return ModeGitHEAD
+}
+
+// VerifyHEAD returns if the configured mode instructs verification of the
+// Git HEAD.
+func (v *GitRepositoryVerification) VerifyHEAD() bool {
+	return v.GetMode() == ModeGitHEAD || v.GetMode() == ModeGitTagAndHEAD
+}
+
+// VerifyTag returns if the configured mode instructs verification of the
+// Git tag.
+func (v *GitRepositoryVerification) VerifyTag() bool {
+	return v.GetMode() == ModeGitTag || v.GetMode() == ModeGitTagAndHEAD
+}
+
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=gitrepo

api/v1/helmchart_types.go

@@ -0,0 +1,227 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+// HelmChartKind is the string representation of a HelmChart.
+const HelmChartKind = "HelmChart"
+
+// HelmChartSpec specifies the desired state of a Helm chart.
+type HelmChartSpec struct {
+	// Chart is the name or path the Helm chart is available at in the
+	// SourceRef.
+	// +required
+	Chart string `json:"chart"`
+
+	// Version is the chart version semver expression, ignored for charts from
+	// GitRepository and Bucket sources. Defaults to latest when omitted.
+	// +kubebuilder:default:=*
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// SourceRef is the reference to the Source the chart is available at.
+	// +required
+	SourceRef LocalHelmChartSourceReference `json:"sourceRef"`
+
+	// Interval at which the HelmChart SourceRef is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// ReconcileStrategy determines what enables the creation of a new artifact.
+	// Valid values are ('ChartVersion', 'Revision').
+	// See the documentation of the values for an explanation on their behavior.
+	// Defaults to ChartVersion when omitted.
+	// +kubebuilder:validation:Enum=ChartVersion;Revision
+	// +kubebuilder:default:=ChartVersion
+	// +optional
+	ReconcileStrategy string `json:"reconcileStrategy,omitempty"`
+
+	// ValuesFiles is an alternative list of values files to use as the chart
+	// values (values.yaml is not included by default), expected to be a
+	// relative path in the SourceRef.
+	// Values files are merged in the order of this list with the last file
+	// overriding the first. Ignored when omitted.
+	// +optional
+	ValuesFiles []string `json:"valuesFiles,omitempty"`
+
+	// IgnoreMissingValuesFiles controls whether to silently ignore missing values
+	// files rather than failing.
+	// +optional
+	IgnoreMissingValuesFiles bool `json:"ignoreMissingValuesFiles,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// source.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// This field is only supported when using HelmRepository source with spec.type 'oci'.
+	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+	// +optional
+	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+}
+
+const (
+	// ReconcileStrategyChartVersion reconciles when the version of the Helm chart is different.
+	ReconcileStrategyChartVersion string = "ChartVersion"
+
+	// ReconcileStrategyRevision reconciles when the Revision of the source is different.
+	ReconcileStrategyRevision string = "Revision"
+)
+
+// LocalHelmChartSourceReference contains enough information to let you locate
+// the typed referenced object at namespace level.
+type LocalHelmChartSourceReference struct {
+	// APIVersion of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent, valid values are ('HelmRepository', 'GitRepository',
+	// 'Bucket').
+	// +kubebuilder:validation:Enum=HelmRepository;GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+}
+
+// HelmChartStatus records the observed state of the HelmChart.
+type HelmChartStatus struct {
+	// ObservedGeneration is the last observed generation of the HelmChart
+	// object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// ObservedSourceArtifactRevision is the last observed Artifact.Revision
+	// of the HelmChartSpec.SourceRef.
+	// +optional
+	ObservedSourceArtifactRevision string `json:"observedSourceArtifactRevision,omitempty"`
+
+	// ObservedChartName is the last observed chart name as specified by the
+	// resolved chart reference.
+	// +optional
+	ObservedChartName string `json:"observedChartName,omitempty"`
+
+	// ObservedValuesFiles are the observed value files of the last successful
+	// reconciliation.
+	// It matches the chart in the last successfully reconciled artifact.
+	// +optional
+	ObservedValuesFiles []string `json:"observedValuesFiles,omitempty"`
+
+	// Conditions holds the conditions for the HelmChart.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// BucketStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the output of the last successful reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// ChartPullSucceededReason signals that the pull of the Helm chart
+	// succeeded.
+	ChartPullSucceededReason string = "ChartPullSucceeded"
+
+	// ChartPackageSucceededReason signals that the package of the Helm
+	// chart succeeded.
+	ChartPackageSucceededReason string = "ChartPackageSucceeded"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in HelmChart) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *HelmChart) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be
+// reconciled again.
+func (in HelmChart) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest artifact from the source if present in the
+// status sub-resource.
+func (in *HelmChart) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// GetValuesFiles returns a merged list of HelmChartSpec.ValuesFiles.
+func (in *HelmChart) GetValuesFiles() []string {
+	return in.Spec.ValuesFiles
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=hc
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
+// +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
+// +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`
+// +kubebuilder:printcolumn:name="Source Name",type=string,JSONPath=`.spec.sourceRef.name`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// HelmChart is the Schema for the helmcharts API.
+type HelmChart struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HelmChartSpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status HelmChartStatus `json:"status,omitempty"`
+}
+
+// HelmChartList contains a list of HelmChart objects.
+// +kubebuilder:object:root=true
+type HelmChartList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HelmChart `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&HelmChart{}, &HelmChartList{})
+}

api/v1/helmrepository_types.go

@@ -0,0 +1,228 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/acl"
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// HelmRepositoryKind is the string representation of a HelmRepository.
+	HelmRepositoryKind = "HelmRepository"
+	// HelmRepositoryURLIndexKey is the key used for indexing HelmRepository
+	// objects by their HelmRepositorySpec.URL.
+	HelmRepositoryURLIndexKey = ".metadata.helmRepositoryURL"
+	// HelmRepositoryTypeDefault is the default HelmRepository type.
+	// It is used when no type is specified and corresponds to a Helm repository.
+	HelmRepositoryTypeDefault = "default"
+	// HelmRepositoryTypeOCI is the type for an OCI repository.
+	HelmRepositoryTypeOCI = "oci"
+)
+
+// HelmRepositorySpec specifies the required configuration to produce an
+// Artifact for a Helm repository index YAML.
+type HelmRepositorySpec struct {
+	// URL of the Helm repository, a valid URL contains at least a protocol and
+	// host.
+	// +kubebuilder:validation:Pattern="^(http|https|oci)://.*$"
+	// +required
+	URL string `json:"url"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the HelmRepository.
+	// For HTTP/S basic auth the secret must contain 'username' and 'password'
+	// fields.
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// It takes precedence over the values specified in the Secret referred
+	// to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// PassCredentials allows the credentials from the SecretRef to be passed
+	// on to a host that does not match the host as defined in URL.
+	// This may be required if the host of the advertised chart URLs in the
+	// index differ from the defined URL.
+	// Enabling this should be done with caution, as it can potentially result
+	// in credentials getting stolen in a MITM-attack.
+	// +optional
+	PassCredentials bool `json:"passCredentials,omitempty"`
+
+	// Interval at which the HelmRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	Interval metav1.Duration `json:"interval,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// This field is only taken into account if the .spec.type field is set to 'oci'.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// Timeout is used for the index fetch operation for an HTTPS helm repository,
+	// and for remote OCI Repository operations like pulling for an OCI helm
+	// chart by the associated HelmChart.
+	// Its default value is 60s.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Suspend tells the controller to suspend the reconciliation of this
+	// HelmRepository.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// AccessFrom specifies an Access Control List for allowing cross-namespace
+	// references to this object.
+	// NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
+	// +optional
+	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
+
+	// Type of the HelmRepository.
+	// When this field is set to  "oci", the URL field value must be prefixed with "oci://".
+	// +kubebuilder:validation:Enum=default;oci
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+	// This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;aws;azure;gcp
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+}
+
+// HelmRepositoryStatus records the observed state of the HelmRepository.
+type HelmRepositoryStatus struct {
+	// ObservedGeneration is the last observed generation of the HelmRepository
+	// object.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the HelmRepository.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the dynamic fetch link for the latest Artifact.
+	// It is provided on a "best effort" basis, and using the precise
+	// HelmRepositoryStatus.Artifact data is recommended.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the last successful HelmRepository reconciliation.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// IndexationFailedReason signals that the HelmRepository index fetch
+	// failed.
+	IndexationFailedReason string = "IndexationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in HelmRepository) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *HelmRepository) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the source must be
+// reconciled again.
+func (in HelmRepository) GetRequeueAfter() time.Duration {
+	if in.Spec.Interval.Duration != 0 {
+		return in.Spec.Interval.Duration
+	}
+	return time.Minute
+}
+
+// GetTimeout returns the timeout duration used for various operations related
+// to this HelmRepository.
+func (in HelmRepository) GetTimeout() time.Duration {
+	if in.Spec.Timeout != nil {
+		return in.Spec.Timeout.Duration
+	}
+	return time.Minute
+}
+
+// GetArtifact returns the latest artifact from the source if present in the
+// status sub-resource.
+func (in *HelmRepository) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=helmrepo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// HelmRepository is the Schema for the helmrepositories API.
+type HelmRepository struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HelmRepositorySpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status HelmRepositoryStatus `json:"status,omitempty"`
+}
+
+// HelmRepositoryList contains a list of HelmRepository objects.
+// +kubebuilder:object:root=true
+type HelmRepositoryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []HelmRepository `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&HelmRepository{}, &HelmRepositoryList{})
+}

api/v1/ocirepository_types.go

@@ -0,0 +1,296 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	// OCIRepositoryKind is the string representation of an OCIRepository.
+	OCIRepositoryKind = "OCIRepository"
+
+	// OCIRepositoryPrefix is the prefix used for OCIRepository URLs.
+	OCIRepositoryPrefix = "oci://"
+
+	// GenericOCIProvider provides support for authentication using static credentials
+	// for any OCI compatible API such as Docker Registry, GitHub Container Registry,
+	// Docker Hub, Quay, etc.
+	GenericOCIProvider string = "generic"
+
+	// AmazonOCIProvider provides support for OCI authentication using AWS IRSA.
+	AmazonOCIProvider string = "aws"
+
+	// GoogleOCIProvider provides support for OCI authentication using GCP workload identity.
+	GoogleOCIProvider string = "gcp"
+
+	// AzureOCIProvider provides support for OCI authentication using a Azure Service Principal,
+	// Managed Identity or Shared Key.
+	AzureOCIProvider string = "azure"
+
+	// OCILayerExtract defines the operation type for extracting the content from an OCI artifact layer.
+	OCILayerExtract = "extract"
+
+	// OCILayerCopy defines the operation type for copying the content from an OCI artifact layer.
+	OCILayerCopy = "copy"
+)
+
+// OCIRepositorySpec defines the desired state of OCIRepository
+type OCIRepositorySpec struct {
+	// URL is a reference to an OCI artifact repository hosted
+	// on a remote container registry.
+	// +kubebuilder:validation:Pattern="^oci://.*$"
+	// +required
+	URL string `json:"url"`
+
+	// The OCI reference to pull and monitor for changes,
+	// defaults to the latest tag.
+	// +optional
+	Reference *OCIRepositoryRef `json:"ref,omitempty"`
+
+	// LayerSelector specifies which layer should be extracted from the OCI artifact.
+	// When not specified, the first layer found in the artifact is selected.
+	// +optional
+	LayerSelector *OCILayerSelector `json:"layerSelector,omitempty"`
+
+	// The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+	// When not specified, defaults to 'generic'.
+	// +kubebuilder:validation:Enum=generic;aws;azure;gcp
+	// +kubebuilder:default:=generic
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// SecretRef contains the secret name containing the registry login
+	// credentials to resolve image metadata.
+	// The secret must be of type kubernetes.io/dockerconfigjson.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// +optional
+	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+	// the image pull if the service account has attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the container registry.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The timeout for remote OCI Repository operations like pulling, defaults to 60s.
+	// +kubebuilder:default="60s"
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Ignore overrides the set of excluded patterns in the .sourceignore format
+	// (which is the same as .gitignore). If not provided, a default will be used,
+	// consult the documentation for your version to find out what those are.
+	// +optional
+	Ignore *string `json:"ignore,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
+	// This flag tells the controller to suspend the reconciliation of this source.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+}
+
+// OCIRepositoryRef defines the image reference for the OCIRepository's URL
+type OCIRepositoryRef struct {
+	// Digest is the image digest to pull, takes precedence over SemVer.
+	// The value should be in the format 'sha256:<HASH>'.
+	// +optional
+	Digest string `json:"digest,omitempty"`
+
+	// SemVer is the range of tags to pull selecting the latest within
+	// the range, takes precedence over Tag.
+	// +optional
+	SemVer string `json:"semver,omitempty"`
+
+	// SemverFilter is a regex pattern to filter the tags within the SemVer range.
+	// +optional
+	SemverFilter string `json:"semverFilter,omitempty"`
+
+	// Tag is the image tag to pull, defaults to latest.
+	// +optional
+	Tag string `json:"tag,omitempty"`
+}
+
+// OCILayerSelector specifies which layer should be extracted from an OCI Artifact
+type OCILayerSelector struct {
+	// MediaType specifies the OCI media type of the layer
+	// which should be extracted from the OCI Artifact. The
+	// first layer matching this type is selected.
+	// +optional
+	MediaType string `json:"mediaType,omitempty"`
+
+	// Operation specifies how the selected layer should be processed.
+	// By default, the layer compressed content is extracted to storage.
+	// When the operation is set to 'copy', the layer compressed content
+	// is persisted to storage as it is.
+	// +kubebuilder:validation:Enum=extract;copy
+	// +optional
+	Operation string `json:"operation,omitempty"`
+}
+
+// OCIRepositoryStatus defines the observed state of OCIRepository
+type OCIRepositoryStatus struct {
+	// ObservedGeneration is the last observed generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// Conditions holds the conditions for the OCIRepository.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// URL is the download link for the artifact output of the last OCI Repository sync.
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// Artifact represents the output of the last successful OCI Repository sync.
+	// +optional
+	Artifact *Artifact `json:"artifact,omitempty"`
+
+	// ObservedIgnore is the observed exclusion patterns used for constructing
+	// the source artifact.
+	// +optional
+	ObservedIgnore *string `json:"observedIgnore,omitempty"`
+
+	// ObservedLayerSelector is the observed layer selector used for constructing
+	// the source artifact.
+	// +optional
+	ObservedLayerSelector *OCILayerSelector `json:"observedLayerSelector,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+}
+
+const (
+	// OCIPullFailedReason signals that a pull operation failed.
+	OCIPullFailedReason string = "OCIArtifactPullFailed"
+
+	// OCILayerOperationFailedReason signals that an OCI layer operation failed.
+	OCILayerOperationFailedReason string = "OCIArtifactLayerOperationFailed"
+)
+
+// GetConditions returns the status conditions of the object.
+func (in OCIRepository) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *OCIRepository) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetRequeueAfter returns the duration after which the OCIRepository must be
+// reconciled again.
+func (in OCIRepository) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetArtifact returns the latest Artifact from the OCIRepository if present in
+// the status sub-resource.
+func (in *OCIRepository) GetArtifact() *Artifact {
+	return in.Status.Artifact
+}
+
+// GetLayerMediaType returns the media type layer selector if found in spec.
+func (in *OCIRepository) GetLayerMediaType() string {
+	if in.Spec.LayerSelector == nil {
+		return ""
+	}
+
+	return in.Spec.LayerSelector.MediaType
+}
+
+// GetLayerOperation returns the layer selector operation (defaults to extract).
+func (in *OCIRepository) GetLayerOperation() string {
+	if in.Spec.LayerSelector == nil || in.Spec.LayerSelector.Operation == "" {
+		return OCILayerExtract
+	}
+
+	return in.Spec.LayerSelector.Operation
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ocirepo
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+
+// OCIRepository is the Schema for the ocirepositories API
+type OCIRepository struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec OCIRepositorySpec `json:"spec,omitempty"`
+	// +kubebuilder:default={"observedGeneration":-1}
+	Status OCIRepositoryStatus `json:"status,omitempty"`
+}
+
+// OCIRepositoryList contains a list of OCIRepository
+// +kubebuilder:object:root=true
+type OCIRepositoryList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OCIRepository `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OCIRepository{}, &OCIRepositoryList{})
+}

api/v1/ociverification_types.go

@@ -0,0 +1,56 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+// OCIRepositoryVerification verifies the authenticity of an OCI Artifact
+type OCIRepositoryVerification struct {
+	// Provider specifies the technology used to sign the OCI Artifact.
+	// +kubebuilder:validation:Enum=cosign;notation
+	// +kubebuilder:default:=cosign
+	Provider string `json:"provider"`
+
+	// SecretRef specifies the Kubernetes Secret containing the
+	// trusted public keys.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// MatchOIDCIdentity specifies the identity matching criteria to use
+	// while verifying an OCI artifact which was signed using Cosign keyless
+	// signing. The artifact's identity is deemed to be verified if any of the
+	// specified matchers match against the identity.
+	// +optional
+	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
+}
+
+// OIDCIdentityMatch specifies options for verifying the certificate identity,
+// i.e. the issuer and the subject of the certificate.
+type OIDCIdentityMatch struct {
+	// Issuer specifies the regex pattern to match against to verify
+	// the OIDC issuer in the Fulcio certificate. The pattern must be a
+	// valid Go regular expression.
+	// +required
+	Issuer string `json:"issuer"`
+	// Subject specifies the regex pattern to match against to verify
+	// the identity subject in the Fulcio certificate. The pattern must
+	// be a valid Go regular expression.
+	// +required
+	Subject string `json:"subject"`
+}

api/v1/sts_types.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+const (
+	// STSProviderAmazon represents the AWS provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an AWS STS endpoint.
+	STSProviderAmazon string = "aws"
+	// STSProviderLDAP represents the LDAP provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an LDAP endpoint.
+	STSProviderLDAP string = "ldap"
+)

api/v1/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2023 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -22,6 +21,7 @@ limitations under the License.
 package v1
 
 import (
+	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -55,6 +55,169 @@ func (in *Artifact) DeepCopy() *Artifact {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Bucket) DeepCopyInto(out *Bucket) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Bucket.
+func (in *Bucket) DeepCopy() *Bucket {
+	if in == nil {
+		return nil
+	}
+	out := new(Bucket)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Bucket) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketList) DeepCopyInto(out *BucketList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Bucket, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketList.
+func (in *BucketList) DeepCopy() *BucketList {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *BucketList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSTSSpec) DeepCopyInto(out *BucketSTSSpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSTSSpec.
+func (in *BucketSTSSpec) DeepCopy() *BucketSTSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSTSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+	*out = *in
+	if in.STS != nil {
+		in, out := &in.STS, &out.STS
+		*out = new(BucketSTSSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Ignore != nil {
+		in, out := &in.Ignore, &out.Ignore
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSpec.
+func (in *BucketSpec) DeepCopy() *BucketSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketStatus) DeepCopyInto(out *BucketStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ObservedIgnore != nil {
+		in, out := &in.ObservedIgnore, &out.ObservedIgnore
+		*out = new(string)
+		**out = **in
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketStatus.
+func (in *BucketStatus) DeepCopy() *BucketStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitRepository) DeepCopyInto(out *GitRepository) {
 	*out = *in
@@ -169,6 +332,11 @@ func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
 		*out = new(GitRepositoryVerification)
 		**out = **in
 	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	if in.Ignore != nil {
 		in, out := &in.Ignore, &out.Ignore
 		*out = new(string)
@@ -179,6 +347,11 @@ func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
 		*out = make([]GitRepositoryInclude, len(*in))
 		copy(*out, *in)
 	}
+	if in.SparseCheckout != nil {
+		in, out := &in.SparseCheckout, &out.SparseCheckout
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositorySpec.
@@ -227,6 +400,16 @@ func (in *GitRepositoryStatus) DeepCopyInto(out *GitRepositoryStatus) {
 		*out = make([]GitRepositoryInclude, len(*in))
 		copy(*out, *in)
 	}
+	if in.ObservedSparseCheckout != nil {
+		in, out := &in.ObservedSparseCheckout, &out.ObservedSparseCheckout
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SourceVerificationMode != nil {
+		in, out := &in.SourceVerificationMode, &out.SourceVerificationMode
+		*out = new(GitVerificationMode)
+		**out = **in
+	}
 	out.ReconcileRequestStatus = in.ReconcileRequestStatus
 }
 
@@ -255,3 +438,483 @@ func (in *GitRepositoryVerification) DeepCopy() *GitRepositoryVerification {
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChart) DeepCopyInto(out *HelmChart) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChart.
+func (in *HelmChart) DeepCopy() *HelmChart {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChart)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmChart) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartList) DeepCopyInto(out *HelmChartList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HelmChart, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartList.
+func (in *HelmChartList) DeepCopy() *HelmChartList {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmChartList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartSpec) DeepCopyInto(out *HelmChartSpec) {
+	*out = *in
+	out.SourceRef = in.SourceRef
+	out.Interval = in.Interval
+	if in.ValuesFiles != nil {
+		in, out := &in.ValuesFiles, &out.ValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Verify != nil {
+		in, out := &in.Verify, &out.Verify
+		*out = new(OCIRepositoryVerification)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartSpec.
+func (in *HelmChartSpec) DeepCopy() *HelmChartSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmChartStatus) DeepCopyInto(out *HelmChartStatus) {
+	*out = *in
+	if in.ObservedValuesFiles != nil {
+		in, out := &in.ObservedValuesFiles, &out.ObservedValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmChartStatus.
+func (in *HelmChartStatus) DeepCopy() *HelmChartStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmChartStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepository) DeepCopyInto(out *HelmRepository) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepository.
+func (in *HelmRepository) DeepCopy() *HelmRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmRepository) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositoryList) DeepCopyInto(out *HelmRepositoryList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HelmRepository, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositoryList.
+func (in *HelmRepositoryList) DeepCopy() *HelmRepositoryList {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositoryList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HelmRepositoryList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.AccessFrom != nil {
+		in, out := &in.AccessFrom, &out.AccessFrom
+		*out = new(acl.AccessFrom)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositorySpec.
+func (in *HelmRepositorySpec) DeepCopy() *HelmRepositorySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositorySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HelmRepositoryStatus) DeepCopyInto(out *HelmRepositoryStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HelmRepositoryStatus.
+func (in *HelmRepositoryStatus) DeepCopy() *HelmRepositoryStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HelmRepositoryStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalHelmChartSourceReference) DeepCopyInto(out *LocalHelmChartSourceReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalHelmChartSourceReference.
+func (in *LocalHelmChartSourceReference) DeepCopy() *LocalHelmChartSourceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalHelmChartSourceReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCILayerSelector) DeepCopyInto(out *OCILayerSelector) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCILayerSelector.
+func (in *OCILayerSelector) DeepCopy() *OCILayerSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(OCILayerSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepository) DeepCopyInto(out *OCIRepository) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepository.
+func (in *OCIRepository) DeepCopy() *OCIRepository {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepository)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OCIRepository) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryList) DeepCopyInto(out *OCIRepositoryList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]OCIRepository, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryList.
+func (in *OCIRepositoryList) DeepCopy() *OCIRepositoryList {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *OCIRepositoryList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryRef) DeepCopyInto(out *OCIRepositoryRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryRef.
+func (in *OCIRepositoryRef) DeepCopy() *OCIRepositoryRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
+	*out = *in
+	if in.Reference != nil {
+		in, out := &in.Reference, &out.Reference
+		*out = new(OCIRepositoryRef)
+		**out = **in
+	}
+	if in.LayerSelector != nil {
+		in, out := &in.LayerSelector, &out.LayerSelector
+		*out = new(OCILayerSelector)
+		**out = **in
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.Verify != nil {
+		in, out := &in.Verify, &out.Verify
+		*out = new(OCIRepositoryVerification)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	out.Interval = in.Interval
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Ignore != nil {
+		in, out := &in.Ignore, &out.Ignore
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositorySpec.
+func (in *OCIRepositorySpec) DeepCopy() *OCIRepositorySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositorySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryStatus) DeepCopyInto(out *OCIRepositoryStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Artifact != nil {
+		in, out := &in.Artifact, &out.Artifact
+		*out = new(Artifact)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ObservedIgnore != nil {
+		in, out := &in.ObservedIgnore, &out.ObservedIgnore
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObservedLayerSelector != nil {
+		in, out := &in.ObservedLayerSelector, &out.ObservedLayerSelector
+		*out = new(OCILayerSelector)
+		**out = **in
+	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryStatus.
+func (in *OCIRepositoryStatus) DeepCopy() *OCIRepositoryStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.MatchOIDCIdentity != nil {
+		in, out := &in.MatchOIDCIdentity, &out.MatchOIDCIdentity
+		*out = make([]OIDCIdentityMatch, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryVerification.
+func (in *OCIRepositoryVerification) DeepCopy() *OCIRepositoryVerification {
+	if in == nil {
+		return nil
+	}
+	out := new(OCIRepositoryVerification)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCIdentityMatch) DeepCopyInto(out *OIDCIdentityMatch) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityMatch.
+func (in *OIDCIdentityMatch) DeepCopy() *OIDCIdentityMatch {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCIdentityMatch)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1beta1/bucket_types.go

@@ -193,9 +193,9 @@ func (in *Bucket) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 Bucket is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta1/gitrepository_types.go

@@ -265,7 +265,6 @@ func (in *GitRepository) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=gitrepo
 // +kubebuilder:subresource:status

api/v1beta1/helmchart_types.go

@@ -231,10 +231,10 @@ func (in *HelmChart) GetValuesFiles() []string {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=hc
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 HelmChart is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
 // +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
 // +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`

api/v1beta1/helmrepository_types.go

@@ -181,10 +181,10 @@ func (in *HelmRepository) GetInterval() metav1.Duration {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=helmrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta1 HelmRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta1/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2023 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

api/v1beta2/bucket_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -32,22 +33,48 @@ const (
 )
 
 const (
+	// BucketProviderGeneric for any S3 API compatible storage Bucket.
+	BucketProviderGeneric string = apiv1.BucketProviderGeneric
+	// BucketProviderAmazon for an AWS S3 object storage Bucket.
+	// Provides support for retrieving credentials from the AWS EC2 service.
+	BucketProviderAmazon string = apiv1.BucketProviderAmazon
+	// BucketProviderGoogle for a Google Cloud Storage Bucket.
+	// Provides support for authentication using a workload identity.
+	BucketProviderGoogle string = apiv1.BucketProviderGoogle
+	// BucketProviderAzure for an Azure Blob Storage Bucket.
+	// Provides support for authentication using a Service Principal,
+	// Managed Identity or Shared Key.
+	BucketProviderAzure string = apiv1.BucketProviderAzure
+
 	// GenericBucketProvider for any S3 API compatible storage Bucket.
-	GenericBucketProvider string = "generic"
+	//
+	// Deprecated: use BucketProviderGeneric.
+	GenericBucketProvider string = apiv1.BucketProviderGeneric
 	// AmazonBucketProvider for an AWS S3 object storage Bucket.
 	// Provides support for retrieving credentials from the AWS EC2 service.
-	AmazonBucketProvider string = "aws"
+	//
+	// Deprecated: use BucketProviderAmazon.
+	AmazonBucketProvider string = apiv1.BucketProviderAmazon
 	// GoogleBucketProvider for a Google Cloud Storage Bucket.
 	// Provides support for authentication using a workload identity.
-	GoogleBucketProvider string = "gcp"
+	//
+	// Deprecated: use BucketProviderGoogle.
+	GoogleBucketProvider string = apiv1.BucketProviderGoogle
 	// AzureBucketProvider for an Azure Blob Storage Bucket.
 	// Provides support for authentication using a Service Principal,
 	// Managed Identity or Shared Key.
-	AzureBucketProvider string = "azure"
+	//
+	// Deprecated: use BucketProviderAzure.
+	AzureBucketProvider string = apiv1.BucketProviderAzure
 )
 
 // BucketSpec specifies the required configuration to produce an Artifact for
 // an object storage bucket.
+// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)", message="STS configuration is only supported for the 'aws' and 'generic' Bucket providers"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
 type BucketSpec struct {
 	// Provider of the object storage bucket.
 	// Defaults to 'generic', which expects an S3 (API) compatible object
@@ -65,6 +92,14 @@ type BucketSpec struct {
 	// +required
 	Endpoint string `json:"endpoint"`
 
+	// STS specifies the required configuration to use a Security Token
+	// Service for fetching temporary credentials to authenticate in a
+	// Bucket provider.
+	//
+	// This field is only supported for the `aws` and `generic` providers.
+	// +optional
+	STS *BucketSTSSpec `json:"sts,omitempty"`
+
 	// Insecure allows connecting to a non-TLS HTTP Endpoint.
 	// +optional
 	Insecure bool `json:"insecure,omitempty"`
@@ -73,12 +108,40 @@ type BucketSpec struct {
 	// +optional
 	Region string `json:"region,omitempty"`
 
+	// Prefix to use for server-side filtering of files in the Bucket.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
+
 	// SecretRef specifies the Secret containing authentication credentials
 	// for the Bucket.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// Interval at which to check the Endpoint for updates.
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// bucket. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `generic` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the Bucket server.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -109,6 +172,45 @@ type BucketSpec struct {
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
 }
 
+// BucketSTSSpec specifies the required configuration to use a Security Token
+// Service for fetching temporary credentials to authenticate in a Bucket
+// provider.
+type BucketSTSSpec struct {
+	// Provider of the Security Token Service.
+	// +kubebuilder:validation:Enum=aws;ldap
+	// +required
+	Provider string `json:"provider"`
+
+	// Endpoint is the HTTP/S endpoint of the Security Token Service from
+	// where temporary credentials will be fetched.
+	// +required
+	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
+	Endpoint string `json:"endpoint"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the STS endpoint. This Secret must contain the fields `username`
+	// and `password` and is supported only for the `ldap` provider.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// STS endpoint. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `ldap` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+}
+
 // BucketStatus records the observed state of a Bucket.
 type BucketStatus struct {
 	// ObservedGeneration is the last observed generation of the Bucket object.
@@ -168,10 +270,9 @@ func (in *Bucket) GetArtifact() *apiv1.Artifact {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 Bucket is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Endpoint",type=string,JSONPath=`.spec.endpoint`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""

api/v1beta2/gitrepository_types.go

@@ -287,7 +287,6 @@ func (in *GitRepository) GetArtifact() *apiv1.Artifact {
 }
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=gitrepo
 // +kubebuilder:subresource:status

api/v1beta2/helmchart_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -46,7 +47,9 @@ type HelmChartSpec struct {
 	// +required
 	SourceRef LocalHelmChartSourceReference `json:"sourceRef"`
 
-	// Interval is the interval at which to check the Source for updates.
+	// Interval at which the HelmChart SourceRef is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -77,6 +80,11 @@ type HelmChartSpec struct {
 	// +deprecated
 	ValuesFile string `json:"valuesFile,omitempty"`
 
+	// IgnoreMissingValuesFiles controls whether to silently ignore missing values
+	// files rather than failing.
+	// +optional
+	IgnoreMissingValuesFiles bool `json:"ignoreMissingValuesFiles,omitempty"`
+
 	// Suspend tells the controller to suspend the reconciliation of this
 	// source.
 	// +optional
@@ -94,7 +102,7 @@ type HelmChartSpec struct {
 	// This field is only supported when using HelmRepository source with spec.type 'oci'.
 	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
 	// +optional
-	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+	Verify *apiv1.OCIRepositoryVerification `json:"verify,omitempty"`
 }
 
 const (
@@ -140,6 +148,12 @@ type HelmChartStatus struct {
 	// +optional
 	ObservedChartName string `json:"observedChartName,omitempty"`
 
+	// ObservedValuesFiles are the observed value files of the last successful
+	// reconciliation.
+	// It matches the chart in the last successfully reconciled artifact.
+	// +optional
+	ObservedValuesFiles []string `json:"observedValuesFiles,omitempty"`
+
 	// Conditions holds the conditions for the HelmChart.
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
@@ -201,11 +215,10 @@ func (in *HelmChart) GetValuesFiles() []string {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=hc
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 HelmChart is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="Chart",type=string,JSONPath=`.spec.chart`
 // +kubebuilder:printcolumn:name="Version",type=string,JSONPath=`.spec.version`
 // +kubebuilder:printcolumn:name="Source Kind",type=string,JSONPath=`.spec.sourceRef.kind`

api/v1beta2/helmrepository_types.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -44,6 +45,7 @@ const (
 type HelmRepositorySpec struct {
 	// URL of the Helm repository, a valid URL contains at least a protocol and
 	// host.
+	// +kubebuilder:validation:Pattern="^(http|https|oci)://.*$"
 	// +required
 	URL string `json:"url"`
 
@@ -51,11 +53,29 @@ type HelmRepositorySpec struct {
 	// for the HelmRepository.
 	// For HTTP/S basic auth the secret must contain 'username' and 'password'
 	// fields.
-	// For TLS the secret must contain a 'certFile' and 'keyFile', and/or
-	// 'caFile' fields.
+	// Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+	// keys is deprecated. Please use `.spec.certSecretRef` instead.
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// It takes precedence over the values specified in the Secret referred
+	// to by `.spec.secretRef`.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
+
 	// PassCredentials allows the credentials from the SecretRef to be passed
 	// on to a host that does not match the host as defined in URL.
 	// This may be required if the host of the advertised chart URLs in the
@@ -65,16 +85,23 @@ type HelmRepositorySpec struct {
 	// +optional
 	PassCredentials bool `json:"passCredentials,omitempty"`
 
-	// Interval at which to check the URL for updates.
+	// Interval at which the HelmRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	// +required
-	Interval metav1.Duration `json:"interval"`
+	// +optional
+	Interval metav1.Duration `json:"interval,omitempty"`
+
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// This field is only taken into account if the .spec.type field is set to 'oci'.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
 
 	// Timeout is used for the index fetch operation for an HTTPS helm repository,
-	// and for remote OCI Repository operations like pulling for an OCI helm repository.
+	// and for remote OCI Repository operations like pulling for an OCI helm
+	// chart by the associated HelmChart.
 	// Its default value is 60s.
-	// +kubebuilder:default:="60s"
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
 	// +optional
@@ -149,7 +176,19 @@ func (in *HelmRepository) SetConditions(conditions []metav1.Condition) {
 // GetRequeueAfter returns the duration after which the source must be
 // reconciled again.
 func (in HelmRepository) GetRequeueAfter() time.Duration {
-	return in.Spec.Interval.Duration
+	if in.Spec.Interval.Duration != 0 {
+		return in.Spec.Interval.Duration
+	}
+	return time.Minute
+}
+
+// GetTimeout returns the timeout duration used for various operations related
+// to this HelmRepository.
+func (in HelmRepository) GetTimeout() time.Duration {
+	if in.Spec.Timeout != nil {
+		return in.Spec.Timeout.Duration
+	}
+	return time.Minute
 }
 
 // GetArtifact returns the latest artifact from the source if present in the
@@ -159,11 +198,10 @@ func (in *HelmRepository) GetArtifact() *apiv1.Artifact {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=helmrepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 HelmRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""

api/v1beta2/ocirepository_types.go

@@ -22,6 +22,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/fluxcd/pkg/apis/meta"
+
 	apiv1 "github.com/fluxcd/source-controller/api/v1"
 )
 
@@ -89,7 +90,7 @@ type OCIRepositorySpec struct {
 	// used to verify the signature and specifies which provider to use to check
 	// whether OCI image is authentic.
 	// +optional
-	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+	Verify *apiv1.OCIRepositoryVerification `json:"verify,omitempty"`
 
 	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
 	// the image pull if the service account has attached pull secrets. For more information:
@@ -97,21 +98,32 @@ type OCIRepositorySpec struct {
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
-	// CertSecretRef can be given the name of a secret containing
+	// CertSecretRef can be given the name of a Secret containing
 	// either or both of
 	//
-	//  - a PEM-encoded client certificate (`certFile`) and private
-	//  key (`keyFile`);
-	//  - a PEM-encoded CA certificate (`caFile`)
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
 	//
-	//  and whichever are supplied, will be used for connecting to the
-	//  registry. The client cert and key are useful if you are
-	//  authenticating with a certificate; the CA cert is useful if
-	//  you are using a self-signed server certificate.
+	// and whichever are supplied, will be used for connecting to the
+	// registry. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// Note: Support for the `caFile`, `certFile` and `keyFile` keys have
+	// been deprecated.
 	// +optional
 	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
 
-	// The interval at which to check for image updates.
+	// ProxySecretRef specifies the Secret containing the proxy configuration
+	// to use while communicating with the container registry.
+	// +optional
+	ProxySecretRef *meta.LocalObjectReference `json:"proxySecretRef,omitempty"`
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +required
@@ -151,6 +163,10 @@ type OCIRepositoryRef struct {
 	// +optional
 	SemVer string `json:"semver,omitempty"`
 
+	// SemverFilter is a regex pattern to filter the tags within the SemVer range.
+	// +optional
+	SemverFilter string `json:"semverFilter,omitempty"`
+
 	// Tag is the image tag to pull, defaults to latest.
 	// +optional
 	Tag string `json:"tag,omitempty"`
@@ -173,19 +189,6 @@ type OCILayerSelector struct {
 	Operation string `json:"operation,omitempty"`
 }
 
-// OCIRepositoryVerification verifies the authenticity of an OCI Artifact
-type OCIRepositoryVerification struct {
-	// Provider specifies the technology used to sign the OCI Artifact.
-	// +kubebuilder:validation:Enum=cosign
-	// +kubebuilder:default:=cosign
-	Provider string `json:"provider"`
-
-	// SecretRef specifies the Kubernetes Secret containing the
-	// trusted public keys.
-	// +optional
-	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
-}
-
 // OCIRepositoryStatus defines the observed state of OCIRepository
 type OCIRepositoryStatus struct {
 	// ObservedGeneration is the last observed generation.
@@ -280,11 +283,10 @@ func (in *OCIRepository) GetLayerOperation() string {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=ocirepo
 // +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion:warning="v1beta2 OCIRepository is deprecated, upgrade to v1"
 // +kubebuilder:printcolumn:name="URL",type=string,JSONPath=`.spec.url`
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""

api/v1beta2/sts_types.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+const (
+	// STSProviderAmazon represents the AWS provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an AWS STS endpoint.
+	STSProviderAmazon string = "aws"
+	// STSProviderLDAP represents the LDAP provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an LDAP endpoint.
+	STSProviderLDAP string = "ldap"
+)

api/v1beta2/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2023 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -117,13 +116,53 @@ func (in *BucketList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+func (in *BucketSTSSpec) DeepCopyInto(out *BucketSTSSpec) {
 	*out = *in
 	if in.SecretRef != nil {
 		in, out := &in.SecretRef, &out.SecretRef
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketSTSSpec.
+func (in *BucketSTSSpec) DeepCopy() *BucketSTSSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketSTSSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BucketSpec) DeepCopyInto(out *BucketSpec) {
+	*out = *in
+	if in.STS != nil {
+		in, out := &in.STS, &out.STS
+		*out = new(BucketSTSSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -467,7 +506,7 @@ func (in *HelmChartSpec) DeepCopyInto(out *HelmChartSpec) {
 	}
 	if in.Verify != nil {
 		in, out := &in.Verify, &out.Verify
-		*out = new(OCIRepositoryVerification)
+		*out = new(apiv1.OCIRepositoryVerification)
 		(*in).DeepCopyInto(*out)
 	}
 }
@@ -485,6 +524,11 @@ func (in *HelmChartSpec) DeepCopy() *HelmChartSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HelmChartStatus) DeepCopyInto(out *HelmChartStatus) {
 	*out = *in
+	if in.ObservedValuesFiles != nil {
+		in, out := &in.ObservedValuesFiles, &out.ObservedValuesFiles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
 		*out = make([]v1.Condition, len(*in))
@@ -577,6 +621,11 @@ func (in *HelmRepositorySpec) DeepCopyInto(out *HelmRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -752,7 +801,7 @@ func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
 	}
 	if in.Verify != nil {
 		in, out := &in.Verify, &out.Verify
-		*out = new(OCIRepositoryVerification)
+		*out = new(apiv1.OCIRepositoryVerification)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.CertSecretRef != nil {
@@ -760,6 +809,11 @@ func (in *OCIRepositorySpec) DeepCopyInto(out *OCIRepositorySpec) {
 		*out = new(meta.LocalObjectReference)
 		**out = **in
 	}
+	if in.ProxySecretRef != nil {
+		in, out := &in.ProxySecretRef, &out.ProxySecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 	out.Interval = in.Interval
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
@@ -820,23 +874,3 @@ func (in *OCIRepositoryStatus) DeepCopy() *OCIRepositoryStatus {
 	in.DeepCopyInto(out)
 	return out
 }
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OCIRepositoryVerification) DeepCopyInto(out *OCIRepositoryVerification) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(meta.LocalObjectReference)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OCIRepositoryVerification.
-func (in *OCIRepositoryVerification) DeepCopy() *OCIRepositoryVerification {
-	if in == nil {
-		return nil
-	}
-	out := new(OCIRepositoryVerification)
-	in.DeepCopyInto(out)
-	return out
-}

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: helmcharts.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -17,6 +16,338 @@ spec:
     singular: helmchart
   scope: Namespaced
   versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.chart
+      name: Chart
+      type: string
+    - jsonPath: .spec.version
+      name: Version
+      type: string
+    - jsonPath: .spec.sourceRef.kind
+      name: Source Kind
+      type: string
+    - jsonPath: .spec.sourceRef.name
+      name: Source Name
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: HelmChart is the Schema for the helmcharts API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HelmChartSpec specifies the desired state of a Helm chart.
+            properties:
+              chart:
+                description: |-
+                  Chart is the name or path the Helm chart is available at in the
+                  SourceRef.
+                type: string
+              ignoreMissingValuesFiles:
+                description: |-
+                  IgnoreMissingValuesFiles controls whether to silently ignore missing values
+                  files rather than failing.
+                type: boolean
+              interval:
+                description: |-
+                  Interval at which the HelmChart SourceRef is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              reconcileStrategy:
+                default: ChartVersion
+                description: |-
+                  ReconcileStrategy determines what enables the creation of a new artifact.
+                  Valid values are ('ChartVersion', 'Revision').
+                  See the documentation of the values for an explanation on their behavior.
+                  Defaults to ChartVersion when omitted.
+                enum:
+                - ChartVersion
+                - Revision
+                type: string
+              sourceRef:
+                description: SourceRef is the reference to the Source the chart is
+                  available at.
+                properties:
+                  apiVersion:
+                    description: APIVersion of the referent.
+                    type: string
+                  kind:
+                    description: |-
+                      Kind of the referent, valid values are ('HelmRepository', 'GitRepository',
+                      'Bucket').
+                    enum:
+                    - HelmRepository
+                    - GitRepository
+                    - Bucket
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+              suspend:
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  source.
+                type: boolean
+              valuesFiles:
+                description: |-
+                  ValuesFiles is an alternative list of values files to use as the chart
+                  values (values.yaml is not included by default), expected to be a
+                  relative path in the SourceRef.
+                  Values files are merged in the order of this list with the last file
+                  overriding the first. Ignored when omitted.
+                items:
+                  type: string
+                type: array
+              verify:
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
+                  This field is only supported when using HelmRepository source with spec.type 'oci'.
+                  Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+                properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
+                  provider:
+                    default: cosign
+                    description: Provider specifies the technology used to sign the
+                      OCI Artifact.
+                    enum:
+                    - cosign
+                    - notation
+                    type: string
+                  secretRef:
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                required:
+                - provider
+                type: object
+              version:
+                default: '*'
+                description: |-
+                  Version is the chart version semver expression, ignored for charts from
+                  GitRepository and Bucket sources. Defaults to latest when omitted.
+                type: string
+            required:
+            - chart
+            - interval
+            - sourceRef
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: HelmChartStatus records the observed state of the HelmChart.
+            properties:
+              artifact:
+                description: Artifact represents the output of the last successful
+                  reconciliation.
+                properties:
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
+                    type: string
+                  lastUpdateTime:
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
+                    format: date-time
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Metadata holds upstream information such as OCI annotations.
+                    type: object
+                  path:
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
+                    type: string
+                  revision:
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+                    type: string
+                  size:
+                    description: Size is the number of bytes in the file.
+                    format: int64
+                    type: integer
+                  url:
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
+                    type: string
+                required:
+                - lastUpdateTime
+                - path
+                - revision
+                - url
+                type: object
+              conditions:
+                description: Conditions holds the conditions for the HelmChart.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+              observedChartName:
+                description: |-
+                  ObservedChartName is the last observed chart name as specified by the
+                  resolved chart reference.
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmChart
+                  object.
+                format: int64
+                type: integer
+              observedSourceArtifactRevision:
+                description: |-
+                  ObservedSourceArtifactRevision is the last observed Artifact.Revision
+                  of the HelmChartSpec.SourceRef.
+                type: string
+              observedValuesFiles:
+                description: |-
+                  ObservedValuesFiles are the observed value files of the last successful
+                  reconciliation.
+                  It matches the chart in the last successfully reconciled artifact.
+                items:
+                  type: string
+                type: array
+              url:
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  BucketStatus.Artifact data is recommended.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
   - additionalPrinterColumns:
     - jsonPath: .spec.chart
       name: Chart
@@ -39,20 +370,27 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
+    deprecated: true
+    deprecationWarning: v1beta1 HelmChart is deprecated, upgrade to v1
     name: v1beta1
     schema:
       openAPIV3Schema:
         description: HelmChart is the Schema for the helmcharts API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -64,22 +402,21 @@ spec:
                   cross-namespace references to this object.
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
@@ -95,10 +432,11 @@ spec:
                 type: string
               reconcileStrategy:
                 default: ChartVersion
-                description: Determines what enables the creation of a new artifact.
-                  Valid values are ('ChartVersion', 'Revision'). See the documentation
-                  of the values for an explanation on their behavior. Defaults to
-                  ChartVersion when omitted.
+                description: |-
+                  Determines what enables the creation of a new artifact. Valid values are
+                  ('ChartVersion', 'Revision').
+                  See the documentation of the values for an explanation on their behavior.
+                  Defaults to ChartVersion when omitted.
                 enum:
                 - ChartVersion
                 - Revision
@@ -110,8 +448,9 @@ spec:
                     description: APIVersion of the referent.
                     type: string
                   kind:
-                    description: Kind of the referent, valid values are ('HelmRepository',
-                      'GitRepository', 'Bucket').
+                    description: |-
+                      Kind of the referent, valid values are ('HelmRepository', 'GitRepository',
+                      'Bucket').
                     enum:
                     - HelmRepository
                     - GitRepository
@@ -129,24 +468,26 @@ spec:
                   of this source.
                 type: boolean
               valuesFile:
-                description: Alternative values file to use as the default chart values,
-                  expected to be a relative path in the SourceRef. Deprecated in favor
-                  of ValuesFiles, for backwards compatibility the file defined here
-                  is merged before the ValuesFiles items. Ignored when omitted.
+                description: |-
+                  Alternative values file to use as the default chart values, expected to
+                  be a relative path in the SourceRef. Deprecated in favor of ValuesFiles,
+                  for backwards compatibility the file defined here is merged before the
+                  ValuesFiles items. Ignored when omitted.
                 type: string
               valuesFiles:
-                description: Alternative list of values files to use as the chart
-                  values (values.yaml is not included by default), expected to be
-                  a relative path in the SourceRef. Values files are merged in the
-                  order of this list with the last file overriding the first. Ignored
-                  when omitted.
+                description: |-
+                  Alternative list of values files to use as the chart values (values.yaml
+                  is not included by default), expected to be a relative path in the SourceRef.
+                  Values files are merged in the order of this list with the last file overriding
+                  the first. Ignored when omitted.
                 items:
                   type: string
                 type: array
               version:
                 default: '*'
-                description: The chart version semver expression, ignored for charts
-                  from GitRepository and Bucket sources. Defaults to latest when omitted.
+                description: |-
+                  The chart version semver expression, ignored for charts from GitRepository
+                  and Bucket sources. Defaults to latest when omitted.
                 type: string
             required:
             - chart
@@ -166,65 +507,60 @@ spec:
                     description: Checksum is the SHA256 checksum of the artifact.
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of this artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of this
+                      artifact.
                     format: date-time
                     type: string
                   path:
                     description: Path is the relative file path of this artifact.
                     type: string
                   revision:
-                    description: Revision is a human readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm index timestamp, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm
+                      chart version, etc.
                     type: string
                   url:
                     description: URL is the HTTP address of this artifact.
                     type: string
                 required:
+                - lastUpdateTime
                 - path
                 - url
                 type: object
               conditions:
                 description: Conditions holds the conditions for the HelmChart.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -239,10 +575,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -255,9 +587,10 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
                 description: ObservedGeneration is the last observed generation.
@@ -294,20 +627,27 @@ spec:
     - jsonPath: .status.conditions[?(@.type=="Ready")].message
       name: Status
       type: string
+    deprecated: true
+    deprecationWarning: v1beta2 HelmChart is deprecated, upgrade to v1
     name: v1beta2
     schema:
       openAPIV3Schema:
         description: HelmChart is the Schema for the helmcharts API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -315,27 +655,27 @@ spec:
             description: HelmChartSpec specifies the desired state of a Helm chart.
             properties:
               accessFrom:
-                description: 'AccessFrom specifies an Access Control List for allowing
-                  cross-namespace references to this object. NOTE: Not implemented,
-                  provisional as of https://github.com/fluxcd/flux2/pull/2092'
+                description: |-
+                  AccessFrom specifies an Access Control List for allowing cross-namespace
+                  references to this object.
+                  NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
@@ -343,20 +683,29 @@ spec:
                 - namespaceSelectors
                 type: object
               chart:
-                description: Chart is the name or path the Helm chart is available
-                  at in the SourceRef.
+                description: |-
+                  Chart is the name or path the Helm chart is available at in the
+                  SourceRef.
                 type: string
+              ignoreMissingValuesFiles:
+                description: |-
+                  IgnoreMissingValuesFiles controls whether to silently ignore missing values
+                  files rather than failing.
+                type: boolean
               interval:
-                description: Interval is the interval at which to check the Source
-                  for updates.
+                description: |-
+                  Interval at which the HelmChart SourceRef is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               reconcileStrategy:
                 default: ChartVersion
-                description: ReconcileStrategy determines what enables the creation
-                  of a new artifact. Valid values are ('ChartVersion', 'Revision').
-                  See the documentation of the values for an explanation on their
-                  behavior. Defaults to ChartVersion when omitted.
+                description: |-
+                  ReconcileStrategy determines what enables the creation of a new artifact.
+                  Valid values are ('ChartVersion', 'Revision').
+                  See the documentation of the values for an explanation on their behavior.
+                  Defaults to ChartVersion when omitted.
                 enum:
                 - ChartVersion
                 - Revision
@@ -369,8 +718,9 @@ spec:
                     description: APIVersion of the referent.
                     type: string
                   kind:
-                    description: Kind of the referent, valid values are ('HelmRepository',
-                      'GitRepository', 'Bucket').
+                    description: |-
+                      Kind of the referent, valid values are ('HelmRepository', 'GitRepository',
+                      'Bucket').
                     enum:
                     - HelmRepository
                     - GitRepository
@@ -384,43 +734,75 @@ spec:
                 - name
                 type: object
               suspend:
-                description: Suspend tells the controller to suspend the reconciliation
-                  of this source.
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  source.
                 type: boolean
               valuesFile:
-                description: ValuesFile is an alternative values file to use as the
-                  default chart values, expected to be a relative path in the SourceRef.
-                  Deprecated in favor of ValuesFiles, for backwards compatibility
-                  the file specified here is merged before the ValuesFiles items.
-                  Ignored when omitted.
+                description: |-
+                  ValuesFile is an alternative values file to use as the default chart
+                  values, expected to be a relative path in the SourceRef. Deprecated in
+                  favor of ValuesFiles, for backwards compatibility the file specified here
+                  is merged before the ValuesFiles items. Ignored when omitted.
                 type: string
               valuesFiles:
-                description: ValuesFiles is an alternative list of values files to
-                  use as the chart values (values.yaml is not included by default),
-                  expected to be a relative path in the SourceRef. Values files are
-                  merged in the order of this list with the last file overriding the
-                  first. Ignored when omitted.
+                description: |-
+                  ValuesFiles is an alternative list of values files to use as the chart
+                  values (values.yaml is not included by default), expected to be a
+                  relative path in the SourceRef.
+                  Values files are merged in the order of this list with the last file
+                  overriding the first. Ignored when omitted.
                 items:
                   type: string
                 type: array
               verify:
-                description: Verify contains the secret name containing the trusted
-                  public keys used to verify the signature and specifies which provider
-                  to use to check whether OCI image is authentic. This field is only
-                  supported when using HelmRepository source with spec.type 'oci'.
-                  Chart dependencies, which are not bundled in the umbrella chart
-                  artifact, are not verified.
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
+                  This field is only supported when using HelmRepository source with spec.type 'oci'.
+                  Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
                 properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
                   provider:
                     default: cosign
                     description: Provider specifies the technology used to sign the
                       OCI Artifact.
                     enum:
                     - cosign
+                    - notation
                     type: string
                   secretRef:
-                    description: SecretRef specifies the Kubernetes Secret containing
-                      the trusted public keys.
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
                     properties:
                       name:
                         description: Name of the referent.
@@ -433,9 +815,9 @@ spec:
                 type: object
               version:
                 default: '*'
-                description: Version is the chart version semver expression, ignored
-                  for charts from GitRepository and Bucket sources. Defaults to latest
-                  when omitted.
+                description: |-
+                  Version is the chart version semver expression, ignored for charts from
+                  GitRepository and Bucket sources. Defaults to latest when omitted.
                 type: string
             required:
             - chart
@@ -456,8 +838,9 @@ spec:
                     pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of the Artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
                     format: date-time
                     type: string
                   metadata:
@@ -466,24 +849,25 @@ spec:
                     description: Metadata holds upstream information such as OCI annotations.
                     type: object
                   path:
-                    description: Path is the relative file path of the Artifact. It
-                      can be used to locate the file in the root of the Artifact storage
-                      on the local file system of the controller managing the Source.
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
                     type: string
                   revision:
-                    description: Revision is a human-readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
                     type: string
                   size:
                     description: Size is the number of bytes in the file.
                     format: int64
                     type: integer
                   url:
-                    description: URL is the HTTP address of the Artifact as exposed
-                      by the controller managing the Source. It can be used to retrieve
-                      the Artifact for consumption, e.g. by another controller applying
-                      the Artifact contents.
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
                     type: string
                 required:
                 - lastUpdateTime
@@ -494,43 +878,35 @@ spec:
               conditions:
                 description: Conditions holds the conditions for the HelmChart.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -545,10 +921,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -561,31 +933,44 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedChartName:
-                description: ObservedChartName is the last observed chart name as
-                  specified by the resolved chart reference.
+                description: |-
+                  ObservedChartName is the last observed chart name as specified by the
+                  resolved chart reference.
                 type: string
               observedGeneration:
-                description: ObservedGeneration is the last observed generation of
-                  the HelmChart object.
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmChart
+                  object.
                 format: int64
                 type: integer
               observedSourceArtifactRevision:
-                description: ObservedSourceArtifactRevision is the last observed Artifact.Revision
+                description: |-
+                  ObservedSourceArtifactRevision is the last observed Artifact.Revision
                   of the HelmChartSpec.SourceRef.
                 type: string
+              observedValuesFiles:
+                description: |-
+                  ObservedValuesFiles are the observed value files of the last successful
+                  reconciliation.
+                  It matches the chart in the last successfully reconciled artifact.
+                items:
+                  type: string
+                type: array
               url:
-                description: URL is the dynamic fetch link for the latest Artifact.
-                  It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact
-                  data is recommended.
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  BucketStatus.Artifact data is recommended.
                 type: string
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}

config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: helmrepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -17,6 +16,308 @@ spec:
     singular: helmrepository
   scope: Namespaced
   versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.url
+      name: URL
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: HelmRepository is the Schema for the helmrepositories API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              HelmRepositorySpec specifies the required configuration to produce an
+              Artifact for a Helm repository index YAML.
+            properties:
+              accessFrom:
+                description: |-
+                  AccessFrom specifies an Access Control List for allowing cross-namespace
+                  references to this object.
+                  NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
+                properties:
+                  namespaceSelectors:
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
+                    items:
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
+                      properties:
+                        matchLabels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
+                          type: object
+                      type: object
+                    type: array
+                required:
+                - namespaceSelectors
+                type: object
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  It takes precedence over the values specified in the Secret referred
+                  to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              insecure:
+                description: |-
+                  Insecure allows connecting to a non-TLS HTTP container registry.
+                  This field is only taken into account if the .spec.type field is set to 'oci'.
+                type: boolean
+              interval:
+                description: |-
+                  Interval at which the HelmRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              passCredentials:
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed
+                  on to a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the
+                  index differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result
+                  in credentials getting stolen in a MITM-attack.
+                type: boolean
+              provider:
+                default: generic
+                description: |-
+                  Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+                  When not specified, defaults to 'generic'.
+                enum:
+                - generic
+                - aws
+                - azure
+                - gcp
+                type: string
+              secretRef:
+                description: |-
+                  SecretRef specifies the Secret containing authentication credentials
+                  for the HelmRepository.
+                  For HTTP/S basic auth the secret must contain 'username' and 'password'
+                  fields.
+                  Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+                  keys is deprecated. Please use `.spec.certSecretRef` instead.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              suspend:
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  HelmRepository.
+                type: boolean
+              timeout:
+                description: |-
+                  Timeout is used for the index fetch operation for an HTTPS helm repository,
+                  and for remote OCI Repository operations like pulling for an OCI helm
+                  chart by the associated HelmChart.
+                  Its default value is 60s.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+              type:
+                description: |-
+                  Type of the HelmRepository.
+                  When this field is set to  "oci", the URL field value must be prefixed with "oci://".
+                enum:
+                - default
+                - oci
+                type: string
+              url:
+                description: |-
+                  URL of the Helm repository, a valid URL contains at least a protocol and
+                  host.
+                pattern: ^(http|https|oci)://.*$
+                type: string
+            required:
+            - url
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: HelmRepositoryStatus records the observed state of the HelmRepository.
+            properties:
+              artifact:
+                description: Artifact represents the last successful HelmRepository
+                  reconciliation.
+                properties:
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
+                    type: string
+                  lastUpdateTime:
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
+                    format: date-time
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Metadata holds upstream information such as OCI annotations.
+                    type: object
+                  path:
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
+                    type: string
+                  revision:
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+                    type: string
+                  size:
+                    description: Size is the number of bytes in the file.
+                    format: int64
+                    type: integer
+                  url:
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
+                    type: string
+                required:
+                - lastUpdateTime
+                - path
+                - revision
+                - url
+                type: object
+              conditions:
+                description: Conditions holds the conditions for the HelmRepository.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+              observedGeneration:
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmRepository
+                  object.
+                format: int64
+                type: integer
+              url:
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  HelmRepositoryStatus.Artifact data is recommended.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
   - additionalPrinterColumns:
     - jsonPath: .spec.url
       name: URL
@@ -30,20 +331,27 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
+    deprecated: true
+    deprecationWarning: v1beta1 HelmRepository is deprecated, upgrade to v1
     name: v1beta1
     schema:
       openAPIV3Schema:
         description: HelmRepository is the Schema for the helmrepositories API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -55,22 +363,21 @@ spec:
                   cross-namespace references to this object.
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
@@ -81,18 +388,22 @@ spec:
                 description: The interval at which to check the upstream for updates.
                 type: string
               passCredentials:
-                description: PassCredentials allows the credentials from the SecretRef
-                  to be passed on to a host that does not match the host as defined
-                  in URL. This may be required if the host of the advertised chart
-                  URLs in the index differ from the defined URL. Enabling this should
-                  be done with caution, as it can potentially result in credentials
-                  getting stolen in a MITM-attack.
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed on to
+                  a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the index
+                  differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result in
+                  credentials getting stolen in a MITM-attack.
                 type: boolean
               secretRef:
-                description: The name of the secret containing authentication credentials
-                  for the Helm repository. For HTTP/S basic auth the secret must contain
-                  username and password fields. For TLS the secret must contain a
-                  certFile and keyFile, and/or caFile fields.
+                description: |-
+                  The name of the secret containing authentication credentials for the Helm
+                  repository.
+                  For HTTP/S basic auth the secret must contain username and
+                  password fields.
+                  For TLS the secret must contain a certFile and keyFile, and/or
+                  caFile fields.
                 properties:
                   name:
                     description: Name of the referent.
@@ -129,65 +440,60 @@ spec:
                     description: Checksum is the SHA256 checksum of the artifact.
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of this artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of this
+                      artifact.
                     format: date-time
                     type: string
                   path:
                     description: Path is the relative file path of this artifact.
                     type: string
                   revision:
-                    description: Revision is a human readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm index timestamp, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm index timestamp, a Helm
+                      chart version, etc.
                     type: string
                   url:
                     description: URL is the HTTP address of this artifact.
                     type: string
                 required:
+                - lastUpdateTime
                 - path
                 - url
                 type: object
               conditions:
                 description: Conditions holds the conditions for the HelmRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -202,10 +508,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -218,9 +520,10 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
                 description: ObservedGeneration is the last observed generation.
@@ -248,73 +551,114 @@ spec:
     - jsonPath: .status.conditions[?(@.type=="Ready")].message
       name: Status
       type: string
+    deprecated: true
+    deprecationWarning: v1beta2 HelmRepository is deprecated, upgrade to v1
     name: v1beta2
     schema:
       openAPIV3Schema:
         description: HelmRepository is the Schema for the helmrepositories API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
-            description: HelmRepositorySpec specifies the required configuration to
-              produce an Artifact for a Helm repository index YAML.
+            description: |-
+              HelmRepositorySpec specifies the required configuration to produce an
+              Artifact for a Helm repository index YAML.
             properties:
               accessFrom:
-                description: 'AccessFrom specifies an Access Control List for allowing
-                  cross-namespace references to this object. NOTE: Not implemented,
-                  provisional as of https://github.com/fluxcd/flux2/pull/2092'
+                description: |-
+                  AccessFrom specifies an Access Control List for allowing cross-namespace
+                  references to this object.
+                  NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
                 properties:
                   namespaceSelectors:
-                    description: NamespaceSelectors is the list of namespace selectors
-                      to which this ACL applies. Items in this list are evaluated
-                      using a logical OR operation.
+                    description: |-
+                      NamespaceSelectors is the list of namespace selectors to which this ACL applies.
+                      Items in this list are evaluated using a logical OR operation.
                     items:
-                      description: NamespaceSelector selects the namespaces to which
-                        this ACL applies. An empty map of MatchLabels matches all
-                        namespaces in a cluster.
+                      description: |-
+                        NamespaceSelector selects the namespaces to which this ACL applies.
+                        An empty map of MatchLabels matches all namespaces in a cluster.
                       properties:
                         matchLabels:
                           additionalProperties:
                             type: string
-                          description: MatchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
+                          description: |-
+                            MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                            map is equivalent to an element of matchExpressions, whose key field is "key", the
+                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                           type: object
                       type: object
                     type: array
                 required:
                 - namespaceSelectors
                 type: object
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  It takes precedence over the values specified in the Secret referred
+                  to by `.spec.secretRef`.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              insecure:
+                description: |-
+                  Insecure allows connecting to a non-TLS HTTP container registry.
+                  This field is only taken into account if the .spec.type field is set to 'oci'.
+                type: boolean
               interval:
-                description: Interval at which to check the URL for updates.
+                description: |-
+                  Interval at which the HelmRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               passCredentials:
-                description: PassCredentials allows the credentials from the SecretRef
-                  to be passed on to a host that does not match the host as defined
-                  in URL. This may be required if the host of the advertised chart
-                  URLs in the index differ from the defined URL. Enabling this should
-                  be done with caution, as it can potentially result in credentials
-                  getting stolen in a MITM-attack.
+                description: |-
+                  PassCredentials allows the credentials from the SecretRef to be passed
+                  on to a host that does not match the host as defined in URL.
+                  This may be required if the host of the advertised chart URLs in the
+                  index differ from the defined URL.
+                  Enabling this should be done with caution, as it can potentially result
+                  in credentials getting stolen in a MITM-attack.
                 type: boolean
               provider:
                 default: generic
-                description: Provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. This field is optional, and only taken into
-                  account if the .spec.type field is set to 'oci'. When not specified,
-                  defaults to 'generic'.
+                description: |-
+                  Provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  This field is optional, and only taken into account if the .spec.type field is set to 'oci'.
+                  When not specified, defaults to 'generic'.
                 enum:
                 - generic
                 - aws
@@ -322,10 +666,13 @@ spec:
                 - gcp
                 type: string
               secretRef:
-                description: SecretRef specifies the Secret containing authentication
-                  credentials for the HelmRepository. For HTTP/S basic auth the secret
-                  must contain 'username' and 'password' fields. For TLS the secret
-                  must contain a 'certFile' and 'keyFile', and/or 'caFile' fields.
+                description: |-
+                  SecretRef specifies the Secret containing authentication credentials
+                  for the HelmRepository.
+                  For HTTP/S basic auth the secret must contain 'username' and 'password'
+                  fields.
+                  Support for TLS auth using the 'certFile' and 'keyFile', and/or 'caFile'
+                  keys is deprecated. Please use `.spec.certSecretRef` instead.
                 properties:
                   name:
                     description: Name of the referent.
@@ -334,29 +681,33 @@ spec:
                 - name
                 type: object
               suspend:
-                description: Suspend tells the controller to suspend the reconciliation
-                  of this HelmRepository.
+                description: |-
+                  Suspend tells the controller to suspend the reconciliation of this
+                  HelmRepository.
                 type: boolean
               timeout:
-                default: 60s
-                description: Timeout is used for the index fetch operation for an
-                  HTTPS helm repository, and for remote OCI Repository operations
-                  like pulling for an OCI helm repository. Its default value is 60s.
+                description: |-
+                  Timeout is used for the index fetch operation for an HTTPS helm repository,
+                  and for remote OCI Repository operations like pulling for an OCI helm
+                  chart by the associated HelmChart.
+                  Its default value is 60s.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
                 type: string
               type:
-                description: Type of the HelmRepository. When this field is set to  "oci",
-                  the URL field value must be prefixed with "oci://".
+                description: |-
+                  Type of the HelmRepository.
+                  When this field is set to  "oci", the URL field value must be prefixed with "oci://".
                 enum:
                 - default
                 - oci
                 type: string
               url:
-                description: URL of the Helm repository, a valid URL contains at least
-                  a protocol and host.
+                description: |-
+                  URL of the Helm repository, a valid URL contains at least a protocol and
+                  host.
+                pattern: ^(http|https|oci)://.*$
                 type: string
             required:
-            - interval
             - url
             type: object
           status:
@@ -373,8 +724,9 @@ spec:
                     pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of the Artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
                     format: date-time
                     type: string
                   metadata:
@@ -383,24 +735,25 @@ spec:
                     description: Metadata holds upstream information such as OCI annotations.
                     type: object
                   path:
-                    description: Path is the relative file path of the Artifact. It
-                      can be used to locate the file in the root of the Artifact storage
-                      on the local file system of the controller managing the Source.
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
                     type: string
                   revision:
-                    description: Revision is a human-readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
                     type: string
                   size:
                     description: Size is the number of bytes in the file.
                     format: int64
                     type: integer
                   url:
-                    description: URL is the HTTP address of the Artifact as exposed
-                      by the controller managing the Source. It can be used to retrieve
-                      the Artifact for consumption, e.g. by another controller applying
-                      the Artifact contents.
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
                     type: string
                 required:
                 - lastUpdateTime
@@ -411,43 +764,35 @@ spec:
               conditions:
                 description: Conditions holds the conditions for the HelmRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -462,10 +807,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -478,23 +819,26 @@ spec:
                   type: object
                 type: array
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
-                description: ObservedGeneration is the last observed generation of
-                  the HelmRepository object.
+                description: |-
+                  ObservedGeneration is the last observed generation of the HelmRepository
+                  object.
                 format: int64
                 type: integer
               url:
-                description: URL is the dynamic fetch link for the latest Artifact.
-                  It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact
-                  data is recommended.
+                description: |-
+                  URL is the dynamic fetch link for the latest Artifact.
+                  It is provided on a "best effort" basis, and using the precise
+                  HelmRepositoryStatus.Artifact data is recommended.
                 type: string
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.16.1
   name: ocirepositories.source.toolkit.fluxcd.io
 spec:
   group: source.toolkit.fluxcd.io
@@ -30,20 +29,25 @@ spec:
     - jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
-    name: v1beta2
+    name: v1
     schema:
       openAPIV3Schema:
         description: OCIRepository is the Schema for the ocirepositories API
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -51,13 +55,19 @@ spec:
             description: OCIRepositorySpec defines the desired state of OCIRepository
             properties:
               certSecretRef:
-                description: "CertSecretRef can be given the name of a secret containing
-                  either or both of \n - a PEM-encoded client certificate (`certFile`)
-                  and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`)
-                  \n and whichever are supplied, will be used for connecting to the
-                  registry. The client cert and key are useful if you are authenticating
-                  with a certificate; the CA cert is useful if you are using a self-signed
-                  server certificate."
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
                 properties:
                   name:
                     description: Name of the referent.
@@ -66,34 +76,39 @@ spec:
                 - name
                 type: object
               ignore:
-                description: Ignore overrides the set of excluded patterns in the
-                  .sourceignore format (which is the same as .gitignore). If not provided,
-                  a default will be used, consult the documentation for your version
-                  to find out what those are.
+                description: |-
+                  Ignore overrides the set of excluded patterns in the .sourceignore format
+                  (which is the same as .gitignore). If not provided, a default will be used,
+                  consult the documentation for your version to find out what those are.
                 type: string
               insecure:
                 description: Insecure allows connecting to a non-TLS HTTP container
                   registry.
                 type: boolean
               interval:
-                description: The interval at which to check for image updates.
+                description: |-
+                  Interval at which the OCIRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
                 type: string
               layerSelector:
-                description: LayerSelector specifies which layer should be extracted
-                  from the OCI artifact. When not specified, the first layer found
-                  in the artifact is selected.
+                description: |-
+                  LayerSelector specifies which layer should be extracted from the OCI artifact.
+                  When not specified, the first layer found in the artifact is selected.
                 properties:
                   mediaType:
-                    description: MediaType specifies the OCI media type of the layer
-                      which should be extracted from the OCI Artifact. The first layer
-                      matching this type is selected.
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
                     type: string
                   operation:
-                    description: Operation specifies how the selected layer should
-                      be processed. By default, the layer compressed content is extracted
-                      to storage. When the operation is set to 'copy', the layer compressed
-                      content is persisted to storage as it is.
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
                     enum:
                     - extract
                     - copy
@@ -101,34 +116,54 @@ spec:
                 type: object
               provider:
                 default: generic
-                description: The provider used for authentication, can be 'aws', 'azure',
-                  'gcp' or 'generic'. When not specified, defaults to 'generic'.
+                description: |-
+                  The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  When not specified, defaults to 'generic'.
                 enum:
                 - generic
                 - aws
                 - azure
                 - gcp
                 type: string
+              proxySecretRef:
+                description: |-
+                  ProxySecretRef specifies the Secret containing the proxy configuration
+                  to use while communicating with the container registry.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
               ref:
-                description: The OCI reference to pull and monitor for changes, defaults
-                  to the latest tag.
+                description: |-
+                  The OCI reference to pull and monitor for changes,
+                  defaults to the latest tag.
                 properties:
                   digest:
-                    description: Digest is the image digest to pull, takes precedence
-                      over SemVer. The value should be in the format 'sha256:<HASH>'.
+                    description: |-
+                      Digest is the image digest to pull, takes precedence over SemVer.
+                      The value should be in the format 'sha256:<HASH>'.
                     type: string
                   semver:
-                    description: SemVer is the range of tags to pull selecting the
-                      latest within the range, takes precedence over Tag.
+                    description: |-
+                      SemVer is the range of tags to pull selecting the latest within
+                      the range, takes precedence over Tag.
+                    type: string
+                  semverFilter:
+                    description: SemverFilter is a regex pattern to filter the tags
+                      within the SemVer range.
                     type: string
                   tag:
                     description: Tag is the image tag to pull, defaults to latest.
                     type: string
                 type: object
               secretRef:
-                description: SecretRef contains the secret name containing the registry
-                  login credentials to resolve image metadata. The secret must be
-                  of type kubernetes.io/dockerconfigjson.
+                description: |-
+                  SecretRef contains the secret name containing the registry login
+                  credentials to resolve image metadata.
+                  The secret must be of type kubernetes.io/dockerconfigjson.
                 properties:
                   name:
                     description: Name of the referent.
@@ -137,9 +172,10 @@ spec:
                 - name
                 type: object
               serviceAccountName:
-                description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount
-                  used to authenticate the image pull if the service account has attached
-                  pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account'
+                description: |-
+                  ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+                  the image pull if the service account has attached pull secrets. For more information:
+                  https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
                 type: string
               suspend:
                 description: This flag tells the controller to suspend the reconciliation
@@ -152,25 +188,57 @@ spec:
                 pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
                 type: string
               url:
-                description: URL is a reference to an OCI artifact repository hosted
+                description: |-
+                  URL is a reference to an OCI artifact repository hosted
                   on a remote container registry.
                 pattern: ^oci://.*$
                 type: string
               verify:
-                description: Verify contains the secret name containing the trusted
-                  public keys used to verify the signature and specifies which provider
-                  to use to check whether OCI image is authentic.
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
                 properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
                   provider:
                     default: cosign
                     description: Provider specifies the technology used to sign the
                       OCI Artifact.
                     enum:
                     - cosign
+                    - notation
                     type: string
                   secretRef:
-                    description: SecretRef specifies the Kubernetes Secret containing
-                      the trusted public keys.
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
                     properties:
                       name:
                         description: Name of the referent.
@@ -199,8 +267,9 @@ spec:
                     pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
-                    description: LastUpdateTime is the timestamp corresponding to
-                      the last update of the Artifact.
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
                     format: date-time
                     type: string
                   metadata:
@@ -209,24 +278,25 @@ spec:
                     description: Metadata holds upstream information such as OCI annotations.
                     type: object
                   path:
-                    description: Path is the relative file path of the Artifact. It
-                      can be used to locate the file in the root of the Artifact storage
-                      on the local file system of the controller managing the Source.
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
                     type: string
                   revision:
-                    description: Revision is a human-readable identifier traceable
-                      in the origin source system. It can be a Git commit SHA, Git
-                      tag, a Helm chart version, etc.
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
                     type: string
                   size:
                     description: Size is the number of bytes in the file.
                     format: int64
                     type: integer
                   url:
-                    description: URL is the HTTP address of the Artifact as exposed
-                      by the controller managing the Source. It can be used to retrieve
-                      the Artifact for consumption, e.g. by another controller applying
-                      the Artifact contents.
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
                     type: string
                 required:
                 - lastUpdateTime
@@ -237,43 +307,35 @@ spec:
               conditions:
                 description: Conditions holds the conditions for the OCIRepository.
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource. --- This struct is intended for direct
-                    use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a
-                    foo's current state. // Known .status.conditions.type are: \"Available\",
-                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
-                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
-                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
-                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
-                      description: lastTransitionTime is the last time the condition
-                        transitioned from one status to another. This should be when
-                        the underlying condition changed.  If that is not known, then
-                        using the time when the API field changed is acceptable.
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating
-                        details about the transition. This may be an empty string.
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
-                      description: observedGeneration represents the .metadata.generation
-                        that the condition was set based upon. For instance, if .metadata.generation
-                        is currently 12, but the .status.conditions[x].observedGeneration
-                        is 9, the condition is out of date with respect to the current
-                        state of the instance.
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
                       format: int64
                       minimum: 0
                       type: integer
                     reason:
-                      description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers
-                        of specific condition types may define expected values and
-                        meanings for this field, and whether the values are considered
-                        a guaranteed API. The value should be a CamelCase string.
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
                         This field may not be empty.
                       maxLength: 1024
                       minLength: 1
@@ -288,10 +350,6 @@ spec:
                       type: string
                     type:
                       description: type of condition in CamelCase or in foo.example.com/CamelCase.
-                        --- Many .condition.type values are consistent across resources
-                        like Available, but because arbitrary conditions can be useful
-                        (see .node.status.conditions), the ability to deconflict is
-                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
@@ -303,43 +361,38 @@ spec:
                   - type
                   type: object
                 type: array
-              contentConfigChecksum:
-                description: "ContentConfigChecksum is a checksum of all the configurations
-                  related to the content of the source artifact: - .spec.ignore -
-                  .spec.layerSelector observed in .status.observedGeneration version
-                  of the object. This can be used to determine if the content configuration
-                  has changed and the artifact needs to be rebuilt. It has the format
-                  of `<algo>:<checksum>`, for example: `sha256:<checksum>`. \n Deprecated:
-                  Replaced with explicit fields for observed artifact content config
-                  in the status."
-                type: string
               lastHandledReconcileAt:
-                description: LastHandledReconcileAt holds the value of the most recent
-                  reconcile request value, so a change of the annotation value can
-                  be detected.
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
                 type: string
               observedGeneration:
                 description: ObservedGeneration is the last observed generation.
                 format: int64
                 type: integer
               observedIgnore:
-                description: ObservedIgnore is the observed exclusion patterns used
-                  for constructing the source artifact.
+                description: |-
+                  ObservedIgnore is the observed exclusion patterns used for constructing
+                  the source artifact.
                 type: string
               observedLayerSelector:
-                description: ObservedLayerSelector is the observed layer selector
-                  used for constructing the source artifact.
+                description: |-
+                  ObservedLayerSelector is the observed layer selector used for constructing
+                  the source artifact.
                 properties:
                   mediaType:
-                    description: MediaType specifies the OCI media type of the layer
-                      which should be extracted from the OCI Artifact. The first layer
-                      matching this type is selected.
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
                     type: string
                   operation:
-                    description: Operation specifies how the selected layer should
-                      be processed. By default, the layer compressed content is extracted
-                      to storage. When the operation is set to 'copy', the layer compressed
-                      content is persisted to storage as it is.
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
                     enum:
                     - extract
                     - copy
@@ -355,3 +408,414 @@ spec:
     storage: true
     subresources:
       status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .spec.url
+      name: URL
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    deprecated: true
+    deprecationWarning: v1beta2 OCIRepository is deprecated, upgrade to v1
+    name: v1beta2
+    schema:
+      openAPIV3Schema:
+        description: OCIRepository is the Schema for the ocirepositories API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OCIRepositorySpec defines the desired state of OCIRepository
+            properties:
+              certSecretRef:
+                description: |-
+                  CertSecretRef can be given the name of a Secret containing
+                  either or both of
+
+                  - a PEM-encoded client certificate (`tls.crt`) and private
+                  key (`tls.key`);
+                  - a PEM-encoded CA certificate (`ca.crt`)
+
+                  and whichever are supplied, will be used for connecting to the
+                  registry. The client cert and key are useful if you are
+                  authenticating with a certificate; the CA cert is useful if
+                  you are using a self-signed server certificate. The Secret must
+                  be of type `Opaque` or `kubernetes.io/tls`.
+
+                  Note: Support for the `caFile`, `certFile` and `keyFile` keys have
+                  been deprecated.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              ignore:
+                description: |-
+                  Ignore overrides the set of excluded patterns in the .sourceignore format
+                  (which is the same as .gitignore). If not provided, a default will be used,
+                  consult the documentation for your version to find out what those are.
+                type: string
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
+              interval:
+                description: |-
+                  Interval at which the OCIRepository URL is checked for updates.
+                  This interval is approximate and may be subject to jitter to ensure
+                  efficient use of resources.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$
+                type: string
+              layerSelector:
+                description: |-
+                  LayerSelector specifies which layer should be extracted from the OCI artifact.
+                  When not specified, the first layer found in the artifact is selected.
+                properties:
+                  mediaType:
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
+                    type: string
+                  operation:
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
+                    enum:
+                    - extract
+                    - copy
+                    type: string
+                type: object
+              provider:
+                default: generic
+                description: |-
+                  The provider used for authentication, can be 'aws', 'azure', 'gcp' or 'generic'.
+                  When not specified, defaults to 'generic'.
+                enum:
+                - generic
+                - aws
+                - azure
+                - gcp
+                type: string
+              proxySecretRef:
+                description: |-
+                  ProxySecretRef specifies the Secret containing the proxy configuration
+                  to use while communicating with the container registry.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              ref:
+                description: |-
+                  The OCI reference to pull and monitor for changes,
+                  defaults to the latest tag.
+                properties:
+                  digest:
+                    description: |-
+                      Digest is the image digest to pull, takes precedence over SemVer.
+                      The value should be in the format 'sha256:<HASH>'.
+                    type: string
+                  semver:
+                    description: |-
+                      SemVer is the range of tags to pull selecting the latest within
+                      the range, takes precedence over Tag.
+                    type: string
+                  semverFilter:
+                    description: SemverFilter is a regex pattern to filter the tags
+                      within the SemVer range.
+                    type: string
+                  tag:
+                    description: Tag is the image tag to pull, defaults to latest.
+                    type: string
+                type: object
+              secretRef:
+                description: |-
+                  SecretRef contains the secret name containing the registry login
+                  credentials to resolve image metadata.
+                  The secret must be of type kubernetes.io/dockerconfigjson.
+                properties:
+                  name:
+                    description: Name of the referent.
+                    type: string
+                required:
+                - name
+                type: object
+              serviceAccountName:
+                description: |-
+                  ServiceAccountName is the name of the Kubernetes ServiceAccount used to authenticate
+                  the image pull if the service account has attached pull secrets. For more information:
+                  https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+                type: string
+              suspend:
+                description: This flag tells the controller to suspend the reconciliation
+                  of this source.
+                type: boolean
+              timeout:
+                default: 60s
+                description: The timeout for remote OCI Repository operations like
+                  pulling, defaults to 60s.
+                pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$
+                type: string
+              url:
+                description: |-
+                  URL is a reference to an OCI artifact repository hosted
+                  on a remote container registry.
+                pattern: ^oci://.*$
+                type: string
+              verify:
+                description: |-
+                  Verify contains the secret name containing the trusted public keys
+                  used to verify the signature and specifies which provider to use to check
+                  whether OCI image is authentic.
+                properties:
+                  matchOIDCIdentity:
+                    description: |-
+                      MatchOIDCIdentity specifies the identity matching criteria to use
+                      while verifying an OCI artifact which was signed using Cosign keyless
+                      signing. The artifact's identity is deemed to be verified if any of the
+                      specified matchers match against the identity.
+                    items:
+                      description: |-
+                        OIDCIdentityMatch specifies options for verifying the certificate identity,
+                        i.e. the issuer and the subject of the certificate.
+                      properties:
+                        issuer:
+                          description: |-
+                            Issuer specifies the regex pattern to match against to verify
+                            the OIDC issuer in the Fulcio certificate. The pattern must be a
+                            valid Go regular expression.
+                          type: string
+                        subject:
+                          description: |-
+                            Subject specifies the regex pattern to match against to verify
+                            the identity subject in the Fulcio certificate. The pattern must
+                            be a valid Go regular expression.
+                          type: string
+                      required:
+                      - issuer
+                      - subject
+                      type: object
+                    type: array
+                  provider:
+                    default: cosign
+                    description: Provider specifies the technology used to sign the
+                      OCI Artifact.
+                    enum:
+                    - cosign
+                    - notation
+                    type: string
+                  secretRef:
+                    description: |-
+                      SecretRef specifies the Kubernetes Secret containing the
+                      trusted public keys.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                required:
+                - provider
+                type: object
+            required:
+            - interval
+            - url
+            type: object
+          status:
+            default:
+              observedGeneration: -1
+            description: OCIRepositoryStatus defines the observed state of OCIRepository
+            properties:
+              artifact:
+                description: Artifact represents the output of the last successful
+                  OCI Repository sync.
+                properties:
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
+                    type: string
+                  lastUpdateTime:
+                    description: |-
+                      LastUpdateTime is the timestamp corresponding to the last update of the
+                      Artifact.
+                    format: date-time
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Metadata holds upstream information such as OCI annotations.
+                    type: object
+                  path:
+                    description: |-
+                      Path is the relative file path of the Artifact. It can be used to locate
+                      the file in the root of the Artifact storage on the local file system of
+                      the controller managing the Source.
+                    type: string
+                  revision:
+                    description: |-
+                      Revision is a human-readable identifier traceable in the origin source
+                      system. It can be a Git commit SHA, Git tag, a Helm chart version, etc.
+                    type: string
+                  size:
+                    description: Size is the number of bytes in the file.
+                    format: int64
+                    type: integer
+                  url:
+                    description: |-
+                      URL is the HTTP address of the Artifact as exposed by the controller
+                      managing the Source. It can be used to retrieve the Artifact for
+                      consumption, e.g. by another controller applying the Artifact contents.
+                    type: string
+                required:
+                - lastUpdateTime
+                - path
+                - revision
+                - url
+                type: object
+              conditions:
+                description: Conditions holds the conditions for the OCIRepository.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              contentConfigChecksum:
+                description: |-
+                  ContentConfigChecksum is a checksum of all the configurations related to
+                  the content of the source artifact:
+                   - .spec.ignore
+                   - .spec.layerSelector
+                  observed in .status.observedGeneration version of the object. This can
+                  be used to determine if the content configuration has changed and the
+                  artifact needs to be rebuilt.
+                  It has the format of `<algo>:<checksum>`, for example: `sha256:<checksum>`.
+
+                  Deprecated: Replaced with explicit fields for observed artifact content
+                  config in the status.
+                type: string
+              lastHandledReconcileAt:
+                description: |-
+                  LastHandledReconcileAt holds the value of the most recent
+                  reconcile request value, so a change of the annotation value
+                  can be detected.
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the last observed generation.
+                format: int64
+                type: integer
+              observedIgnore:
+                description: |-
+                  ObservedIgnore is the observed exclusion patterns used for constructing
+                  the source artifact.
+                type: string
+              observedLayerSelector:
+                description: |-
+                  ObservedLayerSelector is the observed layer selector used for constructing
+                  the source artifact.
+                properties:
+                  mediaType:
+                    description: |-
+                      MediaType specifies the OCI media type of the layer
+                      which should be extracted from the OCI Artifact. The
+                      first layer matching this type is selected.
+                    type: string
+                  operation:
+                    description: |-
+                      Operation specifies how the selected layer should be processed.
+                      By default, the layer compressed content is extracted to storage.
+                      When the operation is set to 'copy', the layer compressed content
+                      is persisted to storage as it is.
+                    enum:
+                    - extract
+                    - copy
+                    type: string
+                type: object
+              url:
+                description: URL is the download link for the artifact output of the
+                  last OCI Repository sync.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}

config/manager/kustomization.yaml

@@ -6,4 +6,4 @@ resources:
 images:
 - name: fluxcd/source-controller
   newName: fluxcd/source-controller
-  newTag: v1.0.0-rc.2
+  newTag: v1.6.0

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
@@ -20,129 +19,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
   - buckets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - buckets/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - buckets/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - gitrepositories
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - gitrepositories/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - gitrepositories/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - helmcharts
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmcharts/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmcharts/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - helmrepositories
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmrepositories/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
-  - helmrepositories/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - source.toolkit.fluxcd.io
-  resources:
   - ocirepositories
   verbs:
   - create
@@ -155,6 +44,10 @@ rules:
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
+  - buckets/finalizers
+  - gitrepositories/finalizers
+  - helmcharts/finalizers
+  - helmrepositories/finalizers
   - ocirepositories/finalizers
   verbs:
   - create
@@ -165,6 +58,10 @@ rules:
 - apiGroups:
   - source.toolkit.fluxcd.io
   resources:
+  - buckets/status
+  - gitrepositories/status
+  - helmcharts/status
+  - helmrepositories/status
   - ocirepositories/status
   verbs:
   - get

config/samples/source_v1_bucket.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: bucket-sample

config/samples/source_v1_helmchart_gitrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-git-sample

config/samples/source_v1_helmchart_helmrepository-oci.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-sample-oci

config/samples/source_v1_helmchart_helmrepository.yaml

@@ -1,11 +1,12 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-sample
 spec:
   chart: podinfo
-  version: '>=2.0.0 <3.0.0'
+  version: '6.x'
   sourceRef:
     kind: HelmRepository
     name: helmrepository-sample
   interval: 1m
+  ignoreMissingValuesFiles: true

config/samples/source_v1_helmrepository-oci.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: helmrepository-sample-oci

config/samples/source_v1_helmrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: helmrepository-sample

config/samples/source_v1_ocirepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: ocirepository-sample

config/testdata/bucket/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: podinfo

config/testdata/git/large-repo.yaml

@@ -1,13 +1,10 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: large-repo
 spec:
   interval: 10m
   timeout: 2m
-  url: https://github.com/hashgraph/hedera-mirror-node.git
+  url: https://github.com/nodejs/node.git
   ref:
     branch: main
-  ignore: |
-    /*
-    !/charts

config/testdata/helmchart-from-bucket/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: Bucket
 metadata:
   name: charts
@@ -13,7 +13,7 @@ spec:
   secretRef:
     name: minio-credentials
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: helmchart-bucket

config/testdata/helmchart-from-oci/notation.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo-notation
+spec:
+  url: oci://ghcr.io/stefanprodan/charts
+  type: "oci"
+  interval: 1m
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo-notation
+spec:
+  chart: podinfo
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo-notation
+  version: '6.6.0'
+  interval: 1m
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config

config/testdata/helmchart-from-oci/source.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: podinfo
@@ -8,7 +8,7 @@ spec:
   type: "oci"
   interval: 1m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: podinfo
@@ -20,7 +20,7 @@ spec:
   version: '6.1.*'
   interval: 1m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmChart
 metadata:
   name: podinfo-keyless

config/testdata/ocirepository/signed-with-key.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: podinfo-deploy-signed-with-key

config/testdata/ocirepository/signed-with-keyless.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: podinfo-deploy-signed-with-keyless

config/testdata/ocirepository/signed-with-notation.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: podinfo-deploy-signed-with-notation
+spec:
+  interval: 5m
+  url: oci://ghcr.io/stefanprodan/podinfo-deploy
+  ref:
+    semver: "6.6.x"
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config

docs/api/v1beta2/source.md

@@ -114,6 +114,23 @@ string
 </tr>
 <tr>
 <td>
+<code>sts</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">
+BucketSTSSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>STS specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a
+Bucket provider.</p>
+<p>This field is only supported for the <code>aws</code> and <code>generic</code> providers.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>insecure</code><br>
 <em>
 bool
@@ -138,6 +155,18 @@ string
 </tr>
 <tr>
 <td>
+<code>prefix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Prefix to use for server-side filtering of files in the Bucket.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>secretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -153,6 +182,47 @@ for the Bucket.</p>
 </tr>
 <tr>
 <td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+bucket. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>This field is only supported for the <code>generic</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+to use while communicating with the Bucket server.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -161,7 +231,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval at which to check the Endpoint for updates.</p>
+<p>Interval at which the Bucket Endpoint is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -593,7 +665,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval is the interval at which to check the Source for updates.</p>
+<p>Interval at which the HelmChart SourceRef is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -644,6 +718,19 @@ is merged before the ValuesFiles items. Ignored when omitted.</p>
 </tr>
 <tr>
 <td>
+<code>ignoreMissingValuesFiles</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>IgnoreMissingValuesFiles controls whether to silently ignore missing values
+files rather than failing.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool
@@ -675,8 +762,8 @@ NOTE: Not implemented, provisional as of <a href="https://github.com/fluxcd/flux
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#OCIRepositoryVerification">
+github.com/fluxcd/source-controller/api/v1.OCIRepositoryVerification
 </a>
 </em>
 </td>
@@ -792,8 +879,35 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain &lsquo;username&rsquo; and &lsquo;password&rsquo;
 fields.
-For TLS the secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or
-&lsquo;caFile&rsquo; fields.</p>
+Support for TLS auth using the &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+registry. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>It takes precedence over the values specified in the Secret referred
+to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>
@@ -823,7 +937,23 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval at which to check the URL for updates.</p>
+<em>(Optional)</em>
+<p>Interval at which the HelmRepository URL is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.
+This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
 </td>
 </tr>
 <tr>
@@ -838,7 +968,8 @@ Kubernetes meta/v1.Duration
 <td>
 <em>(Optional)</em>
 <p>Timeout is used for the index fetch operation for an HTTPS helm repository,
-and for remote OCI Repository operations like pulling for an OCI helm repository.
+and for remote OCI Repository operations like pulling for an OCI helm
+chart by the associated HelmChart.
 Its default value is 60s.</p>
 </td>
 </tr>
@@ -1049,8 +1180,8 @@ The secret must be of type kubernetes.io/dockerconfigjson.</p>
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#OCIRepositoryVerification">
+github.com/fluxcd/source-controller/api/v1.OCIRepositoryVerification
 </a>
 </em>
 </td>
@@ -1086,17 +1217,35 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </td>
 <td>
 <em>(Optional)</em>
-<p>CertSecretRef can be given the name of a secret containing
+<p>CertSecretRef can be given the name of a Secret containing
 either or both of</p>
 <ul>
-<li>a PEM-encoded client certificate (<code>certFile</code>) and private
-key (<code>keyFile</code>);</li>
-<li>a PEM-encoded CA certificate (<code>caFile</code>)</li>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
 </ul>
 <p>and whichever are supplied, will be used for connecting to the
 registry. The client cert and key are useful if you are
 authenticating with a certificate; the CA cert is useful if
-you are using a self-signed server certificate.</p>
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>Note: Support for the <code>caFile</code>, <code>certFile</code> and <code>keyFile</code> keys have
+been deprecated.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+to use while communicating with the container registry.</p>
 </td>
 </tr>
 <tr>
@@ -1109,7 +1258,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>The interval at which to check for image updates.</p>
+<p>Interval at which the OCIRepository URL is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -1304,6 +1455,94 @@ map[string]string
 </table>
 </div>
 </div>
+<h3 id="source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">BucketSTSSpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSpec">BucketSpec</a>)
+</p>
+<p>BucketSTSSpec specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a Bucket
+provider.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>provider</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Provider of the Security Token Service.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>endpoint</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Endpoint is the HTTP/S endpoint of the Security Token Service from
+where temporary credentials will be fetched.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SecretRef specifies the Secret containing authentication credentials
+for the STS endpoint. This Secret must contain the fields <code>username</code>
+and <code>password</code> and is supported only for the <code>ldap</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+STS endpoint. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>This field is only supported for the <code>ldap</code> provider.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="source.toolkit.fluxcd.io/v1beta2.BucketSpec">BucketSpec
 </h3>
 <p>
@@ -1360,6 +1599,23 @@ string
 </tr>
 <tr>
 <td>
+<code>sts</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1beta2.BucketSTSSpec">
+BucketSTSSpec
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>STS specifies the required configuration to use a Security Token
+Service for fetching temporary credentials to authenticate in a
+Bucket provider.</p>
+<p>This field is only supported for the <code>aws</code> and <code>generic</code> providers.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>insecure</code><br>
 <em>
 bool
@@ -1384,6 +1640,18 @@ string
 </tr>
 <tr>
 <td>
+<code>prefix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Prefix to use for server-side filtering of files in the Bucket.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>secretRef</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -1399,6 +1667,47 @@ for the Bucket.</p>
 </tr>
 <tr>
 <td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+bucket. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>This field is only supported for the <code>generic</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+to use while communicating with the Bucket server.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>interval</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
@@ -1407,7 +1716,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval at which to check the Endpoint for updates.</p>
+<p>Interval at which the Bucket Endpoint is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -2197,7 +2508,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval is the interval at which to check the Source for updates.</p>
+<p>Interval at which the HelmChart SourceRef is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -2248,6 +2561,19 @@ is merged before the ValuesFiles items. Ignored when omitted.</p>
 </tr>
 <tr>
 <td>
+<code>ignoreMissingValuesFiles</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>IgnoreMissingValuesFiles controls whether to silently ignore missing values
+files rather than failing.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool
@@ -2279,8 +2605,8 @@ NOTE: Not implemented, provisional as of <a href="https://github.com/fluxcd/flux
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#OCIRepositoryVerification">
+github.com/fluxcd/source-controller/api/v1.OCIRepositoryVerification
 </a>
 </em>
 </td>
@@ -2355,6 +2681,20 @@ resolved chart reference.</p>
 </tr>
 <tr>
 <td>
+<code>observedValuesFiles</code><br>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ObservedValuesFiles are the observed value files of the last successful
+reconciliation.
+It matches the chart in the last successfully reconciled artifact.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>conditions</code><br>
 <em>
 <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Condition">
@@ -2459,8 +2799,35 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 for the HelmRepository.
 For HTTP/S basic auth the secret must contain &lsquo;username&rsquo; and &lsquo;password&rsquo;
 fields.
-For TLS the secret must contain a &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or
-&lsquo;caFile&rsquo; fields.</p>
+Support for TLS auth using the &lsquo;certFile&rsquo; and &lsquo;keyFile&rsquo;, and/or &lsquo;caFile&rsquo;
+keys is deprecated. Please use <code>.spec.certSecretRef</code> instead.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+registry. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>It takes precedence over the values specified in the Secret referred
+to by <code>.spec.secretRef</code>.</p>
 </td>
 </tr>
 <tr>
@@ -2490,7 +2857,23 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>Interval at which to check the URL for updates.</p>
+<em>(Optional)</em>
+<p>Interval at which the HelmRepository URL is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.
+This field is only taken into account if the .spec.type field is set to &lsquo;oci&rsquo;.</p>
 </td>
 </tr>
 <tr>
@@ -2505,7 +2888,8 @@ Kubernetes meta/v1.Duration
 <td>
 <em>(Optional)</em>
 <p>Timeout is used for the index fetch operation for an HTTPS helm repository,
-and for remote OCI Repository operations like pulling for an OCI helm repository.
+and for remote OCI Repository operations like pulling for an OCI helm
+chart by the associated HelmChart.
 Its default value is 60s.</p>
 </td>
 </tr>
@@ -2813,6 +3197,18 @@ the range, takes precedence over Tag.</p>
 </tr>
 <tr>
 <td>
+<code>semverFilter</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SemverFilter is a regex pattern to filter the tags within the SemVer range.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>tag</code><br>
 <em>
 string
@@ -2919,8 +3315,8 @@ The secret must be of type kubernetes.io/dockerconfigjson.</p>
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="https://pkg.go.dev/github.com/fluxcd/source-controller/api/v1#OCIRepositoryVerification">
+github.com/fluxcd/source-controller/api/v1.OCIRepositoryVerification
 </a>
 </em>
 </td>
@@ -2956,17 +3352,35 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </td>
 <td>
 <em>(Optional)</em>
-<p>CertSecretRef can be given the name of a secret containing
+<p>CertSecretRef can be given the name of a Secret containing
 either or both of</p>
 <ul>
-<li>a PEM-encoded client certificate (<code>certFile</code>) and private
-key (<code>keyFile</code>);</li>
-<li>a PEM-encoded CA certificate (<code>caFile</code>)</li>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
 </ul>
 <p>and whichever are supplied, will be used for connecting to the
 registry. The client cert and key are useful if you are
 authenticating with a certificate; the CA cert is useful if
-you are using a self-signed server certificate.</p>
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>Note: Support for the <code>caFile</code>, <code>certFile</code> and <code>keyFile</code> keys have
+been deprecated.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>proxySecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ProxySecretRef specifies the Secret containing the proxy configuration
+to use while communicating with the container registry.</p>
 </td>
 </tr>
 <tr>
@@ -2979,7 +3393,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>The interval at which to check for image updates.</p>
+<p>Interval at which the OCIRepository URL is checked for updates.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -3175,54 +3591,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </table>
 </div>
 </div>
-<h3 id="source.toolkit.fluxcd.io/v1beta2.OCIRepositoryVerification">OCIRepositoryVerification
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#source.toolkit.fluxcd.io/v1beta2.HelmChartSpec">HelmChartSpec</a>, 
-<a href="#source.toolkit.fluxcd.io/v1beta2.OCIRepositorySpec">OCIRepositorySpec</a>)
-</p>
-<p>OCIRepositoryVerification verifies the authenticity of an OCI Artifact</p>
-<div class="md-typeset__scrollwrap">
-<div class="md-typeset__table">
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>provider</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-<p>Provider specifies the technology used to sign the OCI Artifact.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>secretRef</code><br>
-<em>
-<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
-github.com/fluxcd/pkg/apis/meta.LocalObjectReference
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>SecretRef specifies the Kubernetes Secret containing the
-trusted public keys.</p>
-</td>
-</tr>
-</tbody>
-</table>
-</div>
-</div>
 <h3 id="source.toolkit.fluxcd.io/v1beta2.Source">Source
 </h3>
 <p>Source interface must be supported by all API types.

docs/spec/v1/README.md

@@ -6,6 +6,10 @@ This is the v1 API specification for defining the desired state sources of Kuber
 
 * Source kinds:
   + [GitRepository](gitrepositories.md)
+  + [OCIRepository](ocirepositories.md)
+  + [HelmRepository](helmrepositories.md)
+  + [HelmChart](helmcharts.md)
+  + [Bucket](buckets.md)
 
 ## Implementation
 

docs/spec/v1/gitrepositories.md

@@ -139,6 +139,14 @@ To authenticate towards a Git repository over HTTPS using bearer token
 authentication (in other words: using a `Authorization: Bearer` header), the referenced
 Secret is expected to contain the token in `.data.bearerToken`.
 
+**Note:** If you are looking to use OAuth tokens with popular servers (e.g.
+[GitHub](https://docs.github.com/en/rest/overview/authenticating-to-the-rest-api?apiVersion=2022-11-28#authenticating-with-a-token-generated-by-an-app),
+[Bitbucket](https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/),
+[GitLab](https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html#clone-using-a-token)),
+you should use basic access authentication instead. These servers use basic HTTP
+authentication, with the OAuth token as the password. Check the documentation of
+your Git server for details.
+
 ```yaml
 ---
 apiVersion: v1
@@ -153,8 +161,9 @@ data:
 #### HTTPS Certificate Authority
 
 To provide a Certificate Authority to trust while connecting with a Git
-repository over HTTPS, the referenced Secret can contain a `.data.caFile`
-value.
+repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt`
+or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys 
+are present, the value of `ca.crt` will be taken into consideration.
 
 ```yaml
 ---
@@ -165,7 +174,32 @@ metadata:
   namespace: default
 type: Opaque
 data:
-  caFile: <BASE64>
+  ca.crt: <BASE64>
+```
+
+#### HTTPS Mutual TLS authentication
+
+To authenticate towards a Git repository over HTTPS using mutual TLS,
+the referenced Secret's `.data` should contain the following keys:
+
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+  for TLS client authentication. These must be used in conjunction, i.e.
+  specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+  required if the server is using a self-signed certificate.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: https-tls-certs
+  namespace: default
+type: Opaque
+data:
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
+  ca.crt: <BASE64>
 ```
 
 #### SSH authentication
@@ -203,6 +237,153 @@ For password-protected SSH private keys, the password must be provided
 via an additional `password` field in the secret. Flux CLI also supports
 this via the `--password` flag.
 
+### Provider
+
+`.spec.provider` is an optional field that allows specifying an OIDC provider
+used for authentication purposes.
+
+Supported options are:
+
+- `generic`
+- `azure`
+- `github`
+
+When provider is not specified, it defaults to `generic` indicating that
+mechanisms using `spec.secretRef` are used for authentication. 
+
+For a complete guide on how to set up authentication for cloud providers,
+see the integration [docs](/flux/integrations/).
+
+#### Azure
+
+The `azure` provider can be used to authenticate to Azure DevOps repositories
+automatically using Workload Identity. 
+
+##### Pre-requisites
+
+- Ensure that your Azure DevOps Organization is
+  [connected](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops)
+  to Microsoft Entra.
+- Ensure Workload Identity is properly [set up on your
+  cluster](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#create-an-aks-cluster).
+
+##### Configure Flux controller
+
+- Create a managed identity to access Azure DevOps. Establish a federated
+  identity credential between the managed identity and the source-controller
+  service account. In the default installation, the source-controller service
+  account is located in the `flux-system` namespace with name
+  `source-controller`. Ensure the federated credential uses the correct
+  namespace and name of the source-controller service account. For more details,
+  please refer to this
+  [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+
+- Add the managed identity to the Azure DevOps organization as a user. Ensure
+  that the managed identity has the necessary permissions to access the Azure
+  DevOps repository as described
+  [here](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#2-add-and-manage-service-principals-in-an-azure-devops-organization).
+
+- Add the following patch to your bootstrap repository in
+  `flux-system/kustomization.yaml` file:
+
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
+
+**Note:** When azure `provider` is used with `GitRepository`, the `.spec.url`
+must follow this format:
+
+```
+https://dev.azure.com/{your-organization}/{your-project}/_git/{your-repository}
+```
+#### GitHub
+
+The `github` provider can be used to authenticate to Git repositories using
+[GitHub Apps](https://docs.github.com/en/apps/overview).
+
+##### Pre-requisites
+
+- [Register](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app)
+  the GitHub App with the necessary permissions and [generate a private
+  key](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps)
+  for the app. 
+
+- [Install](https://docs.github.com/en/apps/using-github-apps/installing-your-own-github-app)
+  the app in the organization/account configuring access to the necessary
+  repositories.
+
+##### Configure GitHub App secret
+
+The GitHub App information is specified in `.spec.secretRef` in the format
+specified below:
+
+- Get the App ID from the app settings page at
+  `https://github.com/settings/apps/<app-name>`. 
+- Get the App Installation ID from the app installations page at
+`https://github.com/settings/installations`. Click the installed app, the URL
+will contain the installation ID
+`https://github.com/settings/installations/<installation-id>`. For
+organizations, the first part of the URL may be different, but it follows the
+same pattern.
+- The private key that was generated in the pre-requisites.
+- (Optional) GitHub Enterprise Server users can set the base URL to
+  `http(s)://HOSTNAME/api/v3`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-sa
+type: Opaque
+stringData:
+  githubAppID: "<app-id>"
+  githubAppInstallationID: "<app-installation-id>"
+  githubAppPrivateKey: |
+    -----BEGIN RSA PRIVATE KEY-----
+    ...
+    -----END RSA PRIVATE KEY-----
+  githubAppBaseURL: "<github-enterprise-api-url>" #optional, required only for GitHub Enterprise Server users
+```
+
+Alternatively, the Flux CLI can be used to automatically create the secret with
+the github app authentication information.
+
+```sh
+flux create secret githubapp ghapp-secret \
+    --app-id=1 \
+    --app-installation-id=3 \
+    --app-private-key=~/private-key.pem    
+```
+
 ### Interval
 
 `.spec.interval` is a required field that specifies the interval at which the
@@ -216,6 +397,11 @@ e.g. `10m0s` to reconcile the object every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. a change to
 the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple GitRepository objects are
+set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### Timeout
 
 `.spec.timeout` is an optional field to specify a timeout for Git operations
@@ -311,6 +497,12 @@ Valid examples are: `refs/heads/main`, `refs/tags/v0.1.0`, `refs/pull/420/head`,
 This field takes precedence over [`.branch`](#branch-example),
 [`.tag`](#tag-example), and [`.semver`](#semver-example).
 
+**Note:** Azure DevOps and AWS CodeCommit do not support fetching the HEAD of
+a pull request. While Azure DevOps allows you to fetch the merge commit that
+will be created after merging a PR (using `refs/pull/<id>/merge`), this field
+can only be used to fetch references that exist in the current state of the Git
+repository and not references that will be created in the future.
+
 #### Commit example
 
 To Git checkout a specified commit, use `.spec.ref.commit`:
@@ -347,8 +539,17 @@ spec:
 `.spec.verify` is an optional field to enable the verification of Git commit
 signatures. The field offers two subfields:
 
-- `.mode`, to specify what Git commit object should be verified. Only supports
-  `head` at present.
+- `.mode`, to specify what Git object(s) should be verified. Supported
+  values are:
+  - `HEAD`: Verifies the commit object pointed to by the HEAD of the repository
+     after performing a checkout via `.spec.ref`.
+  - `head`: Same as `HEAD`, supported for backwards compatibility purposes.
+  - `Tag`: Verifies the tag object pointed to by the specified/inferred tag
+     reference in `.spec.ref.tag`, `.spec.ref.semver` or `.spec.ref.name`.
+  - `TagAndHEAD`: Verifies the tag object pointed to by the specified/inferred tag
+     reference in `.spec.ref.tag`, `.spec.ref.semver` or `.spec.ref.name` and
+     the commit object pointed to by the tag.
+
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
   the GitRepository. Containing the (PGP) public keys of trusted Git authors.
 
@@ -365,7 +566,7 @@ spec:
   ref:
     branch: master
   verify:
-    mode: head
+    mode: HEAD
     secretRef:
       name: pgp-public-keys
 ```
@@ -417,6 +618,28 @@ list](#default-exclusions), and may overrule the [`.sourceignore` file
 exclusions](#sourceignore-file). See [excluding files](#excluding-files)
 for more information.
 
+### Sparse checkout
+
+`.spec.sparseCheckout` is an optional field to specify list of directories to
+checkout when cloning the repository. If specified, only the specified directory
+contents will be present in the artifact produced for this repository.
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    branch: master
+  sparseCheckout:
+  - charts
+  - kustomize
+```
+
 ### Suspend
 
 `.spec.suspend` is an optional field to suspend the reconciliation of a
@@ -425,28 +648,54 @@ GitRepository, and changes to the resource or in the Git repository will not
 result in a new Artifact. When the field is set to `false` or removed, it will
 resume.
 
-#### Optimized Git clones
+### Proxy secret reference
 
-Optimized Git clones decreases resource utilization for GitRepository
-reconciliations.
+`.spec.proxySecretRef.name` is an optional field used to specify the name of a
+Secret that contains the proxy settings for the object. These settings are used
+for all remote Git operations related to the GitRepository.
+The Secret can contain three keys:
 
-When enabled, it avoids full Git clone operations by first checking whether
-the revision of the last stored artifact is still the head of the remote
-repository and none of the other factors that contribute to a change in the
-artifact, like ignore rules and included repositories, have changed. If that is
-so, the reconciliation is skipped. Else, a full reconciliation is performed as
-usual.
+- `address`, to specify the address of the proxy server. This is a required key.
+- `username`, to specify the username to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+- `password`, to specify the password to use if the proxy server is protected by
+   basic authentication. This is an optional key.
 
-This feature is enabled by default. It can be disabled by starting the
-controller with the argument `--feature-gates=OptimizedGitClones=false`.
+The proxy server must be either HTTP/S or SOCKS5. You can use a SOCKS5 proxy
+with a HTTP/S Git repository url.
 
-NB: GitRepository objects configured for SemVer or Commit clones are
-not affected by this functionality.
+Examples:
 
-#### Proxy support
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: http-proxy
+type: Opaque
+stringData:
+  address: http://proxy.com
+  username: mandalorian
+  password: grogu
+```
 
-When a proxy is configured in the source-controller Pod through the appropriate
-environment variables, for example `HTTPS_PROXY`, `NO_PROXY`, etc.
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ssh-proxy
+type: Opaque
+stringData:
+  address: socks5://proxy.com
+  username: mandalorian
+  password: grogu
+```
+
+Proxying can also be configured in the source-controller Deployment directly by
+using the standard environment variables such as `HTTPS_PROXY`, `ALL_PROXY`, etc.
+
+`.spec.proxySecretRef.name` takes precedence over all environment variables.
 
 ### Recurse submodules
 
@@ -933,6 +1182,36 @@ status:
   ...
 ```
 
+### Observed Sparse Checkout
+
+The source-controller reports observed sparse checkout in the GitRepository's
+`.status.observedSparseCheckout`. The observed sparse checkout is the latest
+`.spec.sparseCheckout` value which resulted in a [ready
+state](#ready-gitrepository), or stalled due to error it can not recover from
+without human intervention. The value is the same as the [sparseCheckout in
+spec](#sparse-checkout). It indicates the sparse checkout configuration used in
+building the current artifact in storage. It is also used by the controller to
+determine if an artifact needs to be rebuilt.
+
+Example:
+```yaml
+status:
+  ...
+  observedSparseCheckout:
+  - charts
+  - kustomize
+  ...
+```
+
+### Source Verification Mode
+
+The source-controller reports the Git object(s) it verified in the Git
+repository to create an artifact in the GitRepository's
+`.status.sourceVerificationMode`. This value is the same as the [verification
+mode in spec](#verification). The verification status is applicable only to the
+latest Git repository revision used to successfully build and store an
+artifact.
+
 ### Observed Generation
 
 The source-controller reports an [observed generation][typical-status-properties]

docs/spec/v1/helmcharts.md

@@ -0,0 +1,865 @@
+# Helm Charts
+
+<!-- menuweight:50 -->
+
+The `HelmChart` API defines a Source to produce an Artifact for a Helm chart
+archive with a set of specific configurations.
+
+## Example
+
+The following is an example of a HelmChart. It fetches and/or packages a Helm
+chart and exposes it as a tarball (`.tgz`) Artifact for the specified
+configuration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  chart: podinfo
+  reconcileStrategy: ChartVersion
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo
+  version: '5.*'
+```
+
+In the above example:
+
+- A HelmChart named `podinfo` is created, indicated by the `.metadata.name`
+  field.
+- The source-controller fetches the Helm chart every five minutes from the
+  `podinfo` HelmRepository source reference, indicated by the
+  `.spec.sourceRef.kind` and `.spec.sourceRef.name` fields.
+- The fetched Helm chart version is the latest available chart
+  version in the range specified in `spec.version`. This version is also used as
+  Artifact revision, reported in-cluster in the `.status.artifact.revision`
+  field.
+- When the current Helm Chart version differs from the latest available chart
+  in the version range, it is fetched and/or packaged as a new Artifact.
+- The new Artifact is reported in the `.status.artifact` field.
+
+You can run this example by saving the manifest into `helmchart.yaml`.
+
+**Note:** HelmChart is usually used by the helm-controller. Based on the
+HelmRelease configuration, an associated HelmChart is created by the 
+helm-controller.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmchart.yaml
+   ```
+
+2. Run `kubectl get helmchart` to see the HelmChart:
+
+   ```console
+   NAME      CHART     VERSION   SOURCE KIND      SOURCE NAME   AGE   READY   STATUS                                     
+   podinfo   podinfo   5.*       HelmRepository   podinfo       53s   True    pulled 'podinfo' chart with version '5.2.1'
+   ```
+
+3. Run `kubectl describe helmchart podinfo` to see the [Artifact](#artifact) and
+   [Conditions](#conditions) in the HelmChart's Status:
+
+   ```console
+   Status:
+     Observed Source Artifact Revision:  sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+     Artifact:
+       Digest:            sha256:6c3cc3b955bce1686036ae6822ee2ca0ef6ecb994e3f2d19eaf3ec03dcba84b3
+       Last Update Time:  2022-02-13T11:24:10Z
+       Path:              helmchart/default/podinfo/podinfo-5.2.1.tgz
+       Revision:          5.2.1
+       Size:              14166
+       URL:               http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/podinfo-5.2.1.tgz
+     Conditions:
+       Last Transition Time:  2022-02-13T11:24:10Z
+       Message:               pulled 'podinfo' chart with version '5.2.1'
+       Observed Generation:   1
+       Reason:                ChartPullSucceeded
+       Status:                True
+       Type:                  Ready
+       Last Transition Time:  2022-02-13T11:24:10Z
+       Message:               pulled 'podinfo' chart with version '5.2.1'
+       Observed Generation:   1
+       Reason:                ChartPullSucceeded
+       Status:                True
+       Type:                  ArtifactInStorage
+     Observed Chart Name:     podinfo
+     Observed Generation:     1
+     URL:                     http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/latest.tar.gz
+   Events:
+     Type    Reason              Age    From               Message
+     ----    ------              ----   ----               -------
+     Normal  ChartPullSucceeded  2m51s  source-controller  pulled 'podinfo' chart with version '5.2.1'
+   ```
+
+## Writing a HelmChart spec
+
+As with all other Kubernetes config, a HelmChart needs `apiVersion`, `kind`, and
+`metadata` fields. The name of a HelmChart object must be a valid 
+[DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+A HelmChart also needs a
+[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+
+### Source reference
+
+`.spec.sourceRef` is a required field that specifies a reference to the Source
+the chart is available at.
+
+Supported references are:
+- [`HelmRepository`](helmrepositories.md)
+- [`GitRepository`](gitrepositories.md)
+- [`Bucket`](buckets.md)
+
+Although there are three kinds of source references, there are only two
+underlying implementations. The artifact building process for `GitRepository`
+and `Bucket` are the same as they are already built source artifacts. In case
+of `HelmRepository`, a chart is fetched and/or packaged based on the
+configuration of the Helm chart.
+
+For a `HelmChart` to be reconciled, the associated artifact in the source
+reference must be ready. If the source artifact is not ready, the `HelmChart`
+reconciliation is retried.
+
+When the `metadata.generation` of the `HelmChart` don't match with the
+`status.observedGeneration`, the chart is fetched from source and/or packaged.
+If there's no `.spec.valuesFiles` specified, the chart is only fetched from the
+source, and not packaged. If `.spec.valuesFiles` are specified, the chart is
+fetched and packaged with the values files. When the `metadata.generation`
+matches the `status.observedGeneration`, the chart is only fetched from source
+or from the cache if available, and not packaged.
+
+When using a `HelmRepository` source reference, the secret reference defined in
+the Helm repository is used to fetch the chart.
+
+The HelmChart reconciliation behavior varies depending on the source reference
+kind, see [reconcile strategy](#reconcile-strategy).
+
+The attributes of the generated artifact also varies depending on the source
+reference kind, see [artifact](#artifact).
+
+### Chart
+
+`.spec.chart` is a required field that specifies the name or path the Helm chart
+is available at in the [Source reference](#source-reference).
+
+For `HelmRepository` Source reference, it'll be just the name of the chart.
+
+```yaml
+spec:
+  chart: podinfo
+  sourceRef:
+    name: podinfo
+    kind: HelmRepository
+```
+
+For `GitRepository` and `Bucket` Source reference, it'll be the path to the
+Helm chart directory.
+
+```yaml
+spec:
+  chart: ./charts/podinfo
+  sourceRef:
+    name: podinfo
+    kind: <GitRepository|Bucket>
+```
+
+### Version
+
+`.spec.version` is an optional field to specify the version of the chart in
+semver. It is applicable only when the Source reference is a `HelmRepository`.
+It is ignored for `GitRepository` and `Bucket` Source reference. It defaults to
+the latest version of the chart with value `*`.
+
+Version can be a fixed semver, minor or patch semver range of a specific
+version (i.e. `4.0.x`) or any semver range (i.e. `>=4.0.0 <5.0.0`).
+
+### Values files
+
+`.spec.valuesFiles` is an optional field to specify an alternative list of
+values files to use as the chart values (values.yaml). The file paths are
+expected to be relative to the Source reference. Values files are merged in the
+order of the list with the last file overriding the first. It is ignored when
+omitted. When values files are specified, the chart is fetched and packaged
+with the provided values.
+
+```yaml
+spec:
+  chart:
+    spec:
+      chart: podinfo
+      ...
+      valuesFiles:
+        - values.yaml
+        - values-production.yaml
+```
+
+Values files also affect the generated artifact revision, see
+[artifact](#artifact).
+
+### Ignore missing values files
+
+`.spec.ignoreMissingValuesFiles` is an optional field to specify whether missing
+values files should be ignored rather than be considered errors.  It defaults to
+`false`.
+
+When `.spec.valuesFiles` and  `.spec.ignoreMissingValuesFiles` are specified,
+the `.status.observedValuesFiles` field is populated with the list of values
+files that were found and actually contributed to the packaged chart.
+
+### Reconcile strategy
+
+`.spec.reconcileStrategy` is an optional field to specify what enables the
+creation of a new Artifact. Valid values are `ChartVersion` and `Revision`.
+`ChartVersion` is used for creating a new artifact when the chart version
+changes in a `HelmRepository`. `Revision` is used for creating a new artifact
+when the source revision changes in a `GitRepository` or a `Bucket` Source. It
+defaults to `ChartVersion`.
+
+**Note:** If the reconcile strategy is `ChartVersion` and the source reference
+is a `GitRepository` or a `Bucket`, no new chart artifact is produced on updates
+to the source unless the `version` in `Chart.yaml` is incremented. To produce
+new chart artifact on change in source revision, set the reconcile strategy to
+`Revision`.
+
+Reconcile strategy also affects the artifact version, see [artifact](#artifact)
+for more details.
+
+### Interval
+
+`.spec.interval` is a required field that specifies the interval at which the
+Helm Chart source must be checked for updates.
+
+After successfully reconciling a HelmChart object, the source-controller
+requeues the object for inspection after the specified interval. The value must
+be in a [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `10m0s` to look at the source for updates every 10 minutes.
+
+If the `.metadata.generation` of a resource changes (due to e.g. applying a
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmChart objects are set
+up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
+### Suspend
+
+`.spec.suspend` is an optional field to suspend the reconciliation of a
+HelmChart. When set to `true`, the controller will stop reconciling the
+HelmChart, and changes to the resource or the Helm chart Source will not result
+in a new Artifact. When the field is set to `false` or removed, it will resume.
+
+For practical information, see
+[suspending and resuming](#suspending-and-resuming).
+
+### Verification
+
+**Note:** This feature is available only for Helm charts fetched from an OCI Registry.
+
+`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign) or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
+
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
+- `.secretRef.name`, to specify a reference to a Secret in the same namespace as
+  the HelmChart, containing the public keys of trusted authors. For Notation this Secret should also include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-public-keys
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+##### Public keys verification
+
+To verify the authenticity of HelmChart hosted in an OCI Registry, create a Kubernetes
+secret with the Cosign public keys:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cosign-public-keys
+type: Opaque
+data:
+  key1.pub: <BASE64>
+  key2.pub: <BASE64>
+```
+
+Note that the keys must have the `.pub` extension for Flux to make use of them.
+
+Flux will loop over the public keys and use them to verify a HelmChart's signature.
+This allows for older HelmCharts to be valid as long as the right key is in the secret.
+
+##### Keyless verification
+
+For publicly available HelmCharts, which are signed using the
+[Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
+you can enable the verification by omitting the `.verify.secretRef` field.
+
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
+Example of verifying  HelmCharts signed by the
+[Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  interval: 5m
+  chart: podinfo
+  reconcileStrategy: ChartVersion
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo
+  version: ">=6.1.6"
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
+```
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+spec:
+  interval: 1m0s
+  url: oci://ghcr.io/stefanprodan/charts
+  type: "oci"
+```
+
+The controller verifies the signatures using the Fulcio root CA and the Rekor
+instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
+
+Note that keyless verification is an **experimental feature**, using
+custom root CAs or self-hosted Rekor instances are not currently supported.
+
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
+## Working with HelmCharts
+
+### Triggering a reconcile
+
+To manually tell the source-controller to reconcile a HelmChart outside the
+[specified interval window](#interval), a HelmCHart can be annotated with
+`reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
+queues the object for reconciliation if the `<arbitrary-value>` differs from
+the last value the controller acted on, as reported in
+[`.status.lastHandledReconcileAt`](#last-handled-reconcile-at).
+
+Using `kubectl`:
+
+```sh
+kubectl annotate --field-manager=flux-client-side-apply --overwrite helmchart/<chart-name> reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+### Waiting for `Ready`
+
+When a change is applied, it is possible to wait for the HelmChart to reach a
+[ready state](#ready-helmchart) using `kubectl`:
+
+```sh
+kubectl wait helmchart/<chart-name> --for=condition=ready --timeout=1m
+```
+
+### Suspending and resuming
+
+When you find yourself in a situation where you temporarily want to pause the
+reconciliation of a HelmChart, you can suspend it using the
+[`.spec.suspend` field](#suspend).
+
+#### Suspend a HelmChart
+
+In your YAML declaration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+spec:
+  suspend: true
+```
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmchart <chart-name> --field-manager=flux-client-side-apply -p '{\"spec\": {\"suspend\" : true }}'
+```
+
+**Note:** When a HelmChart has an Artifact and is suspended, and this
+Artifact later disappears from the storage due to e.g. the source-controller
+Pod being evicted from a Node, this will not be reflected in the
+HelmChart's Status until it is resumed.
+
+#### Resume a HelmChart
+
+In your YAML declaration, comment out (or remove) the field:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+spec:
+  # suspend: true
+```
+
+**Note:** Setting the field value to `false` has the same effect as removing
+it, but does not allow for "hot patching" using e.g. `kubectl` while practicing
+GitOps; as the manually applied patch would be overwritten by the declared
+state in Git.
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmchart <chart-name> --field-manager=flux-client-side-apply -p '{\"spec\" : {\"suspend\" : false }}'
+```
+
+### Debugging a HelmChart
+
+There are several ways to gather information about a HelmChart for debugging
+purposes.
+
+#### Describe the HelmChart
+
+Describing a HelmChart using `kubectl describe helmchart <chart-name>` displays
+the latest recorded information for the resource in the `Status` and `Events`
+sections:
+
+```console
+...
+Status:
+...
+  Conditions:
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   True
+    Type:                     Stalled
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   False
+    Type:                     Ready
+    Last Transition Time:     2022-02-13T14:06:27Z
+    Message:                  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+    Observed Generation:      3
+    Reason:                   InvalidChartReference
+    Status:                   True
+    Type:                     FetchFailed
+  Last Handled Reconcile At:  1644759954
+  Observed Chart Name:        podinfo
+  Observed Generation:        3
+  URL:                        http://source-controller.flux-system.svc.cluster.local./helmchart/default/podinfo/latest.tar.gz
+Events:
+  Type     Reason                      Age                  From               Message
+  ----     ------                      ----                 ----               -------
+  Warning  InvalidChartReference       11s                  source-controller  invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with ver
+sion matching '9.*' found
+```
+
+#### Trace emitted Events
+
+To view events for specific HelmChart(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
+
+```sh
+kubectl events --for HelmChart/<chart-name>
+```
+
+lists
+
+```console
+LAST SEEN   TYPE      REASON                       OBJECT                   MESSAGE
+22s         Warning   InvalidChartReference        helmchart/<chart-name>   invalid chart reference: failed to get chart version for remote reference: no 'podinfo' chart with version matching '9.*' found
+2s          Normal    ChartPullSucceeded           helmchart/<chart-name>   pulled 'podinfo' chart with version '6.0.3'
+2s          Normal    ArtifactUpToDate             helmchart/<chart-name>   artifact up-to-date with remote revision: '6.0.3'
+```
+
+Besides being reported in Events, the reconciliation errors are also logged by
+the controller. The Flux CLI offer commands for filtering the logs for a
+specific HelmChart, e.g. `flux logs --level=error --kind=HelmChart --name=<chart-name>`.
+
+### Improving resource consumption by enabling the cache
+
+When using a `HelmRepository` as Source for a `HelmChart`, the controller loads
+the repository index in memory to find the latest version of the chart.
+
+The controller can be configured to cache Helm repository indexes in memory.
+The cache is used to avoid loading repository indexes for every `HelmChart`
+reconciliation.
+
+The following flags are provided to enable and configure the cache:
+- `helm-cache-max-size`: The maximum size of the cache in number of indexes.
+  If `0`, then the cache is disabled.
+- `helm-cache-ttl`: The TTL of an index in the cache.
+- `helm-cache-purge-interval`: The interval at which the cache is purged of
+  expired items. 
+
+The caching strategy is to pull a repository index from the cache if it is 
+available, otherwise to load the index, retrieve and build the chart,
+then cache the index. The cached index TTL is refreshed every time the
+Helm repository index is loaded with the `helm-cache-ttl` value.
+
+The cache is purged of expired items every `helm-cache-purge-interval`.
+
+When the cache is full, no more items can be added to the cache, and the
+source-controller will report a warning event instead.
+
+In order to use the cache, set the related flags in the source-controller
+Deployment config:
+
+```yaml
+    spec:
+      containers:
+      - args:
+        - --watch-all-namespaces
+        - --log-level=info
+        - --log-encoding=json
+        - --enable-leader-election
+        - --storage-path=/data
+        - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
+        ## Helm cache with up to 10 items, i.e. 10 indexes.
+        - --helm-cache-max-size=10
+        ## TTL of an index is 1 hour.
+        - --helm-cache-ttl=1h
+        ## Purge expired index every 10 minutes.
+        - --helm-cache-purge-interval=10m
+```
+
+## HelmChart Status
+
+### Artifact
+
+The HelmChart reports the last built chart as an Artifact object in the
+`.status.artifact` of the resource.
+
+The Artifact file is a gzip compressed TAR archive (`<chart-name>-<chart-version>.tgz`),
+and can be retrieved in-cluster from the `.status.artifact.url` HTTP address.
+
+#### Artifact example
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:e30b95a08787de69ffdad3c232d65cfb131b5b50c6fd44295f48a078fceaa44e
+    lastUpdateTime: "2022-02-10T18:53:47Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
+    revision: 6.0.3
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-<chart-version>.tgz
+```
+
+When using a `HelmRepository` as the source reference and values files are
+provided, the value of `status.artifact.revision` is the chart version combined
+with the `HelmChart` object generation. For example, if the chart version is
+`6.0.3` and the `HelmChart` object generation is `1`, the
+`status.artifact.revision` value will be `6.0.3+1`.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:ee68224ded207ebb18a8e9730cf3313fa6bc1f31e6d8d3943ab541113559bb52
+    lastUpdateTime: "2022-02-28T08:07:12Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
+    revision: 6.0.3+1
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+1.tgz
+  observedGeneration: 1
+  ...
+```
+
+When using a `GitRepository` or a `Bucket` as the source reference and
+`Revision` as the reconcile strategy, the value of `status.artifact.revision` is
+the chart version combined with the first 12 characters of the revision of the
+`GitRepository` or `Bucket`. For example if the chart version is `6.0.3` and the
+revision of the `Bucket` is `4e5cbb7b97d00a8039b8810b90b922f4256fd3bd8f78b934b4892dae13f7ca87`,
+the `status.artifact.revision` value will be `6.0.3+4e5cbb7b97d0`.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: <chart-name>
+status:
+  artifact:
+    digest: sha256:8d1f0ac3f4b0e8759a32180086f17ac87ca04e5d46c356e67f97e97616ef4718
+    lastUpdateTime: "2022-02-28T08:07:12Z"
+    path: helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
+    revision: 6.0.3+4e5cbb7b97d0
+    size: 14166
+    url: http://source-controller.flux-system.svc.cluster.local./helmchart/<source-namespace>/<chart-name>/<chart-name>-6.0.3+4e5cbb7b97d0.tgz
+```
+
+### Conditions
+
+A HelmChart enters various states during its lifecycle, reflected as [Kubernetes
+Conditions][typical-status-properties].
+It can be [reconciling](#reconciling-helmchart) while fetching or building the
+chart,  it can be [ready](#ready-helmchart), it can
+[fail during reconciliation](#failed-helmchart), or it can
+[stall](#stalled-helmchart).
+
+The HelmChart API is compatible with the [kstatus
+specification][kstatus-spec],
+and reports `Reconciling` and `Stalled` conditions where applicable to
+provide better (timeout) support to solutions polling the HelmChart to become
+`Ready`.
+
+#### Reconciling HelmChart
+
+The source-controller marks a HelmChart as _reconciling_ when one of the
+following is true:
+
+- There is no current Artifact for the HelmChart, or the reported Artifact is
+  determined to have disappeared from the storage.
+- The generation of the HelmChart is newer than the [Observed
+  Generation](#observed-generation).
+- The newly fetched Artifact revision differs from the current Artifact.
+
+When the HelmChart is "reconciling", the `Ready` Condition status becomes
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmChart's `.status.conditions`:
+
+- `type: Reconciling`
+- `status: "True"`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
+
+If the reconciling state is due to a new version, it adds an additional
+Condition with the following attributes:
+
+- `type: ArtifactOutdated`
+- `status: "True"`
+- `reason: NewChart`
+
+Both Conditions have a ["negative polarity"][typical-status-properties],
+and are only present on the HelmChart while their status value is `"True"`.
+
+#### Ready HelmChart
+
+The source-controller marks a HelmChart as _ready_ when it has the following
+characteristics:
+
+- The HelmChart reports an [Artifact](#artifact).
+- The reported Artifact exists in the controller's Artifact storage.
+- The controller was able to fetch and build the Helm chart using the current
+  spec.
+- The version/revision of the reported Artifact is up-to-date with the
+  latest version/revision of the Helm chart.
+
+When the HelmChart is "ready", the controller sets a Condition with the
+following attributes in the HelmChart's `.status.conditions`:
+
+- `type: Ready`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `Ready` Condition will retain a status value of `"True"` until the
+HelmChart is marked as [reconciling](#reconciling-helmchart), or e.g.
+a [transient error](#failed-helmchart) occurs due to a temporary network issue.
+
+When the HelmChart Artifact is archived in the controller's Artifact
+storage, the controller sets a Condition with the following attributes in the
+HelmChart's `.status.conditions`:
+
+- `type: ArtifactInStorage`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `ArtifactInStorage` Condition will retain a status value of `"True"` until
+the Artifact in the storage no longer exists.
+
+#### Failed HelmChart
+
+The source-controller may get stuck trying to produce an Artifact for a
+HelmChart without completing. This can occur due to some of the following
+factors:
+
+- The Helm chart Source is temporarily unavailable.
+- The credentials in the [Source reference](#source-reference) Secret are
+  invalid.
+- The HelmChart spec contains a generic misconfiguration.
+- A storage related failure when storing the artifact.
+
+When this happens, the controller sets the `Ready` Condition status to `False`,
+and adds a Condition with the following attributes to the HelmChart's
+`.status.conditions`:
+
+- `type: FetchFailed` | `type: StorageOperationFailed`
+- `status: "True"`
+- `reason: AuthenticationFailed` | `reason: StorageOperationFailed` | `reason: URLInvalid` | `reason: IllegalPath` | `reason: Failed`
+
+This condition has a ["negative polarity"][typical-status-properties],
+and is only present on the HelmChart while the status value is `"True"`.
+There may be more arbitrary values for the `reason` field to provide accurate
+reason for a condition.
+
+While the HelmChart has this Condition, the controller will continue to
+attempt to produce an Artifact for the resource with an exponential backoff,
+until it succeeds and the HelmChart is marked as [ready](#ready-helmchart).
+
+Note that a HelmChart can be [reconciling](#reconciling-helmchart)
+while failing at the same time, for example due to a newly introduced
+configuration issue in the HelmChart spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
+
+#### Stalled HelmChart
+
+The source-controller can mark a HelmChart as _stalled_ when it determines that
+without changes to the spec, the reconciliation can not succeed.
+For example because a HelmChart Version is set to a non-existing version.
+
+When this happens, the controller sets the same Conditions as when it
+[fails](#failed-helmchart), but adds another Condition with the following
+attributes to the HelmChart's `.status.conditions`:
+
+- `type: Stalled`
+- `status: "True"`
+- `reason: InvalidChartReference`
+
+While the HelmChart has this Condition, the controller will not requeue the
+resource any further, and will stop reconciling the resource until a change to
+the spec is made.
+
+### Observed Source Artifact Revision
+
+The source-controller reports the revision of the last
+[Source reference's](#source-reference) Artifact the current chart was fetched
+from in the HelmChart's `.status.observedSourceArtifactRevision`. It is used to
+keep track of the source artifact revision and detect when a new source
+artifact is available.
+
+### Observed Chart Name
+
+The source-controller reports the last resolved chart name of the Artifact
+for the [`.spec.chart` field](#chart) in the HelmChart's
+`.status.observedChartName`. It is used to keep track of the chart and detect
+when a new chart is found.
+
+### Observed Generation
+
+The source-controller reports an [observed generation][typical-status-properties]
+in the HelmChart's `.status.observedGeneration`. The observed generation is the
+latest `.metadata.generation` which resulted in either a [ready state](#ready-helmchart),
+or stalled due to error it can not recover from without human
+intervention.
+
+### Last Handled Reconcile At
+
+The source-controller reports the last `reconcile.fluxcd.io/requestedAt`
+annotation value it acted on in the `.status.lastHandledReconcileAt` field.
+
+For practical information about this field, see [triggering a
+reconcile](#triggering-a-reconcile).
+
+[typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+[kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1/helmrepositories.md

@@ -0,0 +1,878 @@
+# Helm Repositories
+
+<!-- menuweight:40 -->
+
+There are 2 [Helm repository types](#type) defined by the `HelmRepository` API:
+- Helm HTTP/S repository, which defines a Source to produce an Artifact for a Helm
+repository index YAML (`index.yaml`). 
+- OCI Helm repository, which defines a source that does not produce an Artifact.
+  It's a data container to store the information about the OCI repository that
+  can be used by [HelmChart](helmcharts.md) to access OCI Helm charts.
+
+## Examples
+
+### Helm HTTP/S repository
+
+The following is an example of a HelmRepository. It creates a YAML (`.yaml`)
+Artifact from the fetched Helm repository index (in this example the [podinfo
+repository](https://github.com/stefanprodan/podinfo)):
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://stefanprodan.github.io/podinfo
+```
+
+In the above example:
+
+- A HelmRepository named `podinfo` is created, indicated by the
+  `.metadata.name` field.
+- The source-controller fetches the Helm repository index YAML every five
+  minutes from `https://stefanprodan.github.io/podinfo`, indicated by the
+  `.spec.interval` and `.spec.url` fields.
+- The digest (algorithm defaults to SHA256) of the Helm repository index after
+  stable sorting the entries is used as Artifact revision, reported in-cluster
+  in the `.status.artifact.revision` field.
+- When the current HelmRepository revision differs from the latest fetched 
+  revision, it is stored as a new Artifact.
+- The new Artifact is reported in the `.status.artifact` field.
+
+You can run this example by saving the manifest into `helmrepository.yaml`.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmrepository.yaml
+   ```
+
+2. Run `kubectl get helmrepository` to see the HelmRepository:
+
+   ```console
+   NAME      URL                                      AGE   READY   STATUS                                                                                         
+   podinfo   https://stefanprodan.github.io/podinfo   4s    True    stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+   ```
+
+3. Run `kubectl describe helmrepository podinfo` to see the [Artifact](#artifact)
+   and [Conditions](#conditions) in the HelmRepository's Status:
+
+   ```console
+   ...
+   Status:
+     Artifact:
+       Digest:            sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Last Update Time:  2022-02-04T09:55:58Z
+       Path:              helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+       Revision:          sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+       Size:              40898
+       URL:               http://source-controller.flux-system.svc.cluster.local./helmrepository/default/podinfo/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+     Conditions:
+       Last Transition Time:  2022-02-04T09:55:58Z
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Observed Generation:   1
+       Reason:                Succeeded
+       Status:                True
+       Type:                  Ready
+       Last Transition Time:  2022-02-04T09:55:58Z
+       Message:               stored artifact for revision 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+       Observed Generation:   1
+       Reason:                Succeeded
+       Status:                True
+       Type:                  ArtifactInStorage
+     Observed Generation:     1
+     URL:                     http://source-controller.flux-system.svc.cluster.local./helmrepository/default/podinfo/index.yaml
+   Events:
+     Type    Reason                      Age                From               Message
+     ----    ------                      ----               ----               -------
+     Normal  NewArtifact                 1m                 source-controller  fetched index of size 30.88kB from 'https://stefanprodan.github.io/podinfo'
+   ```
+
+### Helm OCI repository
+
+The following is an example of an OCI HelmRepository.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  type: "oci"
+  interval: 5m0s
+  url: oci://ghcr.io/stefanprodan/charts
+```
+
+In the above example:
+
+- A HelmRepository named `podinfo` is created, indicated by the
+  `.metadata.name` field.
+- A HelmChart that refers to this HelmRepository uses the URL in the `.spec.url`
+  field to access the OCI Helm chart.
+
+**NOTE:** The `.spec.interval` field is only used by the `default` Helm
+repository and is ignored for any value in `oci` Helm repository.
+
+You can run this example by saving the manifest into `helmrepository.yaml`.
+
+1. Apply the resource on the cluster:
+
+   ```sh
+   kubectl apply -f helmrepository.yaml
+   ```
+
+2. Run `kubectl get helmrepository` to see the HelmRepository:
+
+   ```console
+   NAME      URL                                 AGE     READY   STATUS
+   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s
+   ```
+
+Because the OCI Helm repository is a data container, there's nothing to report
+for `READY` and `STATUS` columns above. The existence of the object can be
+considered to be ready for use.
+
+## Writing a HelmRepository spec
+
+As with all other Kubernetes config, a HelmRepository needs `apiVersion`,
+`kind`, and `metadata` fields. The name of a HelmRepository object must be a
+valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-with-objects/names#dns-subdomain-names).
+
+A HelmRepository also needs a
+[`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
+
+### Type
+
+`.spec.type` is an optional field that specifies the Helm repository type. 
+
+Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
+
+### Provider
+
+`.spec.provider` is an optional field that allows specifying an OIDC provider used
+for authentication purposes.
+
+Supported options are:
+- `generic`
+- `aws`
+- `azure`
+- `gcp`
+
+The `generic` provider can be used for public repositories or when static credentials
+are used for authentication. If you do not specify `.spec.provider`, it defaults
+to `generic`.
+
+**Note**: The provider field is supported only for Helm OCI repositories. The `spec.type`
+field must be set to `oci`.
+
+#### AWS
+
+The `aws` provider can be used to authenticate automatically using the EKS worker
+node IAM role or IAM Role for Service Accounts (IRSA), and by extension gain access
+to ECR.
+
+##### EKS Worker Node IAM Role
+
+When the worker node IAM role has access to ECR, source-controller running on it
+will also have access to ECR.
+
+##### IAM Role for Service Accounts (IRSA)
+
+When using IRSA to enable access to ECR, add the following patch to your bootstrap
+repository, in the `flux-system/kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        annotations:
+          eks.amazonaws.com/role-arn: <role arn>
+    target:
+      kind: ServiceAccount
+      name: source-controller
+```
+
+Note that you can attach the AWS managed policy `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly`
+to the IAM role when using IRSA.
+
+#### Azure
+
+The `azure` provider can be used to authenticate automatically using Workload Identity and Kubelet Managed
+Identity to gain access to ACR.
+
+##### Kubelet Managed Identity
+
+When the kubelet managed identity has access to ACR, source-controller running on 
+it will also have access to ACR.
+
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
+##### Azure Workload Identity
+
+When using Workload Identity to enable access to ACR, add the following patch to
+your bootstrap repository, in the `flux-system/kustomization.yaml` file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        annotations:
+          azure.workload.identity/client-id: <AZURE_CLIENT_ID>
+        labels:
+          azure.workload.identity/use: "true"
+  - patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: source-controller
+        namespace: flux-system
+        labels:
+          azure.workload.identity/use: "true"
+      spec:
+        template:
+          metadata:
+            labels:
+              azure.workload.identity/use: "true"
+```
+
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
+a federated identity between the source-controller ServiceAccount and the
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
+above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
+
+#### GCP
+
+The `gcp` provider can be used to authenticate automatically using OAuth scopes or
+Workload Identity, and by extension gain access to GCR or Artifact Registry.
+
+##### Access Scopes
+
+When the GKE nodes have the appropriate OAuth scope for accessing GCR and Artifact Registry,
+source-controller running on it will also have access to them.
+
+##### GKE Workload Identity
+
+When using Workload Identity to enable access to GCR or Artifact Registry, add the
+following patch to your bootstrap repository, in the `flux-system/kustomization.yaml`
+file:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+        annotations:
+          iam.gke.io/gcp-service-account: <identity-name>
+    target:
+      kind: ServiceAccount
+      name: source-controller
+```
+
+The Artifact Registry service uses the permission `artifactregistry.repositories.downloadArtifacts`
+that is located under the Artifact Registry Reader role. If you are using Google Container Registry service,
+the needed permission is instead `storage.objects.list` which can be bound as part
+of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+for more information about setting up GKE Workload Identity.
+
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
+**Note**: The insecure field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
+### Interval
+
+**Note:** This field is ineffectual for [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.interval` is a an optional field that specifies the interval which the
+Helm repository index must be consulted at. When not set, the default value is
+`1m`.
+
+After successfully reconciling a HelmRepository object, the source-controller
+requeues the object for inspection after the specified interval. The value
+must be in a [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `10m0s` to fetch the HelmRepository index YAML every 10 minutes.
+
+If the `.metadata.generation` of a resource changes (due to e.g. applying a
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmRepository objects
+are set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
+### URL
+
+`.spec.url` is a required field that depending on the [type of the HelmRepository object](#type)
+specifies the HTTP/S or OCI address of a Helm repository.
+
+For OCI, the URL is expected to point to a registry repository, e.g. `oci://ghcr.io/fluxcd/source-controller`.
+
+For Helm repositories which require authentication, see [Secret reference](#secret-reference).
+
+### Timeout
+
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.timeout` is an optional field to specify a timeout for the fetch
+operation. The value must be in a
+[Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
+e.g. `1m30s` for a timeout of one minute and thirty seconds. When not set, the
+default value is `1m`.
+
+### Secret reference
+
+`.spec.secretRef.name` is an optional field to specify a name reference to a
+Secret in the same namespace as the HelmRepository, containing authentication
+credentials for the repository.
+
+#### Basic access authentication
+
+To authenticate towards a Helm repository using basic access authentication
+(in other words: using a username and password), the referenced Secret is
+expected to contain `.data.username` and `.data.password` values.
+
+For example:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://example.com
+  secretRef:
+    name: example-user
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-user
+  namespace: default
+stringData:
+  username: "user-123456"
+  password: "pass-123456"
+```
+
+OCI Helm repository example:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://ghcr.io/my-user/my-private-repo
+  type: "oci"
+  secretRef:
+    name: oci-creds
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oci-creds
+  namespace: default
+stringData:
+  username: "user-123456"
+  password: "pass-123456"
+```
+
+For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
+It is possible to create one such secret with `kubectl create secret docker-registry`
+or using the Flux CLI:
+
+```yaml
+flux create secret oci ghcr-auth \
+  --url=ghcr.io \
+  --username=flux \
+  --password=${GITHUB_PAT}
+```
+
+**Warning:** Support for specifying TLS authentication data using this API has been
+deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
+If the controller uses the secret specified by this field to configure TLS, then
+a deprecation warning will be logged.
+
+### Cert secret reference
+
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
+
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+Example usage:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: https://example.com
+  certSecretRef:
+    name: example-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-tls
+  namespace: default
+type: kubernetes.io/tls # or Opaque
+data:
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
+  # NOTE: Can be supplied without the above values
+  ca.crt: <BASE64>
+```
+
+### Pass credentials
+
+`.spec.passCredentials` is an optional field to allow the credentials from the
+[Secret reference](#secret-reference) to be passed on to a host that does not
+match the host as defined in URL. This may for example be required if the host
+advertised chart URLs in the index differ from the specified URL.
+
+Enabling this should be done with caution, as it can potentially result in
+credentials getting stolen in a man-in-the-middle attack. This feature only applies
+to HTTP/S Helm repositories.
+
+### Suspend
+
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.suspend` is an optional field to suspend the reconciliation of a
+HelmRepository. When set to `true`, the controller will stop reconciling the
+HelmRepository, and changes to the resource or the Helm repository index will
+not result in a new Artifact. When the field is set to `false` or removed, it
+will resume.
+
+For practical information, see
+[suspending and resuming](#suspending-and-resuming).
+
+## Working with HelmRepositories
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, once created, they
+are ready to used by [HelmCharts](helmcharts.md).
+ 
+### Triggering a reconcile
+
+To manually tell the source-controller to reconcile a HelmRepository outside the
+[specified interval window](#interval), a HelmRepository can be annotated with
+`reconcile.fluxcd.io/requestedAt: <arbitrary value>`. Annotating the resource
+queues the object for reconciliation if the `<arbitrary-value>` differs from
+the last value the controller acted on, as reported in
+[`.status.lastHandledReconcileAt`](#last-handled-reconcile-at).
+
+Using `kubectl`:
+
+```sh
+kubectl annotate --field-manager=flux-client-side-apply --overwrite helmrepository/<repository-name> reconcile.fluxcd.io/requestedAt="$(date +%s)"
+```
+
+Using `flux`:
+
+```sh
+flux reconcile source helm <repository-name>
+```
+
+### Waiting for `Ready`
+
+When a change is applied, it is possible to wait for the HelmRepository to
+reach a [ready state](#ready-helmrepository) using `kubectl`:
+
+```sh
+kubectl wait helmrepository/<repository-name> --for=condition=ready --timeout=1m
+```
+
+### Suspending and resuming
+
+When you find yourself in a situation where you temporarily want to pause the
+reconciliation of a HelmRepository, you can suspend it using the
+[`.spec.suspend` field](#suspend).
+
+#### Suspend a HelmRepository
+
+In your YAML declaration:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+spec:
+  suspend: true
+```
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmrepository <repository-name> --field-manager=flux-client-side-apply -p '{\"spec\": {\"suspend\" : true }}'
+```
+
+Using `flux`:
+
+```sh
+flux suspend source helm <repository-name>
+```
+
+**Note:** When a HelmRepository has an Artifact and is suspended, and this
+Artifact later disappears from the storage due to e.g. the source-controller
+Pod being  evicted from a Node, this will not be reflected in the
+HelmRepository's Status until it is resumed.
+
+#### Resume a HelmRepository
+
+In your YAML declaration, comment out (or remove) the field:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+spec:
+  # suspend: true
+```
+
+**Note:** Setting the field value to `false` has the same effect as removing
+it, but does not allow for "hot patching" using e.g. `kubectl` while practicing
+GitOps; as the manually applied patch would be overwritten by the declared
+state in Git.
+
+Using `kubectl`:
+
+```sh
+kubectl patch helmrepository <repository-name> --field-manager=flux-client-side-apply -p '{\"spec\" : {\"suspend\" : false }}'
+```
+
+Using `flux`:
+
+```sh
+flux resume source helm <repository-name>
+```
+
+### Debugging a HelmRepository
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, they are static
+objects that don't require debugging if valid.
+
+There are several ways to gather information about a HelmRepository for debugging
+purposes.
+
+#### Describe the HelmRepository
+
+Describing a HelmRepository using `kubectl describe helmrepository <repository-name>`
+displays the latest recorded information for the resource in the `Status` and
+`Events` sections:
+
+```console
+...
+Status:
+...
+  Conditions:
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                True
+    Type:                  Stalled
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                False
+    Type:                  Ready
+    Last Transition Time:  2022-02-04T13:41:56Z
+    Message:               failed to construct Helm client: scheme "invalid" not supported
+    Observed Generation:   2
+    Reason:                Failed
+    Status:                True
+    Type:                  FetchFailed
+  Observed Generation:     2
+  URL:                     http://source-controller.source-system.svc.cluster.local./helmrepository/default/podinfo/index.yaml
+Events:
+  Type     Reason                      Age                  From               Message
+  ----     ------                      ----                 ----               -------
+  Warning  Failed                      6s                   source-controller  failed to construct Helm client: scheme "invalid" not supported
+```
+
+#### Trace emitted Events
+
+To view events for specific HelmRepository(s), `kubectl events` can be used in
+combination with `--for` to list the Events for specific objects. For example,
+running
+
+```sh
+kubectl events --for HelmRepository/<repository-name>
+```
+
+lists
+
+```console
+LAST SEEN   TYPE      REASON           OBJECT                             MESSAGE
+107s        Warning   Failed           helmrepository/<repository-name>   failed to construct Helm client: scheme "invalid" not supported
+7s          Normal    NewArtifact      helmrepository/<repository-name>   fetched index of size 30.88kB from 'https://stefanprodan.github.io/podinfo'
+3s          Normal    ArtifactUpToDate helmrepository/<repository-name>   artifact up-to-date with remote revision: 'sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111'
+```
+
+Besides being reported in Events, the reconciliation errors are also logged by
+the controller. The Flux CLI offer commands for filtering the logs for a
+specific HelmRepository, e.g. `flux logs --level=error --kind=HelmRepository --name=<chart-name>`.
+
+## HelmRepository Status
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), they do not contain any information in the
+status.
+
+### Artifact
+
+The HelmRepository reports the last fetched repository index as an Artifact
+object in the `.status.artifact` of the resource.
+
+The Artifact file is an exact copy of the Helm repository index YAML
+(`index-<revision>.yaml`) as fetched, and can be retrieved in-cluster from the
+`.status.artifact.url` HTTP address.
+
+#### Artifact example
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: <repository-name>
+status:
+  artifact:
+    digest: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    lastUpdateTime: "2022-02-04T09:55:58Z"
+    path: helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+    revision: sha256:83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111
+    size: 40898
+    url: http://source-controller.flux-system.svc.cluster.local./helmrepository/<namespace>/<repository-name>/index-83a3c595163a6ff0333e0154c790383b5be441b9db632cb36da11db1c4ece111.yaml
+```
+
+### Conditions
+
+A HelmRepository enters various states during its lifecycle, reflected as [Kubernetes
+Conditions][typical-status-properties].
+It can be [reconciling](#reconciling-helmrepository) while fetching the
+repository index,  it can be [ready](#ready-helmrepository), it can
+[fail during reconciliation](#failed-helmrepository), or it can
+[stall](#stalled-helmrepository).
+
+The HelmRepository API is compatible with the [kstatus
+specification][kstatus-spec],
+and reports `Reconciling` and `Stalled` conditions where applicable to
+provide better (timeout) support to solutions polling the HelmRepository to become
+`Ready`.
+
+#### Reconciling HelmRepository
+
+The source-controller marks a HelmRepository as _reconciling_ when one of the following
+is true:
+
+- There is no current Artifact for the HelmRepository, or the reported Artifact
+  is determined to have disappeared from the storage.
+- The generation of the HelmRepository is newer than the [Observed
+  Generation](#observed-generation).
+- The newly fetched Artifact revision differs from the current Artifact.
+
+When the HelmRepository is "reconciling", the `Ready` Condition status becomes
+`Unknown` when the controller detects drift, and the controller adds a Condition
+with the following attributes to the HelmRepository's `.status.conditions`:
+
+- `type: Reconciling`
+- `status: "True"`
+- `reason: Progressing` | `reason: ProgressingWithRetry`
+
+If the reconciling state is due to a new revision, it adds an additional
+Condition with the following attributes:
+
+- `type: ArtifactOutdated`
+- `status: "True"`
+- `reason: NewRevision`
+
+Both Conditions have a ["negative polarity"][typical-status-properties],
+and are only present on the HelmRepository while their status value is `"True"`.
+
+#### Ready HelmRepository
+
+The source-controller marks a HelmRepository as _ready_ when it has the following
+characteristics:
+
+- The HelmRepository reports an [Artifact](#artifact).
+- The reported Artifact exists in the controller's Artifact storage.
+- The controller was able to fetch the Helm repository index using the current
+  spec.
+- The revision of the reported Artifact is up-to-date with the latest
+  revision of the Helm repository.
+
+When the HelmRepository is "ready", the controller sets a Condition with the following
+attributes in the HelmRepository's `.status.conditions`:
+
+- `type: Ready`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `Ready` Condition will retain a status value of `"True"` until the
+HelmRepository is marked as [reconciling](#reconciling-helmrepository), or e.g.
+a [transient error](#failed-helmrepository) occurs due to a temporary network
+issue.
+
+When the HelmRepository Artifact is archived in the controller's Artifact
+storage, the controller sets a Condition with the following attributes in the
+HelmRepository's `.status.conditions`:
+
+- `type: ArtifactInStorage`
+- `status: "True"`
+- `reason: Succeeded`
+
+This `ArtifactInStorage` Condition will retain a status value of `"True"` until
+the Artifact in the storage no longer exists.
+
+#### Failed HelmRepository
+
+The source-controller may get stuck trying to produce an Artifact for a
+HelmRepository without completing. This can occur due to some of the following
+factors:
+
+- The Helm repository [URL](#url) is temporarily unavailable.
+- The [Secret reference](#secret-reference) contains a reference to a
+  non-existing Secret.
+- The credentials in the referenced Secret are invalid.
+- The HelmRepository spec contains a generic misconfiguration.
+- A storage related failure when storing the artifact.
+
+When this happens, the controller sets the `Ready` Condition status to `False`,
+and adds a Condition with the following attributes to the HelmRepository's
+`.status.conditions`:
+
+- `type: FetchFailed` | `type: StorageOperationFailed`
+- `status: "True"`
+- `reason: AuthenticationFailed` | `reason: IndexationFailed` | `reason: Failed`
+
+This condition has a ["negative polarity"][typical-status-properties],
+and is only present on the HelmRepository while the status value is `"True"`.
+There may be more arbitrary values for the `reason` field to provide accurate
+reason for a condition.
+
+While the HelmRepository has this Condition, the controller will continue to
+attempt to produce an Artifact for the resource with an exponential backoff,
+until it succeeds and the HelmRepository is marked as [ready](#ready-helmrepository).
+
+Note that a HelmRepository can be [reconciling](#reconciling-helmrepository)
+while failing at the same time, for example due to a newly introduced
+configuration issue in the HelmRepository spec. When a reconciliation fails, the
+`Reconciling` Condition reason would be `ProgressingWithRetry`. When the
+reconciliation is performed again after the failure, the reason is updated to
+`Progressing`.
+
+#### Stalled HelmRepository
+
+The source-controller can mark a HelmRepository as _stalled_ when it determines
+that without changes to the spec, the reconciliation can not succeed.
+For example because a Helm repository URL with an unsupported protocol is
+specified.
+
+When this happens, the controller sets the same Conditions as when it
+[fails](#failed-helmrepository), but adds another Condition with the following
+attributes to the HelmRepository's
+`.status.conditions`:
+
+- `type: Stalled`
+- `status: "True"`
+- `reason: URLInvalid`
+
+While the HelmRepository has this Condition, the controller will not requeue
+the resource any further, and will stop reconciling the resource until a change
+to the spec is made.
+
+### Observed Generation
+
+The source-controller reports an [observed generation][typical-status-properties]
+in the HelmRepository's `.status.observedGeneration`. The observed generation is
+the latest `.metadata.generation` which resulted in either a [ready state](#ready-helmrepository),
+or stalled due to error it can not recover from without human intervention.
+
+### Last Handled Reconcile At
+
+The source-controller reports the last `reconcile.fluxcd.io/requestedAt`
+annotation value it acted on in the `.status.lastHandledReconcileAt` field.
+
+For practical information about this field, see [triggering a
+reconcile](#triggering-a-reconcile).
+
+[pem-encoding]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
+[typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
+[kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1beta2/buckets.md

@@ -439,8 +439,8 @@ data:
 
 ##### Workload Identity
 
-If you have [Workload Identity mutating webhook](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
-installed on your cluster. You need to create an Azure Identity and give it
+If you have [Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
+set up on your cluster, you need to create an Azure Identity and give it
 access to Azure Blob Storage.
 
 ```shell
@@ -465,7 +465,7 @@ az identity federated-credential create \
   --subject "system:serviceaccount:flux-system:source-controller"
 ```
 
-Add a patch to label and annotate the source-controller Pods and ServiceAccount
+Add a patch to label and annotate the source-controller Deployment and ServiceAccount
 correctly so that it can match an identity binding:
 
 ```yaml
@@ -501,7 +501,7 @@ patches:
 ```
 
 If you have set up Workload Identity correctly and labeled the source-controller
-Pod and ServiceAccount, then you don't need to reference a Secret. For more information,
+Deployment and ServiceAccount, then you don't need to reference a Secret. For more information,
 please see [documentation](https://azure.github.io/azure-workload-identity/docs/quick-start.html).
 
 ```yaml
@@ -517,7 +517,7 @@ spec:
   endpoint: https://testfluxsas.blob.core.windows.net
 ```
 
-##### Managed Identity with AAD Pod Identity
+##### Deprecated: Managed Identity with AAD Pod Identity
 
 If you are using [aad pod identity](https://azure.github.io/aad-pod-identity/docs),
 You need to create an Azure Identity and give it access to Azure Blob Storage.
@@ -561,7 +561,7 @@ spec:
   selector: ${IDENTITY_NAME}
 ```
 
-Label the source-controller correctly so that it can match an identity binding:
+Label the source-controller Deployment correctly so that it can match an identity binding:
 
 ```yaml
 apiVersion: apps/v1
@@ -577,7 +577,7 @@ spec:
 ```
 
 If you have set up aad-pod-identity correctly and labeled the source-controller
-Pod, then you don't need to reference a Secret.
+Deployment, then you don't need to reference a Secret.
 
 ```yaml
 apiVersion: source.toolkit.fluxcd.io/v1beta2
@@ -724,7 +724,7 @@ Where the (base64 decoded) value of `.data.serviceaccount` looks like this:
 
 ### Interval
 
-`.spec.interval` is a required field that specifices the interval which the
+`.spec.interval` is a required field that specifies the interval which the
 object storage bucket must be consulted at.
 
 After successfully reconciling a Bucket object, the source-controller requeues
@@ -733,7 +733,12 @@ the object for inspection after the specified interval. The value must be in a
 e.g. `10m0s` to look at the object storage bucket every 10 minutes.
 
 If the `.metadata.generation` of a resource changes (due to e.g. the apply of a
-change to the spec), this is handled instantly outside of the interval window.
+change to the spec), this is handled instantly outside the interval window.
+
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple Bucket objects are set up
+with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
 
 ### Endpoint
 
@@ -744,6 +749,83 @@ HTTP endpoint requires enabling [`.spec.insecure`](#insecure).
 Some endpoints require the specification of a [`.spec.region`](#region),
 see [Provider](#provider) for more (provider specific) examples.
 
+### STS
+
+`.spec.sts` is an optional field for specifying the Security Token Service
+configuration. A Security Token Service (STS) is a web service that issues
+temporary security credentials. By adding this field, one may specify the
+STS endpoint from where temporary credentials will be fetched.
+
+This field is only supported for the `aws` and `generic` bucket [providers](#provider).
+
+If using `.spec.sts`, the following fields are required:
+
+- `.spec.sts.provider`, the Security Token Service provider. The only supported
+  option for the `generic` bucket provider is `ldap`. The only supported option
+  for the `aws` bucket provider is `aws`.
+- `.spec.sts.endpoint`, the HTTP/S endpoint of the Security Token Service. In
+  the case of `aws` this can be `https://sts.amazonaws.com`, or a Regional STS
+  Endpoint, or an Interface Endpoint created inside a VPC. In the case of
+  `ldap` this must be the LDAP server endpoint.
+
+When using the `ldap` provider, the following fields may also be specified:
+
+- `.spec.sts.secretRef.name`, the name of the Secret containing the LDAP
+  credentials. The Secret must contain the following keys:
+  - `username`, the username to authenticate with.
+  - `password`, the password to authenticate with.
+- `.spec.sts.certSecretRef.name`, the name of the Secret containing the
+  TLS configuration for communicating with the STS endpoint. The contents
+  of this Secret must follow the same structure of
+  [`.spec.certSecretRef.name`](#cert-secret-reference).
+
+If [`.spec.proxySecretRef.name`](#proxy-secret-reference) is specified,
+the proxy configuration will be used for commucating with the STS endpoint.
+
+Example for the `ldap` provider:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: example
+  namespace: example
+spec:
+  interval: 5m
+  bucketName: example
+  provider: generic
+  endpoint: minio.example.com
+  sts:
+    provider: ldap
+    endpoint: https://ldap.example.com
+    secretRef:
+      name: ldap-credentials
+    certSecretRef:
+      name: ldap-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-credentials
+  namespace: example
+type: Opaque
+stringData:
+  username: <username>
+  password: <password>
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-tls
+  namespace: example
+type: kubernetes.io/tls # or Opaque
+stringData:
+  tls.crt: <PEM-encoded cert>
+  tls.key: <PEM-encoded key>
+  ca.crt: <PEM-encoded cert>
+```
+
 ### Bucket name
 
 `.spec.bucketName` is a required field that specifies which object storage
@@ -758,6 +840,100 @@ See [Provider](#provider) for more (provider specific) examples.
 
 See [Provider](#provider) for more (provider specific) examples.
 
+### Cert secret reference
+
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
+
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls minio-tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+If TLS client authentication is not required, you can generate the secret with:
+
+```sh
+flux create secret tls minio-tls --ca-crt-file=ca.crt
+```
+
+This API is only supported for the `generic` [provider](#provider).
+
+Example usage:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: example
+  namespace: example
+spec:
+  interval: 5m
+  bucketName: example
+  provider: generic
+  endpoint: minio.example.com
+  certSecretRef:
+    name: minio-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-tls
+  namespace: example
+type: kubernetes.io/tls # or Opaque
+stringData:
+  tls.crt: <PEM-encoded cert>
+  tls.key: <PEM-encoded key>
+  ca.crt: <PEM-encoded cert>
+```
+
+### Proxy secret reference
+
+`.spec.proxySecretRef.name` is an optional field used to specify the name of a
+Secret that contains the proxy settings for the object. These settings are used
+for all the remote operations related to the Bucket.
+The Secret can contain three keys:
+
+- `address`, to specify the address of the proxy server. This is a required key.
+- `username`, to specify the username to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+- `password`, to specify the password to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+
+Example:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: http-proxy
+type: Opaque
+stringData:
+  address: http://proxy.com
+  username: mandalorian
+  password: grogu
+```
+
+Proxying can also be configured in the source-controller Deployment directly by
+using the standard environment variables such as `HTTPS_PROXY`, `ALL_PROXY`, etc.
+
+`.spec.proxySecretRef.name` takes precedence over all environment variables.
+
 ### Insecure
 
 `.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
@@ -780,6 +956,15 @@ credentials for the object storage. For some `.spec.provider` implementations
 the presence of the field is required, see [Provider](#provider) for more
 details and examples.
 
+### Prefix
+
+`.spec.prefix` is an optional field to enable server-side filtering
+of files in the Bucket.
+
+**Note:** The server-side filtering works only with the `generic`, `aws`
+and `gcp` [provider](#provider) and is preferred over [`.spec.ignore`](#ignore)
+as a more efficient way of excluding files. 
+
 ### Ignore
 
 `.spec.ignore` is an optional field to specify rules in [the `.gitignore`

docs/spec/v1beta2/gitrepositories.md

@@ -140,6 +140,14 @@ To authenticate towards a Git repository over HTTPS using bearer token
 authentication (in other words: using a `Authorization: Bearer` header), the referenced
 Secret is expected to contain the token in `.data.bearerToken`.
 
+**Note:** If you are looking to use OAuth tokens with popular servers (e.g.
+[GitHub](https://docs.github.com/en/rest/overview/authenticating-to-the-rest-api?apiVersion=2022-11-28#authenticating-with-a-token-generated-by-an-app),
+[Bitbucket](https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/),
+[GitLab](https://docs.gitlab.com/ee/gitlab-basics/start-using-git.html#clone-using-a-token)),
+you should use basic access authentication instead. These servers use basic HTTP
+authentication, with the OAuth token as the password. Check the documentation of
+your Git server for details.
+
 ```yaml
 ---
 apiVersion: v1

docs/spec/v1beta2/helmcharts.md

@@ -45,7 +45,7 @@ In the above example:
 
 You can run this example by saving the manifest into `helmchart.yaml`.
 
-**NOTE:** HelmChart is usually used by the helm-controller. Based on the
+**Note:** HelmChart is usually used by the helm-controller. Based on the
 HelmRelease configuration, an associated HelmChart is created by the 
 helm-controller.
 
@@ -202,6 +202,16 @@ spec:
 Values files also affect the generated artifact revision, see
 [artifact](#artifact).
 
+### Ignore missing values files
+
+`.spec.ignoreMissingValuesFiles` is an optional field to specify whether missing
+values files should be ignored rather than be considered errors.  It defaults to
+`false`.
+
+When `.spec.valuesFiles` and  `.spec.ignoreMissingValuesFiles` are specified,
+the `.status.observedValuesFiles` field is populated with the list of values
+files that were found and actually contributed to the packaged chart.
+
 ### Reconcile strategy
 
 `.spec.reconcileStrategy` is an optional field to specify what enables the
@@ -211,7 +221,7 @@ changes in a `HelmRepository`. `Revision` is used for creating a new artifact
 when the source revision changes in a `GitRepository` or a `Bucket` Source. It
 defaults to `ChartVersion`.
 
-**NOTE:** If the reconcile strategy is `ChartVersion` and the source reference
+**Note:** If the reconcile strategy is `ChartVersion` and the source reference
 is a `GitRepository` or a `Bucket`, no new chart artifact is produced on updates
 to the source unless the `version` in `Chart.yaml` is incremented. To produce
 new chart artifact on change in source revision, set the reconcile strategy to
@@ -233,6 +243,11 @@ e.g. `10m0s` to look at the source for updates every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. applying a
 change to the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmChart objects are set
+up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### Suspend
 
 `.spec.suspend` is an optional field to suspend the reconciliation of a
@@ -247,12 +262,19 @@ For practical information, see
 
 **Note:** This feature is available only for Helm charts fetched from an OCI Registry.
 
-`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+`.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign) or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
 
-- `.provider`, to specify the verification provider. Only supports `cosign` at present.
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
-  the HelmChart, containing the Cosign public keys of trusted authors.
+  the HelmChart, containing the public keys of trusted authors. For Notation this Secret should also include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
 
 ```yaml
 ---
@@ -274,7 +296,7 @@ following attributes to the HelmChart's `.status.conditions`:
 - `status: "True"`
 - `reason: Succeeded`
 
-#### Public keys verification
+##### Public keys verification
 
 To verify the authenticity of HelmChart hosted in an OCI Registry, create a Kubernetes
 secret with the Cosign public keys:
@@ -296,12 +318,24 @@ Note that the keys must have the `.pub` extension for Flux to make use of them.
 Flux will loop over the public keys and use them to verify a HelmChart's signature.
 This allows for older HelmCharts to be valid as long as the right key is in the secret.
 
-#### Keyless verification
+##### Keyless verification
 
 For publicly available HelmCharts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying  HelmCharts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -320,6 +354,9 @@ spec:
   version: ">=6.1.6"
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 ```yaml
@@ -340,6 +377,55 @@ instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 Note that keyless verification is an **experimental feature**, using
 custom root CAs or self-hosted Rekor instances are not currently supported.
 
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmChart
+metadata:
+  name: podinfo
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the HelmChart's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
 ## Working with HelmCharts
 
 ### Triggering a reconcile

docs/spec/v1beta2/helmrepositories.md

@@ -5,9 +5,9 @@
 There are 2 [Helm repository types](#type) defined by the `HelmRepository` API:
 - Helm HTTP/S repository, which defines a Source to produce an Artifact for a Helm
 repository index YAML (`index.yaml`). 
-- OCI Helm repository, which defines a source that does not produce an Artifact. 
-Instead a validation of the Helm repository is performed and the outcome is reported in the
-`.status.conditions` field.
+- OCI Helm repository, which defines a source that does not produce an Artifact.
+  It's a data container to store the information about the OCI repository that
+  can be used by [HelmChart](helmcharts.md) to access OCI Helm charts.
 
 ## Examples
 
@@ -113,9 +113,11 @@ In the above example:
 
 - A HelmRepository named `podinfo` is created, indicated by the
   `.metadata.name` field.
-- The source-controller performs the Helm repository url validation i.e. the url 
-is a valid OCI registry url, every five minutes with the information indicated by the
-`.spec.interval` and `.spec.url` fields.
+- A HelmChart that refers to this HelmRepository uses the URL in the `.spec.url`
+  field to access the OCI Helm chart.
+
+**NOTE:** The `.spec.interval` field is only used by the `default` Helm
+repository and is ignored for any value in `oci` Helm repository.
 
 You can run this example by saving the manifest into `helmrepository.yaml`.
 
@@ -129,25 +131,12 @@ You can run this example by saving the manifest into `helmrepository.yaml`.
 
    ```console
    NAME      URL                                 AGE     READY   STATUS
-   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s   True    Helm repository "podinfo" is ready
+   podinfo   oci://ghcr.io/stefanprodan/charts   3m22s
    ```
 
-3. Run `kubectl describe helmrepository podinfo` to see the [Conditions](#conditions) 
-in the HelmRepository's Status:
-
-   ```console
-   ...
-   Status:
-     Conditions:
-       Last Transition Time:  2022-05-12T14:02:12Z
-       Message:               Helm repository "podinfo" is ready
-       Observed Generation:   1
-       Reason:                Succeeded
-       Status:                True
-       Type:                  Ready
-     Observed Generation:     1
-   Events:                    <none>
-   ```
+Because the OCI Helm repository is a data container, there's nothing to report
+for `READY` and `STATUS` columns above. The existence of the object can be
+considered to be ready for use.
 
 ## Writing a HelmRepository spec
 
@@ -158,14 +147,12 @@ valid [DNS subdomain name](https://kubernetes.io/docs/concepts/overview/working-
 A HelmRepository also needs a
 [`.spec` section](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status).
 
-
 ### Type
 
 `.spec.type` is an optional field that specifies the Helm repository type. 
 
 Possible values are `default` for a Helm HTTP/S repository, or `oci` for an OCI Helm repository.
 
-
 ### Provider
 
 `.spec.provider` is an optional field that allows specifying an OIDC provider used
@@ -224,8 +211,8 @@ to the IAM role when using IRSA.
 
 #### Azure
 
-The `azure` provider can be used to authenticate automatically using kubelet managed
-identity or Azure Active Directory pod-managed identity (aad-pod-identity), and 
+The `azure` provider can be used to authenticate automatically using Workload Identity, Kubelet Managed
+Identity or Azure Active Directory pod-managed identity (aad-pod-identity), and
 by extension gain access to ACR.
 
 ##### Kubelet Managed Identity
@@ -233,6 +220,12 @@ by extension gain access to ACR.
 When the kubelet managed identity has access to ACR, source-controller running on 
 it will also have access to ACR.
 
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
 ##### Azure Workload Identity
 
 When using Workload Identity to enable access to ACR, add the following patch to
@@ -270,13 +263,17 @@ patches:
               azure.workload.identity/use: "true"
 ```
 
-To use Workload Identity, you have to install the Workload Identity
-mutating webhook and create an identity that has access to ACR. Next, establish
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
 a federated identity between the source-controller ServiceAccount and the
-identity. Patch the source-controller Pod and ServiceAccount as shown in the patch
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
 above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
 
-##### AAD Pod Identity
+##### Deprecated: AAD Pod Identity
+
+**Warning:** The AAD Pod Identity project will be archived in
+[September 2023](https://github.com/Azure/aad-pod-identity#-announcement),
+and you are advised to use Workload Identity instead.
 
 When using aad-pod-identity to enable access to ACR, add the following patch to
 your bootstrap repository, in the `flux-system/kustomization.yaml` file:
@@ -302,7 +299,7 @@ to give the `source-controller` pod access to the ACR. To do this, you have to i
 `aad-pod-identity` on your cluster, create a managed identity that has access to the
 container registry (this can also be the Kubelet identity if it has `AcrPull` role
 assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding` that describe
-the managed identity and then label the `source-controller` pods with the name of the
+the managed identity and then label the `source-controller` deployment with the name of the
 AzureIdentity as shown in the patch above. Please take a look at [this guide](https://azure.github.io/aad-pod-identity/docs/)
 or [this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
 if you want to use AKS pod-managed identities add-on that is in preview.
@@ -348,10 +345,23 @@ the needed permission is instead `storage.objects.list` which can be bound as pa
 of the Container Registry Service Agent role. Take a look at [this guide](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
 for more information about setting up GKE Workload Identity.
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure non-TLS connections when fetching Helm chart OCI artifacts.
+
+**Note**: The insecure field is supported only for Helm OCI repositories.
+The `spec.type` field must be set to `oci`.
+
 ### Interval
 
-`.spec.interval` is a required field that specifies the interval which the
-Helm repository index must be consulted at.
+**Note:** This field is ineffectual for [OCI Helm
+Repositories](#helm-oci-repository).
+
+`.spec.interval` is a an optional field that specifies the interval which the
+Helm repository index must be consulted at. When not set, the default value is
+`1m`.
 
 After successfully reconciling a HelmRepository object, the source-controller
 requeues the object for inspection after the specified interval. The value
@@ -361,6 +371,11 @@ e.g. `10m0s` to fetch the HelmRepository index YAML every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. applying a
 change to the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple HelmRepository objects
+are set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### URL
 
 `.spec.url` is a required field that depending on the [type of the HelmRepository object](#type)
@@ -372,11 +387,14 @@ For Helm repositories which require authentication, see [Secret reference](#secr
 
 ### Timeout
 
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
 `.spec.timeout` is an optional field to specify a timeout for the fetch
 operation. The value must be in a
 [Go recognized duration string format](https://pkg.go.dev/time#ParseDuration),
-e.g. `1m30s` for a timeout of one minute and thirty seconds. The default value
-is `60s`.
+e.g. `1m30s` for a timeout of one minute and thirty seconds. When not set, the
+default value is `1m`.
 
 ### Secret reference
 
@@ -411,8 +429,8 @@ metadata:
   name: example-user
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 OCI Helm repository example:
@@ -437,8 +455,8 @@ metadata:
   name: oci-creds
   namespace: default
 stringData:
-  username: example
-  password: 123456
+  username: "user-123456"
+  password: "pass-123456"
 ```
 
 For OCI Helm repositories, Kubernetes secrets of type [kubernetes.io/dockerconfigjson](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types) are also supported.
@@ -452,15 +470,36 @@ flux create secret oci ghcr-auth \
   --password=${GITHUB_PAT}
 ```
 
-#### TLS authentication
+**Warning:** Support for specifying TLS authentication data using this API has been
+deprecated. Please use [`.spec.certSecretRef`](#cert-secret-reference) instead.
+If the controller uses the secret specified by this field to configure TLS, then
+a deprecation warning will be logged.
 
-**Note:** TLS authentication is not yet supported by OCI Helm repositories.
+### Cert secret reference
 
-To provide TLS credentials to use while connecting with the Helm repository,
-the referenced Secret is expected to contain `.data.certFile` and
-`.data.keyFile`, and/or `.data.caFile` values.
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
 
-For example:
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
+
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
+
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
+
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
+```
+
+Example usage:
 
 ```yaml
 ---
@@ -472,7 +511,7 @@ metadata:
 spec:
   interval: 5m0s
   url: https://example.com
-  secretRef:
+  certSecretRef:
     name: example-tls
 ---
 apiVersion: v1
@@ -480,11 +519,12 @@ kind: Secret
 metadata:
   name: example-tls
   namespace: default
+type: kubernetes.io/tls # or Opaque
 data:
-  certFile: <BASE64>
-  keyFile: <BASE64>
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
   # NOTE: Can be supplied without the above values
-  caFile: <BASE64>
+  ca.crt: <BASE64>
 ```
 
 ### Pass credentials
@@ -500,6 +540,9 @@ to HTTP/S Helm repositories.
 
 ### Suspend
 
+**Note:** This field is not applicable to [OCI Helm
+Repositories](#helm-oci-repository).
+
 `.spec.suspend` is an optional field to suspend the reconciliation of a
 HelmRepository. When set to `true`, the controller will stop reconciling the
 HelmRepository, and changes to the resource or the Helm repository index will
@@ -510,6 +553,10 @@ For practical information, see
 [suspending and resuming](#suspending-and-resuming).
 
 ## Working with HelmRepositories
+
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, once created, they
+are ready to used by [HelmCharts](helmcharts.md).
  
 ### Triggering a reconcile
 
@@ -611,6 +658,10 @@ flux resume source helm <repository-name>
 
 ### Debugging a HelmRepository
 
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), being a data container, they are static
+objects that don't require debugging if valid.
+
 There are several ways to gather information about a HelmRepository for debugging
 purposes.
 
@@ -676,9 +727,11 @@ specific HelmRepository, e.g. `flux logs --level=error --kind=HelmRepository --n
 
 ## HelmRepository Status
 
-### Artifact
+**Note:** This section does not apply to [OCI Helm
+Repositories](#helm-oci-repository), they do not contain any information in the
+status.
 
-**Note:** This section does not apply to [OCI Helm Repositories](#oci-helm-repositories), they do not emit artifacts.
+### Artifact
 
 The HelmRepository reports the last fetched repository index as an Artifact
 object in the `.status.artifact` of the resource.
@@ -720,9 +773,6 @@ and reports `Reconciling` and `Stalled` conditions where applicable to
 provide better (timeout) support to solutions polling the HelmRepository to become
 `Ready`.
 
- OCI Helm repositories use only `Reconciling`, `Ready`, `FetchFailed`, and `Stalled`
- condition types.
-
 #### Reconciling HelmRepository
 
 The source-controller marks a HelmRepository as _reconciling_ when one of the following
@@ -859,5 +909,6 @@ annotation value it acted on in the `.status.lastHandledReconcileAt` field.
 For practical information about this field, see [triggering a
 reconcile](#triggering-a-reconcile).
 
+[pem-encoding]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
 [typical-status-properties]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 [kstatus-spec]: https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus

docs/spec/v1beta2/ocirepositories.md

@@ -157,15 +157,20 @@ to the IAM role when using IRSA.
 
 #### Azure
 
-The `azure` provider can be used to authenticate automatically using kubelet
-managed identity or Azure Active Directory pod-managed identity (aad-pod-identity),
-and by extension gain access to ACR.
+The `azure` provider can be used to authenticate automatically using Workload Identity and Kubelet Managed
+Identity to gain access to ACR.
 
 ##### Kubelet Managed Identity
 
 When the kubelet managed identity has access to ACR, source-controller running
 on it will also have access to ACR.
 
+**Note:** If you have more than one identity configured on the cluster, you have to specify which one to use
+by setting the `AZURE_CLIENT_ID` environment variable in the source-controller deployment.
+
+If you are running into further issues, please look at the
+[troubleshooting guide](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#azure-virtual-machine-managed-identity).
+
 ##### Workload Identity
 
 When using Workload Identity to enable access to ACR, add the following patch to
@@ -203,43 +208,12 @@ patches:
               azure.workload.identity/use: "true"
 ```
 
-To use Workload Identity, you have to install the Workload Identity
-mutating webhook and create an identity that has access to ACR. Next, establish 
-a federated identity between the source-controller ServiceAccount and the 
-identity. Patch the source-controller Pod and ServiceAccount as shown in the patch
+Ensure Workload Identity is properly set up on your cluster and the mutating webhook is installed.
+Create an identity that has access to ACR. Next, establish
+a federated identity between the source-controller ServiceAccount and the
+identity. Patch the source-controller Deployment and ServiceAccount as shown in the patch
 above. Please take a look at this [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
 
-##### AAD Pod Identity
-When using aad-pod-identity to enable access to ACR, add the following patch to
-your bootstrap repository, in the `flux-system/kustomization.yaml` file:
-
-```yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - gotk-components.yaml
-  - gotk-sync.yaml
-patches:
-  - patch: |
-      - op: add
-        path: /spec/template/metadata/labels/aadpodidbinding
-        value: <identity-name>
-    target:
-      kind: Deployment
-      name: source-controller
-``` 
-
-When using pod-managed identity on an AKS cluster, AAD Pod Identity
-has to be used to give the `source-controller` pod access to the ACR.
-To do this, you have to install `aad-pod-identity` on your cluster, create a managed identity
-that has access to the container registry (this can also be the Kubelet identity
-if it has `AcrPull` role assignment on the ACR), create an `AzureIdentity` and `AzureIdentityBinding`
-that describe the managed identity and then label the `source-controller` pods
-with the name of the AzureIdentity as shown in the patch above. Please take a look
-at [this guide](https://azure.github.io/aad-pod-identity/docs/) or
-[this one](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
-if you want to use AKS pod-managed identities add-on that is in preview.
-
 #### GCP
 
 The `gcp` provider can be used to authenticate automatically using OAuth scopes
@@ -269,7 +243,7 @@ patches:
     target:
       kind: ServiceAccount
       name: source-controller
-``` 
+```
 
 The Artifact Registry service uses the permission `artifactregistry.repositories.downloadArtifacts`
 that is located under the Artifact Registry Reader role. If you are using
@@ -300,42 +274,103 @@ fetch the image pull secrets attached to the service account and use them for au
 **Note:** that for a publicly accessible image repository, you don't need to provide a `secretRef`
 nor `serviceAccountName`.
 
-### TLS Certificates
+### Cert secret reference
 
-`.spec.certSecretRef` field names a secret with TLS certificate data. This is for two separate
-purposes:
+`.spec.certSecretRef.name` is an optional field to specify a secret containing
+TLS certificate data. The secret can contain the following keys:
 
-- to provide a client certificate and private key, if you use a certificate to authenticate with
-  the container registry; and,
-- to provide a CA certificate, if the registry uses a self-signed certificate.
+* `tls.crt` and `tls.key`, to specify the client certificate and private key used
+for TLS client authentication. These must be used in conjunction, i.e.
+specifying one without the other will lead to an error.
+* `ca.crt`, to specify the CA certificate used to verify the server, which is
+required if the server is using a self-signed certificate.
 
-These will often go together, if you are hosting a container registry yourself. All the files in the
-secret are expected to be [PEM-encoded][pem-encoding]. This is an ASCII format for certificates and
-keys; `openssl` and such tools will typically give you an option of PEM output.
+If the server is using a self-signed certificate and has TLS client
+authentication enabled, all three values are required.
 
-Assuming you have obtained a certificate file and private key and put them in the files `client.crt`
-and `client.key` respectively, you can create a secret with `kubectl` like this:
+The Secret should be of type `Opaque` or `kubernetes.io/tls`. All the files in
+the Secret are expected to be [PEM-encoded][pem-encoding]. Assuming you have
+three files; `client.key`, `client.crt` and `ca.crt` for the client private key,
+client certificate and the CA certificate respectively, you can generate the
+required Secret using the `flux create secret tls` command:
 
-```bash
-kubectl create secret generic tls-certs \
-  --from-file=certFile=client.crt \
-  --from-file=keyFile=client.key
+```sh
+flux create secret tls --tls-key-file=client.key --tls-crt-file=client.crt --ca-crt-file=ca.crt
 ```
 
-You could also [prepare a secret and encrypt it][sops-guide]; the important bit is that the data
-keys in the secret are `certFile` and `keyFile`.
+Example usage:
 
-If you have a CA certificate for the client to use, the data key for that is `caFile`. Adapting the
-previous example, if you have the certificate in the file `ca.crt`, and the client certificate and
-key as before, the whole command would be:
-
-```bash
-kubectl create secret generic tls-certs \
-  --from-file=certFile=client.crt \
-  --from-file=keyFile=client.key \
-  --from-file=caFile=ca.crt
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: example
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://example.com
+  certSecretRef:
+    name: example-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-tls
+  namespace: default
+type: kubernetes.io/tls # or Opaque
+data:
+  tls.crt: <BASE64>
+  tls.key: <BASE64>
+  # NOTE: Can be supplied without the above values
+  ca.crt: <BASE64>
 ```
 
+**Warning:** Support for the `caFile`, `certFile` and `keyFile` keys have been
+deprecated. If you have any Secrets using these keys and specified in an
+OCIRepository, the controller will log a deprecation warning.
+
+### Proxy secret reference
+
+`.spec.proxySecretRef.name` is an optional field used to specify the name of a
+Secret that contains the proxy settings for the object. These settings are used
+for all the remote operations related to the OCIRepository.
+The Secret can contain three keys:
+
+- `address`, to specify the address of the proxy server. This is a required key.
+- `username`, to specify the username to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+- `password`, to specify the password to use if the proxy server is protected by
+   basic authentication. This is an optional key.
+
+Example:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: http-proxy
+type: Opaque
+stringData:
+  address: http://proxy.com
+  username: mandalorian
+  password: grogu
+```
+
+Proxying can also be configured in the source-controller Deployment directly by
+using the standard environment variables such as `HTTPS_PROXY`, `ALL_PROXY`, etc.
+
+`.spec.proxySecretRef.name` takes precedence over all environment variables.
+
+**Warning:** [Cosign](https://github.com/sigstore/cosign) *keyless*
+[verification](#verification) is not supported for this API. If you
+require cosign keyless verification to use a proxy you must use the
+standard environment variables mentioned above. If you specify a
+`proxySecretRef` the controller will simply send out the requests
+needed for keyless verification without the associated object-level
+proxy settings.
+
 ### Insecure
 
 `.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
@@ -355,6 +390,11 @@ e.g. `10m0s` to reconcile the object every 10 minutes.
 If the `.metadata.generation` of a resource changes (due to e.g. a change to
 the spec), this is handled instantly outside the interval window.
 
+**Note:** The controller can be configured to apply a jitter to the interval in
+order to distribute the load more evenly when multiple OCIRepository objects are
+set up with the same interval. For more information, please refer to the
+[source-controller configuration options](https://fluxcd.io/flux/components/source/options/).
+
 ### Timeout
 
 `.spec.timeout` is an optional field to specify a timeout for OCI operations
@@ -406,6 +446,37 @@ spec:
 
 This field takes precedence over [`.tag`](#tag-example).
 
+#### SemverFilter example
+
+`.spec.ref.semverFilter` is an optional field to specify a SemVer filter to apply
+when fetching tags from the OCI repository. The filter is a regular expression
+that is applied to the tags fetched from the repository. Only tags that match
+the filter are considered for the semver range resolution.
+
+**Note:** The filter is only taken into account when the `.spec.ref.semver` field
+is set.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: default
+spec:
+  interval: 5m0s
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  ref:
+    # SemVer comparisons using constraints without a prerelease comparator will skip prerelease versions.
+    # Adding a `-0` suffix to the semver range will include prerelease versions.
+    semver: ">= 6.1.x-0"
+    semverFilter: ".*-rc.*"
+```
+
+In the above example, the controller fetches tags from the `ghcr.io/stefanprodan/manifests/podinfo`
+repository and filters them using the regular expression `.*-rc.*`. Only tags that
+contain the `-rc` suffix are considered for the semver range resolution.
+
 #### Digest example
 
 To pull a specific digest, use `.spec.ref.digest`:
@@ -419,7 +490,7 @@ metadata:
 spec:
   ref:
     digest: "sha256:<SHA-value>"
-``` 
+```
 
 This field takes precedence over all other fields.
 
@@ -466,11 +537,22 @@ for more information.
 ### Verification
 
 `.spec.verify` is an optional field to enable the verification of [Cosign](https://github.com/sigstore/cosign)
-signatures. The field offers two subfields:
+or [Notation](https://github.com/notaryproject/notation)
+signatures. The field offers three subfields:
 
-- `.provider`, to specify the verification provider. Only supports `cosign` at present.
+- `.provider`, to specify the verification provider. The supported options are `cosign` and `notation` at present.
 - `.secretRef.name`, to specify a reference to a Secret in the same namespace as
-  the OCIRepository, containing the Cosign public keys of trusted authors.
+  the OCIRepository, containing the Cosign public keys of trusted authors. For Notation this Secret should also
+  include the [trust policy](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy) in
+  addition to the CA certificate.
+- `.matchOIDCIdentity`, to specify a list of OIDC identity matchers (only supported when using `cosign` as the
+  verification provider). Please see
+   [Keyless verification](#keyless-verification) for more details.
+
+#### Cosign
+
+The `cosign` provider can be used to verify the signature of an OCI artifact using either a known public key
+or via the [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure.
 
 ```yaml
 ---
@@ -492,7 +574,7 @@ following attributes to the OCIRepository's `.status.conditions`:
 - `status: "True"`
 - `reason: Succeeded`
 
-#### Public keys verification
+##### Public keys verification
 
 To verify the authenticity of an OCI artifact, create a Kubernetes secret
 with the Cosign public keys:
@@ -514,12 +596,24 @@ Note that the keys must have the `.pub` extension for Flux to make use of them.
 Flux will loop over the public keys and use them to verify an artifact's signature.
 This allows for older artifacts to be valid as long as the right key is in the secret.
 
-#### Keyless verification
+##### Keyless verification
 
 For publicly available OCI artifacts, which are signed using the
 [Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
 you can enable the verification by omitting the `.verify.secretRef` field.
 
+To verify the identity's subject and the OIDC issuer present in the Fulcio
+certificate, you can specify a list of OIDC identity matchers using
+`.spec.verify.matchOIDCIdentity`. The matcher provides two required fields:
+
+- `.issuer`, to specify a regexp that matches against the OIDC issuer.
+- `.subject`, to specify a regexp that matches against the subject identity in
+   the certificate.
+Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).
+
+The matchers are evaluated in an OR fashion, i.e. the identity is deemed to be
+verified if any one matcher successfully matches against the identity.
+
 Example of verifying artifacts signed by the
 [Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:
 
@@ -533,6 +627,9 @@ spec:
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
   verify:
     provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/stefanprodan/podinfo.*$"
 ```
 
 The controller verifies the signatures using the Fulcio root CA and the Rekor
@@ -541,6 +638,55 @@ instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 Note that keyless verification is an **experimental feature**, using
 custom root CAs or self-hosted Rekor instances are not currently supported.
 
+#### Notation
+
+The `notation` provider can be used to verify the signature of an OCI artifact using known
+trust policy and CA certificate.
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: <repository-name>
+spec:
+  verify:
+    provider: notation
+    secretRef:
+      name: notation-config
+```
+
+When the verification succeeds, the controller adds a Condition with the
+following attributes to the OCIRepository's `.status.conditions`:
+
+- `type: SourceVerified`
+- `status: "True"`
+- `reason: Succeeded`
+
+To verify the authenticity of an OCI artifact, create a Kubernetes secret
+containing Certificate Authority (CA) root certificates and the a `trust policy`
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: notation-config
+type: Opaque
+data:
+  certificate1.pem: <BASE64>
+  certificate2.crt: <BASE64>
+  trustpolicy.json: <BASE64>
+```
+
+Note that the CA certificates must have either `.pem` or `.crt` extension and your trust policy must
+be named `trustpolicy.json` for Flux to make use of them.
+
+For more information on the signing and verification process see [Signing and Verification Workflow](https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signing-and-verification-workflow.md).
+
+Flux will loop over the certificates and use them to verify an artifact's signature.
+This allows for older artifacts to be valid as long as the right certificate is in the secret.
+
 ### Suspend
 
 `.spec.suspend` is an optional field to suspend the reconciliation of a
@@ -609,7 +755,7 @@ flux reconcile source oci <repository-name>
 ### Waiting for `Ready`
 
 When a change is applied, it is possible to wait for the OCIRepository to reach
-a [ready state](#ready-gitrepository) using `kubectl`:
+a [ready state](#ready-ocirepository) using `kubectl`:
 
 ```sh
 kubectl wait gitrepository/<repository-name> --for=condition=ready --timeout=1m
@@ -866,8 +1012,8 @@ following attributes in the OCIRepository's `.status.conditions`:
 - `reason: Succeeded`
 
 This `Ready` Condition will retain a status value of `"True"` until the
-OCIRepository is marked as [reconciling](#reconciling-gitrepository), or e.g. a
-[transient error](#failed-gitrepository) occurs due to a temporary network issue.
+OCIRepository is marked as [reconciling](#reconciling-ocirepository), or e.g. a
+[transient error](#failed-ocirepository) occurs due to a temporary network issue.
 
 When the OCIRepository Artifact is archived in the controller's Artifact
 storage, the controller sets a Condition with the following attributes in the

go.mod

@@ -1,414 +1,425 @@
 module github.com/fluxcd/source-controller
 
-go 1.18
+go 1.24.0
 
 replace github.com/fluxcd/source-controller/api => ./api
 
+// Pin semver to v3.3.0 to avoid breaking changes in v3.3.1
+// xref: https://github.com/fluxcd/source-controller/issues/1738
+replace github.com/Masterminds/semver/v3 => github.com/Masterminds/semver/v3 v3.3.0
+
 // Replace digest lib to master to gather access to BLAKE3.
 // xref: https://github.com/opencontainers/go-digest/pull/66
 replace github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.1-0.20220411205349-bde1400a84be
 
-// Required to keep oras.land/oras-go happy, as it will otherwise fail with
-// "assignment mismatch: 3 variables but registry.PingV2Registry returns 2 values"
-//
-// Check again when oras.land/oras-go is updated to >=v2.0.0, which is a
-// dependency of Helm.
-replace github.com/docker/docker => github.com/docker/docker v20.10.23+incompatible
-
 require (
-	cloud.google.com/go/storage v1.30.1
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.5.0-beta.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0-beta.4
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0
-	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/distribution/distribution/v3 v3.0.0-20230505052155-8900e90699a5
-	github.com/docker/cli v23.0.6+incompatible
+	cloud.google.com/go/compute/metadata v0.6.0
+	cloud.google.com/go/storage v1.50.0
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.0
+	github.com/Masterminds/semver/v3 v3.3.1
+	github.com/cyphar/filepath-securejoin v0.4.1
+	github.com/distribution/distribution/v3 v3.0.0
+	github.com/docker/cli v28.1.1+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/fluxcd/go-git/v5 v5.0.0-20221219190809-2e5c9d01cfc4
-	github.com/fluxcd/pkg/apis/event v0.4.1
-	github.com/fluxcd/pkg/apis/meta v1.0.0
-	github.com/fluxcd/pkg/git v0.11.0
-	github.com/fluxcd/pkg/git/gogit v0.8.1
-	github.com/fluxcd/pkg/gittestserver v0.8.2
-	github.com/fluxcd/pkg/helmtestserver v0.12.0
-	github.com/fluxcd/pkg/lockedfile v0.1.0
-	github.com/fluxcd/pkg/masktoken v0.2.0
-	github.com/fluxcd/pkg/oci v0.23.0
-	github.com/fluxcd/pkg/runtime v0.35.0
-	github.com/fluxcd/pkg/sourceignore v0.3.3
-	github.com/fluxcd/pkg/ssh v0.7.3
-	github.com/fluxcd/pkg/testserver v0.4.0
-	github.com/fluxcd/pkg/untar v0.3.0
-	github.com/fluxcd/pkg/version v0.2.1
-	github.com/fluxcd/source-controller/api v1.0.0-rc.2
-	github.com/go-git/go-billy/v5 v5.4.1
-	github.com/go-logr/logr v1.2.4
-	github.com/google/go-containerregistry v0.15.1
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20230307034325-57f010d26af8
-	github.com/google/uuid v1.3.0
-	github.com/minio/minio-go/v7 v7.0.52
-	github.com/onsi/gomega v1.27.6
+	github.com/elazarl/goproxy v1.7.2
+	github.com/fluxcd/cli-utils v0.36.0-flux.13
+	github.com/fluxcd/pkg/apis/event v0.17.0
+	github.com/fluxcd/pkg/apis/meta v1.12.0
+	github.com/fluxcd/pkg/auth v0.18.0
+	github.com/fluxcd/pkg/cache v0.9.0
+	github.com/fluxcd/pkg/git v0.32.0
+	github.com/fluxcd/pkg/git/gogit v0.35.1
+	github.com/fluxcd/pkg/gittestserver v0.17.0
+	github.com/fluxcd/pkg/helmtestserver v0.24.0
+	github.com/fluxcd/pkg/lockedfile v0.6.0
+	github.com/fluxcd/pkg/masktoken v0.7.0
+	github.com/fluxcd/pkg/oci v0.49.0
+	github.com/fluxcd/pkg/runtime v0.60.0
+	github.com/fluxcd/pkg/sourceignore v0.12.0
+	github.com/fluxcd/pkg/ssh v0.19.0
+	github.com/fluxcd/pkg/tar v0.12.0
+	github.com/fluxcd/pkg/testserver v0.11.0
+	github.com/fluxcd/pkg/version v0.7.0
+	github.com/fluxcd/source-controller/api v1.6.0
+	github.com/foxcpp/go-mockdns v1.1.0
+	github.com/go-git/go-billy/v5 v5.6.2
+	github.com/go-git/go-git/v5 v5.16.2
+	github.com/go-logr/logr v1.4.2
+	github.com/google/go-containerregistry v0.20.5
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20241111191718-6bce25ecf029
+	github.com/google/uuid v1.6.0
+	github.com/minio/minio-go/v7 v7.0.92
+	github.com/notaryproject/notation-core-go v1.3.0
+	github.com/notaryproject/notation-go v1.3.2
+	github.com/onsi/gomega v1.37.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/go-digest/blake3 v0.0.0-20220411205349-bde1400a84be
-	github.com/ory/dockertest/v3 v3.10.0
-	github.com/otiai10/copy v1.11.0
+	github.com/opencontainers/go-digest/blake3 v0.0.0-20240426182413-22b78e47854a
+	github.com/opencontainers/image-spec v1.1.1
+	github.com/ory/dockertest/v3 v3.12.0
+	github.com/otiai10/copy v1.14.1
 	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
-	github.com/prometheus/client_golang v1.15.1
-	github.com/sigstore/cosign v1.13.1
-	github.com/sigstore/sigstore v1.5.2
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.9.0
-	golang.org/x/sync v0.2.0
-	google.golang.org/api v0.121.0
+	github.com/prometheus/client_golang v1.22.0
+	github.com/sigstore/cosign/v2 v2.5.0
+	github.com/sigstore/sigstore v1.9.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/pflag v1.0.6
+	golang.org/x/crypto v0.39.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.15.0
+	google.golang.org/api v0.227.0
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.11.3
-	k8s.io/api v0.26.3
-	k8s.io/apimachinery v0.26.3
-	k8s.io/client-go v0.26.3
-	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749
-	sigs.k8s.io/cli-utils v0.34.0
-	sigs.k8s.io/controller-runtime v0.14.6
-	sigs.k8s.io/yaml v1.3.0
+	helm.sh/helm/v3 v3.17.3
+	k8s.io/api v0.33.0
+	k8s.io/apimachinery v0.33.0
+	k8s.io/client-go v0.33.0
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	oras.land/oras-go/v2 v2.5.0
+	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
-	bitbucket.org/creachadair/shell v0.0.7 // indirect
-	cloud.google.com/go v0.110.0 // indirect
-	cloud.google.com/go/compute v1.19.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.13.0 // indirect
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	cloud.google.com/go v0.118.3 // indirect
+	cloud.google.com/go/auth v0.15.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/iam v1.4.1 // indirect
+	cloud.google.com/go/monitoring v1.24.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/Masterminds/squirrel v1.5.3 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
-	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
 	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
 	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
-	github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
-	github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.0 // indirect
 	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
-	github.com/alibabacloud-go/openapi-util v0.0.11 // indirect
-	github.com/alibabacloud-go/tea v1.1.18 // indirect
-	github.com/alibabacloud-go/tea-utils v1.4.4 // indirect
-	github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
-	github.com/aliyun/credentials-go v1.2.3 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go-v2 v1.17.7 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.18.19 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20221004211355-a250ad2ca1e3 // indirect
-	github.com/benbjohnson/clock v1.1.0 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+	github.com/alibabacloud-go/tea v1.2.1 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.2 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.43.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/bradleyfalzon/ghinstallation/v2 v2.15.0 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
-	github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd // indirect
-	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
-	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/buildkite/agent/v3 v3.95.1 // indirect
+	github.com/buildkite/go-pipeline v0.13.3 // indirect
+	github.com/buildkite/interpolate v0.1.5 // indirect
+	github.com/buildkite/roko v1.3.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/chrismellard/docker-credential-acr-env v0.0.0-20221002210726-e883f69e0206 // indirect
-	github.com/clbanning/mxj/v2 v2.5.6 // indirect
-	github.com/cloudflare/circl v1.3.2 // indirect
-	github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
-	github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
-	github.com/containerd/containerd v1.7.0 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
-	github.com/coreos/go-semver v0.3.0 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
-	github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/distribution v2.8.1+incompatible // indirect
-	github.com/docker/docker v23.0.5+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v28.1.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane v0.10.3 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/fatih/color v1.17.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fluxcd/gitkit v0.6.0 // indirect
-	github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
-	github.com/fluxcd/pkg/tar v0.2.0 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/fullstorydev/grpcurl v1.8.7 // indirect
+	github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-errors/errors v1.4.2 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-logr/zapr v1.2.3 // indirect
-	github.com/go-openapi/analysis v0.21.4 // indirect
-	github.com/go-openapi/errors v0.20.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.20.0 // indirect
-	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.24.2 // indirect
-	github.com/go-openapi/spec v0.20.7 // indirect
-	github.com/go-openapi/strfmt v0.21.3 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-openapi/validate v0.22.0 // indirect
-	github.com/go-piv/piv-go v1.10.0 // indirect
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator/v10 v10.11.0 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-piv/piv-go/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gofrs/uuid v4.2.0+incompatible // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang/glog v1.0.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/mock v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomodule/redigo v1.8.2 // indirect
-	github.com/google/btree v1.1.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.3 // indirect
-	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221017135236-9b4fdd506cdd // indirect
-	github.com/google/go-github/v45 v45.2.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/certificate-transparency-go v1.3.1 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230516205744-dbecb1de8cfa // indirect
+	github.com/google/go-github/v55 v55.0.0 // indirect
+	github.com/google/go-github/v71 v71.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.3 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/trillian v1.5.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
-	github.com/gorilla/handlers v1.5.1 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/golang-lru/arc/v2 v2.0.5 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/in-toto/attestation v1.1.1 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
-	github.com/jhump/protoreflect v1.14.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/jmoiron/sqlx v1.3.5 // indirect
-	github.com/jonboulle/clockwork v0.3.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
-	github.com/lib/pq v1.10.7 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/notaryproject/notation-plugin-framework-go v1.0.0 // indirect
+	github.com/notaryproject/tspclient-go v1.0.0 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
-	github.com/opencontainers/runc v1.1.5 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
+	github.com/opencontainers/runc v1.2.4 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
+	github.com/otiai10/mint v1.6.3 // indirect
+	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pjbgf/sha1cd v0.2.3 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
-	github.com/rivo/uniseg v0.4.2 // indirect
-	github.com/rs/xid v1.4.0 // indirect
-	github.com/rubenv/sql-migrate v1.3.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 // indirect
+	github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 // indirect
+	github.com/redis/go-redis/v9 v9.7.3 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rs/xid v1.6.0 // indirect
+	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
-	github.com/sigstore/fulcio v0.6.0 // indirect
-	github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect
-	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sigstore/fulcio v1.6.6 // indirect
+	github.com/sigstore/protobuf-specs v0.4.1 // indirect
+	github.com/sigstore/rekor v1.3.9 // indirect
+	github.com/sigstore/sigstore-go v0.7.1 // indirect
+	github.com/sigstore/timestamp-authority v1.2.5 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/soheilhy/cmux v0.1.5 // indirect
-	github.com/spf13/afero v1.9.2 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.7.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.13.0 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.1.1 // indirect
-	github.com/stretchr/testify v1.8.2 // indirect
-	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
-	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
-	github.com/theupdateframework/go-tuf v0.5.2 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect
+	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
-	github.com/tjfoc/gmsm v1.3.2 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
-	github.com/transparency-dev/merkle v0.0.1 // indirect
-	github.com/urfave/cli v1.22.12 // indirect
-	github.com/vbatts/tar-split v0.11.3 // indirect
-	github.com/xanzy/go-gitlab v0.73.1 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
-	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
-	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 // indirect
-	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
-	github.com/zeebo/blake3 v0.1.1 // indirect
-	github.com/zeebo/errs v1.2.2 // indirect
-	go.etcd.io/bbolt v1.3.7 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/v2 v2.306.0-alpha.0 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/server/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0 // indirect
-	go.etcd.io/etcd/v3 v3.6.0-alpha.0 // indirect
-	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect
-	go.opentelemetry.io/otel v1.14.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 // indirect
-	go.opentelemetry.io/otel/metric v0.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.14.0 // indirect
-	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.8.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	google.golang.org/grpc v1.54.0 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/zeebo/blake3 v0.2.3 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	gitlab.com/gitlab-org/api/client-go v0.127.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
+	go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.54.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 // indirect
+	go.opentelemetry.io/otel/log v0.8.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/grpc v1.71.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.1 // indirect
-	k8s.io/apiserver v0.26.2 // indirect
-	k8s.io/cli-runtime v0.26.0 // indirect
-	k8s.io/component-base v0.26.3 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20221110221610-a28e98eb7c70 // indirect
-	k8s.io/kubectl v0.26.0 // indirect
-	oras.land/oras-go v1.2.2 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.12.1 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
-	sigs.k8s.io/release-utils v0.7.3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/apiextensions-apiserver v0.33.0 // indirect
+	k8s.io/apiserver v0.33.0 // indirect
+	k8s.io/cli-runtime v0.33.0 // indirect
+	k8s.io/component-base v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/kubectl v0.33.0 // indirect
+	oras.land/oras-go v1.2.5 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/api v0.19.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/release-utils v0.11.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )
 
 retract v0.32.0 // Refers to incorrect ./api version.

hack/boilerplate.go.txt

@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Flux authors
+Copyright 2024 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

hack/ci/e2e.sh

@@ -6,16 +6,14 @@ CREATE_CLUSTER="${CREATE_CLUSTER:-true}"
 KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"
 LOAD_IMG_INTO_KIND="${LOAD_IMG_INTO_KIND:-true}"
 BUILD_PLATFORM="${BUILD_PLATFORM:-linux/amd64}"
-MINIO_HELM_VER="${MINIO_HELM_VER:-v6.3.1}"
-# Older tags do not bundle multiple architectures. Newer tags are 5-6 times larger.
-MINIO_TAG="${MINIO_TAG:-RELEASE.2020-09-17T04-49-20Z}"
+MINIO_HELM_VER="${MINIO_HELM_VER:-12.10.3}"
 
 IMG=test/source-controller
 TAG=latest
 
-MC_RELEASE=mc.RELEASE.2021-12-16T23-38-39Z
-MC_AMD64_SHA256=d14302bbdaa180a073c1627ff9fbf55243221e33d47e32df61a950f635810978
-MC_ARM64_SHA256=00791995bf8d102e3159e23b3af2f5e6f4c784fafd88c60161dcf3f0169aa217
+MC_RELEASE=mc.RELEASE.2023-11-20T16-30-59Z
+MC_AMD64_SHA256=fdd901a5169d676f32483f9a2de977b7ff3a4fe83e254dcbc35e7a1545591565
+MC_ARM64_SHA256=09816180f560875d344dc436ed4ec1348b3ff0c836ae9cf0415fef602489cc11
 
 ROOT_DIR="$(git rev-parse --show-toplevel)"
 BUILD_DIR="${ROOT_DIR}/build"
@@ -75,7 +73,6 @@ kubectl -n source-system rollout status deploy/source-controller --timeout=1m
 kubectl -n source-system wait gitrepository/gitrepository-sample --for=condition=ready --timeout=1m
 kubectl -n source-system wait ocirepository/ocirepository-sample --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmrepository/helmrepository-sample --for=condition=ready --timeout=1m
-kubectl -n source-system wait helmrepository/helmrepository-sample-oci --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/helmchart-sample --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/helmchart-sample-oci --for=condition=ready --timeout=1m
 kubectl -n source-system delete -f "${ROOT_DIR}/config/samples"
@@ -88,15 +85,14 @@ kubectl -n source-system delete -f "${ROOT_DIR}/config/testdata/helmchart-values
 
 echo "Setup Minio"
 kubectl create ns minio
-helm repo add minio https://helm.min.io/ --force-update
-helm upgrade minio minio/minio --wait -i \
+helm upgrade minio oci://registry-1.docker.io/bitnamicharts/minio --wait -i \
     --version "${MINIO_HELM_VER}" \
+    --timeout 10m0s \
     --namespace minio \
-    --set accessKey=myaccesskey \
-    --set secretKey=mysecretkey \
+    --set auth.rootUser=myaccesskey \
+    --set auth.rootPassword=mysecretkey \
     --set resources.requests.memory=128Mi \
-    --set persistence.enable=false \
-    --set image.tag="${MINIO_TAG}"
+    --set persistence.enable=false
 kubectl -n minio port-forward svc/minio 9000:9000 &>/dev/null &
 
 sleep 2
@@ -145,10 +141,15 @@ kubectl -n source-system wait gitrepository/large-repo --for=condition=ready --t
 
 echo "Run HelmChart from OCI registry tests"
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/source.yaml"
-kubectl -n source-system wait helmrepository/podinfo --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/podinfo --for=condition=ready --timeout=1m
 kubectl -n source-system wait helmchart/podinfo-keyless --for=condition=ready --timeout=1m
 
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/helmchart-from-oci/notation.yaml"
+curl -sSLo notation.crt https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/notation.crt
+curl -sSLo trustpolicy.json https://raw.githubusercontent.com/stefanprodan/podinfo/master/.notation/trustpolicy.json
+kubectl -n source-system create secret generic notation-config --from-file=notation.crt --from-file=trustpolicy.json --dry-run=client -o yaml | kubectl apply -f -
+kubectl -n source-system wait helmchart/podinfo-notation --for=condition=ready --timeout=1m
+
 echo "Run OCIRepository verify tests"
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-key.yaml"
 kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-keyless.yaml"
@@ -157,3 +158,6 @@ kubectl -n source-system create secret generic cosign-key --from-file=cosign.pub
 
 kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-key --for=condition=ready --timeout=1m
 kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-keyless --for=condition=ready --timeout=1m
+
+kubectl -n source-system apply -f "${ROOT_DIR}/config/testdata/ocirepository/signed-with-notation.yaml"
+kubectl -n source-system wait ocirepository/podinfo-deploy-signed-with-notation --for=condition=ready --timeout=1m

internal/cache/cache.go

@@ -132,7 +132,7 @@ func (c *cache) Delete(key string) {
 }
 
 // Clear all items from the cache.
-// This reallocate the inderlying array holding the items,
+// This reallocates the underlying array holding the items,
 // so that the memory used by the items is reclaimed.
 func (c *cache) Clear() {
 	c.mu.Lock()
@@ -163,11 +163,10 @@ func (c *cache) HasExpired(key string) bool {
 func (c *cache) SetExpiration(key string, expiration time.Duration) {
 	c.mu.Lock()
 	item, ok := c.Items[key]
-	if !ok {
-		c.mu.Unlock()
-		return
+	if ok {
+		item.Expiration = time.Now().Add(expiration).UnixNano()
+		c.Items[key] = item
 	}
-	item.Expiration = time.Now().Add(expiration).UnixNano()
 	c.mu.Unlock()
 }
 

internal/cache/cache_test.go

@@ -85,3 +85,55 @@ func TestCache(t *testing.T) {
 	g.Expect(found).To(BeFalse())
 	g.Expect(item).To(BeNil())
 }
+
+func TestCacheExpiration(t *testing.T) {
+	g := NewWithT(t)
+	cache := New(10, 0)
+
+	key := "testKey"
+	value := "testValue"
+	expiration := 1 * time.Second
+
+	err := cache.Add(key, value, expiration)
+	g.Expect(err).ToNot(HaveOccurred())
+
+	newExpiration := 2 * time.Second
+	cache.SetExpiration(key, newExpiration)
+	actualExpiration := cache.GetExpiration(key)
+
+	g.Expect(actualExpiration).Should(BeNumerically("~", newExpiration, 100*time.Millisecond))
+
+	g.Expect(cache.HasExpired(key)).To(BeFalse())
+
+	time.Sleep(newExpiration + 100*time.Millisecond)
+
+	g.Expect(cache.HasExpired(key)).To(BeTrue())
+
+	g.Expect(cache.GetExpiration(key)).To(BeZero())
+
+	nonExistentKey := "nonExistent"
+	cache.SetExpiration(nonExistentKey, 1*time.Second)
+	g.Expect(cache.GetExpiration(nonExistentKey)).To(BeZero())
+
+	g.Expect(cache.HasExpired(nonExistentKey)).To(BeTrue())
+}
+
+func TestCacheDeleteClear(t *testing.T) {
+	g := NewWithT(t)
+	cache := New(3, 0)
+
+	err := cache.Add("key1", "value1", 0)
+	g.Expect(err).ToNot(HaveOccurred())
+	err = cache.Add("key2", "value2", 0)
+	g.Expect(err).ToNot(HaveOccurred())
+	err = cache.Add("key3", "value3", 0)
+	g.Expect(err).ToNot(HaveOccurred())
+
+	cache.Delete("key2")
+	_, found := cache.Get("key2")
+	g.Expect(found).To(BeFalse())
+	g.Expect(cache.ItemCount()).To(Equal(2))
+
+	cache.Clear()
+	g.Expect(cache.ItemCount()).To(Equal(0))
+}

internal/cache/metrics.go

@@ -67,6 +67,11 @@ func (r *CacheRecorder) IncCacheEvents(event, name, namespace string) {
 	r.cacheEventsCounter.WithLabelValues(event, name, namespace).Inc()
 }
 
+// DeleteCacheEvent deletes the cache event metric.
+func (r *CacheRecorder) DeleteCacheEvent(event, name, namespace string) {
+	r.cacheEventsCounter.DeleteLabelValues(event, name, namespace)
+}
+
 // MustMakeMetrics creates a new CacheRecorder, and registers the metrics collectors in the controller-runtime metrics registry.
 func MustMakeMetrics() *CacheRecorder {
 	r := NewCacheRecorder()

internal/controller/bucket_controller.go

@@ -18,8 +18,10 @@ package controller
 
 import (
 	"context"
+	stdtls "crypto/tls"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -32,30 +34,31 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	kuberecorder "k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/ratelimiter"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
+	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	helper "github.com/fluxcd/pkg/runtime/controller"
+	"github.com/fluxcd/pkg/runtime/jitter"
 	"github.com/fluxcd/pkg/runtime/patch"
 	"github.com/fluxcd/pkg/runtime/predicates"
 	rreconcile "github.com/fluxcd/pkg/runtime/reconcile"
-
-	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/sourceignore"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	bucketv1 "github.com/fluxcd/source-controller/api/v1beta2"
 	intdigest "github.com/fluxcd/source-controller/internal/digest"
 	serror "github.com/fluxcd/source-controller/internal/error"
 	"github.com/fluxcd/source-controller/internal/index"
 	sreconcile "github.com/fluxcd/source-controller/internal/reconcile"
 	"github.com/fluxcd/source-controller/internal/reconcile/summarize"
+	"github.com/fluxcd/source-controller/internal/tls"
 	"github.com/fluxcd/source-controller/pkg/azure"
 	"github.com/fluxcd/source-controller/pkg/gcp"
 	"github.com/fluxcd/source-controller/pkg/minio"
@@ -74,7 +77,7 @@ import (
 const maxConcurrentBucketFetches = 100
 
 // bucketReadyCondition contains the information required to summarize a
-// v1beta2.Bucket Ready Condition.
+// v1.Bucket Ready Condition.
 var bucketReadyCondition = summarize.Conditions{
 	Target: meta.ReadyCondition,
 	Owned: []string{
@@ -114,7 +117,7 @@ var bucketFailConditions = []string{
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=buckets/finalizers,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
-// BucketReconciler reconciles a v1beta2.Bucket object.
+// BucketReconciler reconciles a v1.Bucket object.
 type BucketReconciler struct {
 	client.Client
 	kuberecorder.EventRecorder
@@ -127,8 +130,7 @@ type BucketReconciler struct {
 }
 
 type BucketReconcilerOptions struct {
-	MaxConcurrentReconciles int
-	RateLimiter             ratelimiter.RateLimiter
+	RateLimiter workqueue.TypedRateLimiter[reconcile.Request]
 }
 
 // BucketProvider is an interface for fetching objects from a storage provider
@@ -145,7 +147,7 @@ type BucketProvider interface {
 	// bucket, calling visit for every item.
 	// If the underlying client or the visit callback returns an error,
 	// it returns early.
-	VisitObjects(ctx context.Context, bucketName string, visit func(key, etag string) error) error
+	VisitObjects(ctx context.Context, bucketName string, prefix string, visit func(key, etag string) error) error
 	// ObjectIsNotFound returns true if the given error indicates an object
 	// could not be found.
 	ObjectIsNotFound(error) bool
@@ -153,10 +155,10 @@ type BucketProvider interface {
 	Close(context.Context)
 }
 
-// bucketReconcileFunc is the function type for all the v1beta2.Bucket
+// bucketReconcileFunc is the function type for all the v1.Bucket
 // (sub)reconcile functions. The type implementations are grouped and
 // executed serially to perform the complete reconcile of the object.
-type bucketReconcileFunc func(ctx context.Context, sp *patch.SerialPatcher, obj *bucketv1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error)
+type bucketReconcileFunc func(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error)
 
 func (r *BucketReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return r.SetupWithManagerAndOptions(mgr, BucketReconcilerOptions{})
@@ -166,11 +168,10 @@ func (r *BucketReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, opts Buc
 	r.patchOptions = getPatchOptions(bucketReadyCondition.Owned, r.ControllerName)
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&bucketv1.Bucket{}).
+		For(&sourcev1.Bucket{}).
 		WithEventFilter(predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{})).
 		WithOptions(controller.Options{
-			MaxConcurrentReconciles: opts.MaxConcurrentReconciles,
-			RateLimiter:             opts.RateLimiter,
+			RateLimiter: opts.RateLimiter,
 		}).
 		Complete(r)
 }
@@ -180,14 +181,11 @@ func (r *BucketReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	log := ctrl.LoggerFrom(ctx)
 
 	// Fetch the Bucket
-	obj := &bucketv1.Bucket{}
+	obj := &sourcev1.Bucket{}
 	if err := r.Get(ctx, req.NamespacedName, obj); err != nil {
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
-	// Record suspended status metric
-	r.RecordSuspend(ctx, obj, obj.Spec.Suspend)
-
 	// Initialize the patch helper with the current version of the object.
 	serialPatcher := patch.NewSerialPatcher(obj, r.Client)
 
@@ -204,29 +202,33 @@ func (r *BucketReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 			summarize.WithReconcileError(retErr),
 			summarize.WithIgnoreNotFound(),
 			summarize.WithProcessors(
-				summarize.RecordContextualError,
+				summarize.ErrorActionHandler,
 				summarize.RecordReconcileReq,
 			),
-			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{RequeueAfter: obj.GetRequeueAfter()}),
+			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{
+				RequeueAfter: jitter.JitteredIntervalDuration(obj.GetRequeueAfter()),
+			}),
 			summarize.WithPatchFieldOwner(r.ControllerName),
 		}
 		result, retErr = summarizeHelper.SummarizeAndPatch(ctx, obj, summarizeOpts...)
 
-		// Always record readiness and duration metrics
-		r.Metrics.RecordReadiness(ctx, obj)
+		// Always record duration metrics.
 		r.Metrics.RecordDuration(ctx, obj, start)
 	}()
 
-	// Add finalizer first if not exist to avoid the race condition between init and delete
-	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
-		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
-		recResult = sreconcile.ResultRequeue
+	// Examine if the object is under deletion.
+	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
+		recResult, retErr = r.reconcileDelete(ctx, obj)
 		return
 	}
 
-	// Examine if the object is under deletion
-	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
-		recResult, retErr = r.reconcileDelete(ctx, obj)
+	// Add finalizer first if not exist to avoid the race condition between init
+	// and delete.
+	// Note: Finalizers in general can only be added when the deletionTimestamp
+	// is not set.
+	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
+		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
+		recResult = sreconcile.ResultRequeue
 		return
 	}
 
@@ -250,7 +252,7 @@ func (r *BucketReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 // reconcile iterates through the bucketReconcileFunc tasks for the
 // object. It returns early on the first call that returns
 // reconcile.ResultRequeue, or produces an error.
-func (r *BucketReconciler) reconcile(ctx context.Context, sp *patch.SerialPatcher, obj *bucketv1.Bucket, reconcilers []bucketReconcileFunc) (sreconcile.Result, error) {
+func (r *BucketReconciler) reconcile(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, reconcilers []bucketReconcileFunc) (sreconcile.Result, error) {
 	oldObj := obj.DeepCopy()
 
 	rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason, "reconciliation in progress")
@@ -266,22 +268,22 @@ func (r *BucketReconciler) reconcile(ctx context.Context, sp *patch.SerialPatche
 		rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason,
 			"processing object: new generation %d -> %d", obj.Status.ObservedGeneration, obj.Generation)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	case recAtVal != obj.Status.GetLastHandledReconcileRequest():
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	}
 
 	// Create temp working dir
 	tmpDir, err := os.MkdirTemp("", fmt.Sprintf("%s-%s-%s-", obj.Kind, obj.Namespace, obj.Name))
 	if err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to create temporary working directory: %w", err),
-			Reason: sourcev1.DirCreationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to create temporary working directory: %w", err),
+			sourcev1.DirCreationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	defer func() {
@@ -321,7 +323,7 @@ func (r *BucketReconciler) reconcile(ctx context.Context, sp *patch.SerialPatche
 }
 
 // notify emits notification related to the reconciliation.
-func (r *BucketReconciler) notify(ctx context.Context, oldObj, newObj *bucketv1.Bucket, index *index.Digester, res sreconcile.Result, resErr error) {
+func (r *BucketReconciler) notify(ctx context.Context, oldObj, newObj *sourcev1.Bucket, index *index.Digester, res sreconcile.Result, resErr error) {
 	// Notify successful reconciliation for new artifact and recovery from any
 	// failure.
 	if resErr == nil && res == sreconcile.ResultSuccess && newObj.Status.Artifact != nil {
@@ -359,18 +361,36 @@ func (r *BucketReconciler) notify(ctx context.Context, oldObj, newObj *bucketv1.
 // condition is added.
 // The hostname of any URL in the Status of the object are updated, to ensure
 // they match the Storage server hostname of current runtime.
-func (r *BucketReconciler) reconcileStorage(ctx context.Context, sp *patch.SerialPatcher, obj *bucketv1.Bucket, _ *index.Digester, _ string) (sreconcile.Result, error) {
+func (r *BucketReconciler) reconcileStorage(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, _ *index.Digester, _ string) (sreconcile.Result, error) {
 	// Garbage collect previous advertised artifact(s) from storage
 	_ = r.garbageCollect(ctx, obj)
 
-	// Determine if the advertised artifact is still in storage
 	var artifactMissing bool
-	if artifact := obj.GetArtifact(); artifact != nil && !r.Storage.ArtifactExist(*artifact) {
-		obj.Status.Artifact = nil
-		obj.Status.URL = ""
-		artifactMissing = true
-		// Remove the condition as the artifact doesn't exist.
-		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
+	if artifact := obj.GetArtifact(); artifact != nil {
+		// Determine if the advertised artifact is still in storage
+		if !r.Storage.ArtifactExist(*artifact) {
+			artifactMissing = true
+		}
+
+		// If the artifact is in storage, verify if the advertised digest still
+		// matches the actual artifact
+		if !artifactMissing {
+			if err := r.Storage.VerifyArtifact(*artifact); err != nil {
+				r.Eventf(obj, corev1.EventTypeWarning, "ArtifactVerificationFailed", "failed to verify integrity of artifact: %s", err.Error())
+
+				if err = r.Storage.Remove(*artifact); err != nil {
+					return sreconcile.ResultEmpty, fmt.Errorf("failed to remove artifact after digest mismatch: %w", err)
+				}
+
+				artifactMissing = true
+			}
+		}
+
+		// If the artifact is missing, remove it from the object
+		if artifactMissing {
+			obj.Status.Artifact = nil
+			obj.Status.URL = ""
+		}
 	}
 
 	// Record that we do not have an artifact
@@ -379,10 +399,10 @@ func (r *BucketReconciler) reconcileStorage(ctx context.Context, sp *patch.Seria
 		if artifactMissing {
 			msg += ": disappeared from storage"
 		}
-		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, msg)
+		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "%s", msg)
 		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 		return sreconcile.ResultSuccess, nil
 	}
@@ -398,59 +418,132 @@ func (r *BucketReconciler) reconcileStorage(ctx context.Context, sp *patch.Seria
 // reconcileSource fetches the upstream bucket contents with the client for the
 // given object's Provider, and returns the result.
 // When a SecretRef is defined, it attempts to fetch the Secret before calling
-// the provider. If this fails, it records v1beta2.FetchFailedCondition=True on
+// the provider. If this fails, it records v1.FetchFailedCondition=True on
 // the object and returns early.
-func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.SerialPatcher, obj *bucketv1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error) {
-	secret, err := r.getBucketSecret(ctx, obj)
+func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error) {
+	secret, err := r.getSecret(ctx, obj.Spec.SecretRef, obj.GetNamespace())
 	if err != nil {
-		e := &serror.Event{Err: err, Reason: sourcev1.AuthenticationFailedReason}
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+		e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		// Return error as the world as observed may change
 		return sreconcile.ResultEmpty, e
 	}
+	proxyURL, err := r.getProxyURL(ctx, obj)
+	if err != nil {
+		e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+		return sreconcile.ResultEmpty, e
+	}
 
 	// Construct provider client
 	var provider BucketProvider
 	switch obj.Spec.Provider {
-	case bucketv1.GoogleBucketProvider:
+	case sourcev1.BucketProviderGoogle:
 		if err = gcp.ValidateSecret(secret); err != nil {
-			e := &serror.Event{Err: err, Reason: sourcev1.AuthenticationFailedReason}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
-		if provider, err = gcp.NewClient(ctx, secret); err != nil {
-			e := &serror.Event{Err: err, Reason: "ClientError"}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+		var opts []gcp.Option
+		if secret != nil {
+			opts = append(opts, gcp.WithSecret(secret))
+		}
+		if proxyURL != nil {
+			opts = append(opts, gcp.WithProxyURL(proxyURL))
+		}
+		if provider, err = gcp.NewClient(ctx, opts...); err != nil {
+			e := serror.NewGeneric(err, "ClientError")
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
-	case bucketv1.AzureBucketProvider:
+	case sourcev1.BucketProviderAzure:
 		if err = azure.ValidateSecret(secret); err != nil {
-			e := &serror.Event{Err: err, Reason: sourcev1.AuthenticationFailedReason}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
-		if provider, err = azure.NewClient(obj, secret); err != nil {
-			e := &serror.Event{Err: err, Reason: "ClientError"}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+		var opts []azure.Option
+		if secret != nil {
+			opts = append(opts, azure.WithSecret(secret))
+		}
+		if proxyURL != nil {
+			opts = append(opts, azure.WithProxyURL(proxyURL))
+		}
+		if provider, err = azure.NewClient(obj, opts...); err != nil {
+			e := serror.NewGeneric(err, "ClientError")
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	default:
 		if err = minio.ValidateSecret(secret); err != nil {
-			e := &serror.Event{Err: err, Reason: sourcev1.AuthenticationFailedReason}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
-		if provider, err = minio.NewClient(obj, secret); err != nil {
-			e := &serror.Event{Err: err, Reason: "ClientError"}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+		tlsConfig, err := r.getTLSConfig(ctx, obj.Spec.CertSecretRef, obj.GetNamespace(), obj.Spec.Endpoint)
+		if err != nil {
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return sreconcile.ResultEmpty, e
+		}
+		stsSecret, err := r.getSTSSecret(ctx, obj)
+		if err != nil {
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return sreconcile.ResultEmpty, e
+		}
+		stsTLSConfig, err := r.getSTSTLSConfig(ctx, obj)
+		if err != nil {
+			err := fmt.Errorf("failed to get STS TLS config: %w", err)
+			e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return sreconcile.ResultEmpty, e
+		}
+		if sts := obj.Spec.STS; sts != nil {
+			if err := minio.ValidateSTSProvider(obj.Spec.Provider, sts); err != nil {
+				e := serror.NewStalling(err, sourcev1.InvalidSTSConfigurationReason)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return sreconcile.ResultEmpty, e
+			}
+			if _, err := url.Parse(sts.Endpoint); err != nil {
+				err := fmt.Errorf("failed to parse STS endpoint '%s': %w", sts.Endpoint, err)
+				e := serror.NewStalling(err, sourcev1.URLInvalidReason)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return sreconcile.ResultEmpty, e
+			}
+			if err := minio.ValidateSTSSecret(sts.Provider, stsSecret); err != nil {
+				e := serror.NewGeneric(err, sourcev1.AuthenticationFailedReason)
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+				return sreconcile.ResultEmpty, e
+			}
+		}
+		var opts []minio.Option
+		if secret != nil {
+			opts = append(opts, minio.WithSecret(secret))
+		}
+		if tlsConfig != nil {
+			opts = append(opts, minio.WithTLSConfig(tlsConfig))
+		}
+		if proxyURL != nil {
+			opts = append(opts, minio.WithProxyURL(proxyURL))
+		}
+		if stsSecret != nil {
+			opts = append(opts, minio.WithSTSSecret(stsSecret))
+		}
+		if stsTLSConfig != nil {
+			opts = append(opts, minio.WithSTSTLSConfig(stsTLSConfig))
+		}
+		if provider, err = minio.NewClient(obj, opts...); err != nil {
+			e := serror.NewGeneric(err, "ClientError")
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	}
 
 	// Fetch etag index
 	if err = fetchEtagIndex(ctx, provider, obj, index, dir); err != nil {
-		e := &serror.Event{Err: err, Reason: bucketv1.BucketOperationFailedReason}
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+		e := serror.NewGeneric(err, sourcev1.BucketOperationFailedReason)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -471,7 +564,7 @@ func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.Serial
 
 			message := fmt.Sprintf("new upstream revision '%s'", revision)
 			if obj.GetArtifact() != nil {
-				conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", message)
+				conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", "%s", message)
 			}
 			rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
 			if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
@@ -481,8 +574,8 @@ func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.Serial
 		}()
 
 		if err = fetchIndexFiles(ctx, provider, obj, index, dir); err != nil {
-			e := &serror.Event{Err: err, Reason: bucketv1.BucketOperationFailedReason}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Error())
+			e := serror.NewGeneric(err, sourcev1.BucketOperationFailedReason)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	}
@@ -495,12 +588,12 @@ func (r *BucketReconciler) reconcileSource(ctx context.Context, sp *patch.Serial
 // (Status) data on the object does not match the given.
 //
 // The inspection of the given data to the object is differed, ensuring any
-// stale observations like v1beta2.ArtifactOutdatedCondition are removed.
+// stale observations like v1.ArtifactOutdatedCondition are removed.
 // If the given Artifact does not differ from the object's current, it returns
 // early.
 // On a successful archive, the Artifact in the Status of the object is set,
 // and the symlink in the Storage is updated to its path.
-func (r *BucketReconciler) reconcileArtifact(ctx context.Context, sp *patch.SerialPatcher, obj *bucketv1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error) {
+func (r *BucketReconciler) reconcileArtifact(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.Bucket, index *index.Digester, dir string) (sreconcile.Result, error) {
 	// Calculate revision
 	revision := index.Digest(intdigest.Canonical)
 
@@ -530,46 +623,46 @@ func (r *BucketReconciler) reconcileArtifact(ctx context.Context, sp *patch.Seri
 
 	// Ensure target path exists and is a directory
 	if f, err := os.Stat(dir); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to stat source path: %w", err),
-			Reason: sourcev1.StatOperationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to stat source path: %w", err),
+			sourcev1.StatOperationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	} else if !f.IsDir() {
-		e := &serror.Event{
-			Err:    fmt.Errorf("source path '%s' is not a directory", dir),
-			Reason: sourcev1.InvalidPathReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("source path '%s' is not a directory", dir),
+			sourcev1.InvalidPathReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
 	// Ensure artifact directory exists and acquire lock
 	if err := r.Storage.MkdirAll(artifact); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to create artifact directory: %w", err),
-			Reason: sourcev1.DirCreationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to create artifact directory: %w", err),
+			sourcev1.DirCreationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	unlock, err := r.Storage.Lock(artifact)
 	if err != nil {
-		return sreconcile.ResultEmpty, &serror.Event{
-			Err:    fmt.Errorf("failed to acquire lock for artifact: %w", err),
-			Reason: meta.FailedReason,
-		}
+		return sreconcile.ResultEmpty, serror.NewGeneric(
+			fmt.Errorf("failed to acquire lock for artifact: %w", err),
+			meta.FailedReason,
+		)
 	}
 	defer unlock()
 
 	// Archive directory to storage
 	if err := r.Storage.Archive(&artifact, dir, nil); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("unable to archive artifact to storage: %s", err),
-			Reason: sourcev1.ArchiveOperationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("unable to archive artifact to storage: %s", err),
+			sourcev1.ArchiveOperationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -593,7 +686,7 @@ func (r *BucketReconciler) reconcileArtifact(ctx context.Context, sp *patch.Seri
 // reconcileDelete handles the deletion of the object.
 // It first garbage collects all Artifacts for the object from the Storage.
 // Removing the finalizer from the object if successful.
-func (r *BucketReconciler) reconcileDelete(ctx context.Context, obj *bucketv1.Bucket) (sreconcile.Result, error) {
+func (r *BucketReconciler) reconcileDelete(ctx context.Context, obj *sourcev1.Bucket) (sreconcile.Result, error) {
 	// Garbage collect the resource's artifacts
 	if err := r.garbageCollect(ctx, obj); err != nil {
 		// Return the error so we retry the failed garbage collection
@@ -612,13 +705,13 @@ func (r *BucketReconciler) reconcileDelete(ctx context.Context, obj *bucketv1.Bu
 // It removes all but the current Artifact from the Storage, unless the
 // deletion timestamp on the object is set. Which will result in the
 // removal of all Artifacts for the objects.
-func (r *BucketReconciler) garbageCollect(ctx context.Context, obj *bucketv1.Bucket) error {
+func (r *BucketReconciler) garbageCollect(ctx context.Context, obj *sourcev1.Bucket) error {
 	if !obj.DeletionTimestamp.IsZero() {
 		if deleted, err := r.Storage.RemoveAll(r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), "", "*")); err != nil {
-			return &serror.Event{
-				Err:    fmt.Errorf("garbage collection for deleted resource failed: %s", err),
-				Reason: "GarbageCollectionFailed",
-			}
+			return serror.NewGeneric(
+				fmt.Errorf("garbage collection for deleted resource failed: %s", err),
+				"GarbageCollectionFailed",
+			)
 		} else if deleted != "" {
 			r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "GarbageCollectionSucceeded",
 				"garbage collected artifacts for deleted resource")
@@ -629,29 +722,29 @@ func (r *BucketReconciler) garbageCollect(ctx context.Context, obj *bucketv1.Buc
 	if obj.GetArtifact() != nil {
 		delFiles, err := r.Storage.GarbageCollect(ctx, *obj.GetArtifact(), time.Second*5)
 		if err != nil {
-			return &serror.Event{
-				Err:    fmt.Errorf("garbage collection of artifacts failed: %w", err),
-				Reason: "GarbageCollectionFailed",
-			}
+			return serror.NewGeneric(
+				fmt.Errorf("garbage collection of artifacts failed: %w", err),
+				"GarbageCollectionFailed",
+			)
 		}
 		if len(delFiles) > 0 {
 			r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "GarbageCollectionSucceeded",
-				fmt.Sprintf("garbage collected %d artifacts", len(delFiles)))
+				"garbage collected %d artifacts", len(delFiles))
 			return nil
 		}
 	}
 	return nil
 }
 
-// getBucketSecret attempts to fetch the Secret reference if specified on the
-// obj. It returns any client error.
-func (r *BucketReconciler) getBucketSecret(ctx context.Context, obj *bucketv1.Bucket) (*corev1.Secret, error) {
-	if obj.Spec.SecretRef == nil {
+// getSecret attempts to fetch a Secret reference if specified. It returns any client error.
+func (r *BucketReconciler) getSecret(ctx context.Context, secretRef *meta.LocalObjectReference,
+	namespace string) (*corev1.Secret, error) {
+	if secretRef == nil {
 		return nil, nil
 	}
 	secretName := types.NamespacedName{
-		Namespace: obj.GetNamespace(),
-		Name:      obj.Spec.SecretRef.Name,
+		Namespace: namespace,
+		Name:      secretRef.Name,
 	}
 	secret := &corev1.Secret{}
 	if err := r.Get(ctx, secretName, secret); err != nil {
@@ -660,6 +753,68 @@ func (r *BucketReconciler) getBucketSecret(ctx context.Context, obj *bucketv1.Bu
 	return secret, nil
 }
 
+// getTLSConfig attempts to fetch a TLS configuration from the given
+// Secret reference, namespace and endpoint.
+func (r *BucketReconciler) getTLSConfig(ctx context.Context,
+	secretRef *meta.LocalObjectReference, namespace, endpoint string) (*stdtls.Config, error) {
+	certSecret, err := r.getSecret(ctx, secretRef, namespace)
+	if err != nil || certSecret == nil {
+		return nil, err
+	}
+	tlsConfig, _, err := tls.KubeTLSClientConfigFromSecret(*certSecret, endpoint)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create TLS config: %w", err)
+	}
+	if tlsConfig == nil {
+		return nil, fmt.Errorf("certificate secret does not contain any TLS configuration")
+	}
+	return tlsConfig, nil
+}
+
+// getProxyURL attempts to fetch a proxy URL from the object's proxy secret
+// reference.
+func (r *BucketReconciler) getProxyURL(ctx context.Context, obj *sourcev1.Bucket) (*url.URL, error) {
+	namespace := obj.GetNamespace()
+	proxySecret, err := r.getSecret(ctx, obj.Spec.ProxySecretRef, namespace)
+	if err != nil || proxySecret == nil {
+		return nil, err
+	}
+	proxyData := proxySecret.Data
+	address, ok := proxyData["address"]
+	if !ok {
+		return nil, fmt.Errorf("invalid proxy secret '%s/%s': key 'address' is missing",
+			namespace, obj.Spec.ProxySecretRef.Name)
+	}
+	proxyURL, err := url.Parse(string(address))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse proxy address '%s': %w", address, err)
+	}
+	user, hasUser := proxyData["username"]
+	password, hasPassword := proxyData["password"]
+	if hasUser || hasPassword {
+		proxyURL.User = url.UserPassword(string(user), string(password))
+	}
+	return proxyURL, nil
+}
+
+// getSTSSecret attempts to fetch the secret from the object's STS secret
+// reference.
+func (r *BucketReconciler) getSTSSecret(ctx context.Context, obj *sourcev1.Bucket) (*corev1.Secret, error) {
+	if obj.Spec.STS == nil {
+		return nil, nil
+	}
+	return r.getSecret(ctx, obj.Spec.STS.SecretRef, obj.GetNamespace())
+}
+
+// getSTSTLSConfig attempts to fetch the certificate secret from the object's
+// STS configuration.
+func (r *BucketReconciler) getSTSTLSConfig(ctx context.Context, obj *sourcev1.Bucket) (*stdtls.Config, error) {
+	if obj.Spec.STS == nil {
+		return nil, nil
+	}
+	return r.getTLSConfig(ctx, obj.Spec.STS.CertSecretRef, obj.GetNamespace(), obj.Spec.STS.Endpoint)
+}
+
 // eventLogf records events, and logs at the same time.
 //
 // This log is different from the debug log in the EventRecorder, in the sense
@@ -690,7 +845,7 @@ func (r *BucketReconciler) annotatedEventLogf(ctx context.Context,
 // bucket using the given provider, while filtering them using .sourceignore
 // rules. After fetching an object, the etag value in the index is updated to
 // the current value to ensure accuracy.
-func fetchEtagIndex(ctx context.Context, provider BucketProvider, obj *bucketv1.Bucket, index *index.Digester, tempDir string) error {
+func fetchEtagIndex(ctx context.Context, provider BucketProvider, obj *sourcev1.Bucket, index *index.Digester, tempDir string) error {
 	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
 	defer cancel()
 
@@ -708,7 +863,7 @@ func fetchEtagIndex(ctx context.Context, provider BucketProvider, obj *bucketv1.
 	path := filepath.Join(tempDir, sourceignore.IgnoreFile)
 	if _, err := provider.FGetObject(ctxTimeout, obj.Spec.BucketName, sourceignore.IgnoreFile, path); err != nil {
 		if !provider.ObjectIsNotFound(err) {
-			return err
+			return fmt.Errorf("failed to get Etag for '%s' object: %w", sourceignore.IgnoreFile, serror.SanitizeError(err))
 		}
 	}
 	ps, err := sourceignore.ReadIgnoreFile(path, nil)
@@ -722,7 +877,7 @@ func fetchEtagIndex(ctx context.Context, provider BucketProvider, obj *bucketv1.
 	matcher := sourceignore.NewMatcher(ps)
 
 	// Build up index
-	err = provider.VisitObjects(ctxTimeout, obj.Spec.BucketName, func(key, etag string) error {
+	err = provider.VisitObjects(ctxTimeout, obj.Spec.BucketName, obj.Spec.Prefix, func(key, etag string) error {
 		if strings.HasSuffix(key, "/") || key == sourceignore.IgnoreFile {
 			return nil
 		}
@@ -744,7 +899,7 @@ func fetchEtagIndex(ctx context.Context, provider BucketProvider, obj *bucketv1.
 // using the given provider, and stores them into tempDir. It downloads in
 // parallel, but limited to the maxConcurrentBucketFetches.
 // Given an index is provided, the bucket is assumed to exist.
-func fetchIndexFiles(ctx context.Context, provider BucketProvider, obj *bucketv1.Bucket, index *index.Digester, tempDir string) error {
+func fetchIndexFiles(ctx context.Context, provider BucketProvider, obj *sourcev1.Bucket, index *index.Digester, tempDir string) error {
 	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
 	defer cancel()
 
@@ -772,7 +927,7 @@ func fetchIndexFiles(ctx context.Context, provider BucketProvider, obj *bucketv1
 						index.Delete(k)
 						return nil
 					}
-					return fmt.Errorf("failed to get '%s' object: %w", k, err)
+					return fmt.Errorf("failed to get '%s' object: %w", k, serror.SanitizeError(err))
 				}
 				if t != etag {
 					index.Add(k, etag)

internal/controller/bucket_controller_fetch_test.go

@@ -27,7 +27,7 @@ import (
 	"gotest.tools/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/fluxcd/source-controller/internal/index"
 )
 
@@ -41,7 +41,7 @@ type mockBucketClient struct {
 	objects    map[string]mockBucketObject
 }
 
-var mockNotFound = fmt.Errorf("not found")
+var errMockNotFound = fmt.Errorf("not found")
 
 func (m mockBucketClient) BucketExists(_ context.Context, name string) (bool, error) {
 	return name == m.bucketName, nil
@@ -57,7 +57,7 @@ func (m mockBucketClient) FGetObject(_ context.Context, bucket, obj, path string
 	}
 	object, ok := m.objects[obj]
 	if !ok {
-		return "", mockNotFound
+		return "", errMockNotFound
 	}
 	if err := os.WriteFile(path, []byte(object.data), os.FileMode(0660)); err != nil {
 		return "", err
@@ -66,10 +66,10 @@ func (m mockBucketClient) FGetObject(_ context.Context, bucket, obj, path string
 }
 
 func (m mockBucketClient) ObjectIsNotFound(e error) bool {
-	return e == mockNotFound
+	return e == errMockNotFound
 }
 
-func (m mockBucketClient) VisitObjects(_ context.Context, _ string, f func(key, etag string) error) error {
+func (m mockBucketClient) VisitObjects(_ context.Context, _ string, _ string, f func(key, etag string) error) error {
 	for key, obj := range m.objects {
 		if err := f(key, obj.etag); err != nil {
 			return err
@@ -78,9 +78,7 @@ func (m mockBucketClient) VisitObjects(_ context.Context, _ string, f func(key,
 	return nil
 }
 
-func (m mockBucketClient) Close(_ context.Context) {
-	return
-}
+func (m mockBucketClient) Close(_ context.Context) {}
 
 func (m *mockBucketClient) addObject(key string, object mockBucketObject) {
 	if m.objects == nil {

internal/controller/gitrepository_controller.go

@@ -27,27 +27,34 @@ import (
 	"time"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/fluxcd/pkg/auth"
+	authutils "github.com/fluxcd/pkg/auth/utils"
+	"github.com/fluxcd/pkg/git/github"
 	"github.com/fluxcd/pkg/runtime/logger"
+	"github.com/go-git/go-git/v5/plumbing/transport"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	kuberecorder "k8s.io/client-go/tools/record"
-	"k8s.io/utils/pointer"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/ratelimiter"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/cache"
 	"github.com/fluxcd/pkg/git"
 	"github.com/fluxcd/pkg/git/gogit"
 	"github.com/fluxcd/pkg/git/repository"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	helper "github.com/fluxcd/pkg/runtime/controller"
+	"github.com/fluxcd/pkg/runtime/jitter"
 	"github.com/fluxcd/pkg/runtime/patch"
 	"github.com/fluxcd/pkg/runtime/predicates"
 	rreconcile "github.com/fluxcd/pkg/runtime/reconcile"
@@ -63,7 +70,7 @@ import (
 )
 
 // gitRepositoryReadyCondition contains the information required to summarize a
-// v1beta2.GitRepository Ready Condition.
+// v1.GitRepository Ready Condition.
 var gitRepositoryReadyCondition = summarize.Conditions{
 	Target: meta.ReadyCondition,
 	Owned: []string{
@@ -118,7 +125,7 @@ func getPatchOptions(ownedConditions []string, controllerName string) []patch.Op
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=gitrepositories/finalizers,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
-// GitRepositoryReconciler reconciles a v1beta2.GitRepository object.
+// GitRepositoryReconciler reconciles a v1.GitRepository object.
 type GitRepositoryReconciler struct {
 	client.Client
 	kuberecorder.EventRecorder
@@ -126,6 +133,7 @@ type GitRepositoryReconciler struct {
 
 	Storage        *Storage
 	ControllerName string
+	TokenCache     *cache.TokenCache
 
 	requeueDependency time.Duration
 	features          map[string]bool
@@ -134,13 +142,12 @@ type GitRepositoryReconciler struct {
 }
 
 type GitRepositoryReconcilerOptions struct {
-	MaxConcurrentReconciles   int
 	DependencyRequeueInterval time.Duration
-	RateLimiter               ratelimiter.RateLimiter
+	RateLimiter               workqueue.TypedRateLimiter[reconcile.Request]
 }
 
 // gitRepositoryReconcileFunc is the function type for all the
-// v1beta2.GitRepository (sub)reconcile functions.
+// v1.GitRepository (sub)reconcile functions.
 type gitRepositoryReconcileFunc func(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.GitRepository, commit *git.Commit, includes *artifactSet, dir string) (sreconcile.Result, error)
 
 func (r *GitRepositoryReconciler) SetupWithManager(mgr ctrl.Manager) error {
@@ -161,8 +168,7 @@ func (r *GitRepositoryReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, o
 			predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{}),
 		)).
 		WithOptions(controller.Options{
-			MaxConcurrentReconciles: opts.MaxConcurrentReconciles,
-			RateLimiter:             opts.RateLimiter,
+			RateLimiter: opts.RateLimiter,
 		}).
 		Complete(r)
 }
@@ -177,9 +183,6 @@ func (r *GitRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
-	// Record suspended status metric
-	r.RecordSuspend(ctx, obj, obj.Spec.Suspend)
-
 	// Initialize the patch helper with the current version of the object.
 	serialPatcher := patch.NewSerialPatcher(obj, r.Client)
 
@@ -200,27 +203,30 @@ func (r *GitRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 				summarize.ErrorActionHandler,
 				summarize.RecordReconcileReq,
 			),
-			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{RequeueAfter: obj.GetRequeueAfter()}),
+			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{
+				RequeueAfter: jitter.JitteredIntervalDuration(obj.GetRequeueAfter()),
+			}),
 			summarize.WithPatchFieldOwner(r.ControllerName),
 		}
 		result, retErr = summarizeHelper.SummarizeAndPatch(ctx, obj, summarizeOpts...)
 
-		// Always record readiness and duration metrics
-		r.Metrics.RecordReadiness(ctx, obj)
+		// Always record duration metrics.
 		r.Metrics.RecordDuration(ctx, obj, start)
 	}()
 
-	// Add finalizer first if not exist to avoid the race condition
-	// between init and delete
-	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
-		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
-		recResult = sreconcile.ResultRequeue
+	// Examine if the object is under deletion.
+	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
+		recResult, retErr = r.reconcileDelete(ctx, obj)
 		return
 	}
 
-	// Examine if the object is under deletion
-	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
-		recResult, retErr = r.reconcileDelete(ctx, obj)
+	// Add finalizer first if not exist to avoid the race condition
+	// between init and delete.
+	// Note: Finalizers in general can only be added when the deletionTimestamp
+	// is not set.
+	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
+		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
+		recResult = sreconcile.ResultRequeue
 		return
 	}
 
@@ -262,11 +268,11 @@ func (r *GitRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Seria
 		rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason,
 			"processing object: new generation %d -> %d", obj.Status.ObservedGeneration, obj.Generation)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	case recAtVal != obj.Status.GetLastHandledReconcileRequest():
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	}
 
@@ -277,7 +283,7 @@ func (r *GitRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Seria
 			fmt.Errorf("failed to create temporary working directory: %w", err),
 			sourcev1.DirCreationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	defer func() {
@@ -364,7 +370,7 @@ func (r *GitRepositoryReconciler) shouldNotify(oldObj, newObj *sourcev1.GitRepos
 	if resErr != nil && res == sreconcile.ResultEmpty && newObj.Status.Artifact != nil {
 		// Convert to Generic error and check for ignore.
 		if ge, ok := resErr.(*serror.Generic); ok {
-			return ge.Ignore == true
+			return ge.Ignore
 		}
 	}
 	return false
@@ -387,13 +393,31 @@ func (r *GitRepositoryReconciler) reconcileStorage(ctx context.Context, sp *patc
 	// Garbage collect previous advertised artifact(s) from storage
 	_ = r.garbageCollect(ctx, obj)
 
-	// Determine if the advertised artifact is still in storage
 	var artifactMissing bool
-	if artifact := obj.GetArtifact(); artifact != nil && !r.Storage.ArtifactExist(*artifact) {
-		obj.Status.Artifact = nil
-		artifactMissing = true
-		// Remove the condition as the artifact doesn't exist.
-		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
+	if artifact := obj.GetArtifact(); artifact != nil {
+		// Determine if the advertised artifact is still in storage
+		if !r.Storage.ArtifactExist(*artifact) {
+			artifactMissing = true
+		}
+
+		// If the artifact is in storage, verify if the advertised digest still
+		// matches the actual artifact
+		if !artifactMissing {
+			if err := r.Storage.VerifyArtifact(*artifact); err != nil {
+				r.Eventf(obj, corev1.EventTypeWarning, "ArtifactVerificationFailed", "failed to verify integrity of artifact: %s", err.Error())
+
+				if err = r.Storage.Remove(*artifact); err != nil {
+					return sreconcile.ResultEmpty, fmt.Errorf("failed to remove artifact after digest mismatch: %w", err)
+				}
+
+				artifactMissing = true
+			}
+		}
+
+		// If the artifact is missing, remove it from the object
+		if artifactMissing {
+			obj.Status.Artifact = nil
+		}
 	}
 
 	// Record that we do not have an artifact
@@ -402,10 +426,10 @@ func (r *GitRepositoryReconciler) reconcileStorage(ctx context.Context, sp *patc
 		if artifactMissing {
 			msg += ": disappeared from storage"
 		}
-		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, msg)
+		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "%s", msg)
 		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 		return sreconcile.ResultSuccess, nil
 	}
@@ -423,23 +447,23 @@ func (r *GitRepositoryReconciler) reconcileStorage(ctx context.Context, sp *patc
 //
 // The included repositories are fetched and their metadata are stored. In case
 // one of the included repositories isn't ready, it records
-// v1beta2.IncludeUnavailableCondition=True and returns early. When all the
+// v1.IncludeUnavailableCondition=True and returns early. When all the
 // included repositories are ready, it removes
-// v1beta2.IncludeUnavailableCondition from the object.
+// v1.IncludeUnavailableCondition from the object.
 // When the included artifactSet differs from the current set in the Status of
-// the object, it marks the object with v1beta2.ArtifactOutdatedCondition=True.
+// the object, it marks the object with v1.ArtifactOutdatedCondition=True.
 // The repository is cloned to the given dir, using the specified configuration
 // to check out the reference. In case of an error during this process
-// (including transient errors), it records v1beta2.FetchFailedCondition=True
+// (including transient errors), it records v1.FetchFailedCondition=True
 // and returns early.
-// On a successful checkout, it removes v1beta2.FetchFailedCondition and
+// On a successful checkout, it removes v1.FetchFailedCondition and
 // compares the current revision of HEAD to the revision of the Artifact in the
-// Status of the object. It records v1beta2.ArtifactOutdatedCondition=True when
+// Status of the object. It records v1.ArtifactOutdatedCondition=True when
 // they differ.
 // If specified, the signature of the Git commit is verified. If the signature
 // can not be verified or the verification fails, it records
-// v1beta2.SourceVerifiedCondition=False and returns early. When successful,
-// it records v1beta2.SourceVerifiedCondition=True.
+// v1.SourceVerifiedCondition=False and returns early. When successful,
+// it records v1.SourceVerifiedCondition=True.
 // When all the above is successful, the given Commit pointer is set to the
 // commit of the checked out Git repository.
 //
@@ -457,24 +481,20 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 		conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
 	}
 
-	var authData map[string][]byte
-	if obj.Spec.SecretRef != nil {
-		// Attempt to retrieve secret
-		name := types.NamespacedName{
-			Namespace: obj.GetNamespace(),
-			Name:      obj.Spec.SecretRef.Name,
-		}
-		var secret corev1.Secret
-		if err := r.Client.Get(ctx, name, &secret); err != nil {
+	var proxyOpts *transport.ProxyOptions
+	var proxyURL *url.URL
+	if obj.Spec.ProxySecretRef != nil {
+		var err error
+		proxyOpts, proxyURL, err = r.getProxyOpts(ctx, obj.Spec.ProxySecretRef.Name, obj.GetNamespace())
+		if err != nil {
 			e := serror.NewGeneric(
-				fmt.Errorf("failed to get secret '%s': %w", name.String(), err),
+				fmt.Errorf("failed to configure proxy options: %w", err),
 				sourcev1.AuthenticationFailedReason,
 			)
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			// Return error as the world as observed may change
 			return sreconcile.ResultEmpty, e
 		}
-		authData = secret.Data
 	}
 
 	u, err := url.Parse(obj.Spec.URL)
@@ -483,19 +503,14 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 			fmt.Errorf("failed to parse url '%s': %w", obj.Spec.URL, err),
 			sourcev1.URLInvalidReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
-	// Configure authentication strategy to access the source
-	authOpts, err := git.NewAuthOptions(*u, authData)
+	authOpts, err := r.getAuthOpts(ctx, obj, *u, proxyURL)
 	if err != nil {
-		e := serror.NewGeneric(
-			fmt.Errorf("failed to configure authentication options: %w", err),
-			sourcev1.AuthenticationFailedReason,
-		)
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
-		return sreconcile.ResultEmpty, e
+		// Return error as the world as observed may change
+		return sreconcile.ResultEmpty, err
 	}
 
 	// Fetch the included artifact metadata.
@@ -506,13 +521,13 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 
 	// Observe if the artifacts still match the previous included ones
 	if artifacts.Diff(obj.Status.IncludedArtifacts) {
-		message := fmt.Sprintf("included artifacts differ from last observed includes")
+		message := "included artifacts differ from last observed includes"
 		if obj.Status.IncludedArtifacts != nil {
-			conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "IncludeChange", message)
+			conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "IncludeChange", "%s", message)
 		}
 		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	}
 	conditions.Delete(obj, sourcev1.ArtifactOutdatedCondition)
@@ -520,12 +535,7 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	// Persist the ArtifactSet.
 	*includes = *artifacts
 
-	var optimizedClone bool
-	if val, ok := r.features[features.OptimizedGitClones]; ok && val {
-		optimizedClone = true
-	}
-
-	c, err := r.gitCheckout(ctx, obj, authOpts, dir, optimizedClone)
+	c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, true)
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
@@ -534,7 +544,7 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 			fmt.Errorf("git repository is empty"),
 			"EmptyGitRepository",
 		)
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	// Assign the commit to the shared commit reference.
@@ -551,6 +561,8 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 			)
 			ge.Notification = false
 			ge.Ignore = true
+			// Log it as this will not be passed to the runtime.
+			ge.Log = true
 			ge.Event = corev1.EventTypeNormal
 			// Remove any stale fetch failed condition.
 			conditions.Delete(obj, sourcev1.FetchFailedCondition)
@@ -567,7 +579,7 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 
 		// If we can't skip the reconciliation, checkout again without any
 		// optimization.
-		c, err := r.gitCheckout(ctx, obj, authOpts, dir, false)
+		c, err := r.gitCheckout(ctx, obj, authOpts, proxyOpts, dir, false)
 		if err != nil {
 			return sreconcile.ResultEmpty, err
 		}
@@ -576,8 +588,18 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	ctrl.LoggerFrom(ctx).V(logger.DebugLevel).Info("git repository checked out", "url", obj.Spec.URL, "revision", commitReference(obj, commit))
 	conditions.Delete(obj, sourcev1.FetchFailedCondition)
 
+	// Validate sparse checkout paths after successful checkout.
+	if err := r.validateSparseCheckoutPaths(ctx, obj, dir); err != nil {
+		e := serror.NewStalling(
+			fmt.Errorf("failed to sparse checkout directories : %w", err),
+			sourcev1.GitOperationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+		return sreconcile.ResultEmpty, e
+	}
+
 	// Verify commit signature
-	if result, err := r.verifyCommitSignature(ctx, obj, *commit); err != nil || result == sreconcile.ResultEmpty {
+	if result, err := r.verifySignature(ctx, obj, *commit); err != nil || result == sreconcile.ResultEmpty {
 		return result, err
 	}
 
@@ -585,21 +607,187 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	if !obj.GetArtifact().HasRevision(commitReference(obj, commit)) {
 		message := fmt.Sprintf("new upstream revision '%s'", commitReference(obj, commit))
 		if obj.GetArtifact() != nil {
-			conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", message)
+			conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", "%s", message)
 		}
 		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	}
 	return sreconcile.ResultSuccess, nil
 }
 
+// getProxyOpts fetches the secret containing the proxy settings, constructs a
+// transport.ProxyOptions object using those settings and then returns it.
+func (r *GitRepositoryReconciler) getProxyOpts(ctx context.Context, proxySecretName,
+	proxySecretNamespace string) (*transport.ProxyOptions, *url.URL, error) {
+	proxyData, err := r.getSecretData(ctx, proxySecretName, proxySecretNamespace)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get proxy secret '%s/%s': %w", proxySecretNamespace, proxySecretName, err)
+	}
+	b, ok := proxyData["address"]
+	if !ok {
+		return nil, nil, fmt.Errorf("invalid proxy secret '%s/%s': key 'address' is missing", proxySecretNamespace, proxySecretName)
+	}
+
+	address := string(b)
+	username := string(proxyData["username"])
+	password := string(proxyData["password"])
+
+	proxyOpts := &transport.ProxyOptions{
+		URL:      address,
+		Username: username,
+		Password: password,
+	}
+
+	proxyURL, err := url.Parse(string(address))
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid address in proxy secret '%s/%s': %w", proxySecretNamespace, proxySecretName, err)
+	}
+	switch {
+	case username != "" && password == "":
+		proxyURL.User = url.User(username)
+	case username != "" && password != "":
+		proxyURL.User = url.UserPassword(username, password)
+	}
+
+	return proxyOpts, proxyURL, nil
+}
+
+// getAuthOpts fetches the secret containing the auth options (if specified),
+// constructs a git.AuthOptions object using those options along with the provided
+// URL and returns it.
+func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1.GitRepository,
+	u url.URL, proxyURL *url.URL) (*git.AuthOptions, error) {
+	var authData map[string][]byte
+	if obj.Spec.SecretRef != nil {
+		var err error
+		authData, err = r.getSecretData(ctx, obj.Spec.SecretRef.Name, obj.GetNamespace())
+		if err != nil {
+			e := serror.NewGeneric(
+				fmt.Errorf("failed to get secret '%s/%s': %w", obj.GetNamespace(), obj.Spec.SecretRef.Name, err),
+				sourcev1.AuthenticationFailedReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
+	}
+
+	// Configure authentication strategy to access the source
+	opts, err := git.NewAuthOptions(u, authData)
+	if err != nil {
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to configure authentication options: %w", err),
+			sourcev1.AuthenticationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+		return nil, e
+	}
+
+	// Configure provider authentication if specified.
+	var getCreds func() (*authutils.GitCredentials, error)
+	switch provider := obj.GetProvider(); provider {
+	case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
+		getCreds = func() (*authutils.GitCredentials, error) {
+			var opts []auth.Option
+
+			if r.TokenCache != nil {
+				involvedObject := cache.InvolvedObject{
+					Kind:      sourcev1.GitRepositoryKind,
+					Name:      obj.GetName(),
+					Namespace: obj.GetNamespace(),
+					Operation: cache.OperationReconcile,
+				}
+				opts = append(opts, auth.WithCache(*r.TokenCache, involvedObject))
+			}
+
+			if proxyURL != nil {
+				opts = append(opts, auth.WithProxyURL(*proxyURL))
+			}
+
+			return authutils.GetGitCredentials(ctx, provider, opts...)
+		}
+	case sourcev1.GitProviderGitHub:
+		// if provider is github, but secret ref is not specified
+		if obj.Spec.SecretRef == nil {
+			e := serror.NewStalling(
+				fmt.Errorf("secretRef with github app data must be specified when provider is set to github"),
+				sourcev1.InvalidProviderConfigurationReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
+
+		getCreds = func() (*authutils.GitCredentials, error) {
+			var opts []github.OptFunc
+
+			if len(authData) > 0 {
+				opts = append(opts, github.WithAppData(authData))
+			}
+
+			if proxyURL != nil {
+				opts = append(opts, github.WithProxyURL(proxyURL))
+			}
+
+			if r.TokenCache != nil {
+				opts = append(opts, github.WithCache(r.TokenCache, sourcev1.GitRepositoryKind,
+					obj.GetName(), obj.GetNamespace(), cache.OperationReconcile))
+			}
+
+			username, password, err := github.GetCredentials(ctx, opts...)
+			if err != nil {
+				return nil, err
+			}
+			return &authutils.GitCredentials{
+				Username: username,
+				Password: password,
+			}, nil
+		}
+	default:
+		// analyze secret, if it has github app data, perhaps provider should have been github.
+		if appID := authData[github.AppIDKey]; len(appID) != 0 {
+			e := serror.NewStalling(
+				fmt.Errorf("secretRef '%s/%s' has github app data but provider is not set to github", obj.GetNamespace(), obj.Spec.SecretRef.Name),
+				sourcev1.InvalidProviderConfigurationReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
+	}
+	if getCreds != nil {
+		creds, err := getCreds()
+		if err != nil {
+			e := serror.NewGeneric(
+				fmt.Errorf("failed to configure authentication options: %w", err),
+				sourcev1.AuthenticationFailedReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+			return nil, e
+		}
+		opts.BearerToken = creds.BearerToken
+		opts.Username = creds.Username
+		opts.Password = creds.Password
+	}
+	return opts, nil
+}
+
+func (r *GitRepositoryReconciler) getSecretData(ctx context.Context, name, namespace string) (map[string][]byte, error) {
+	key := types.NamespacedName{
+		Namespace: namespace,
+		Name:      name,
+	}
+	var secret corev1.Secret
+	if err := r.Client.Get(ctx, key, &secret); err != nil {
+		return nil, err
+	}
+	return secret.Data, nil
+}
+
 // reconcileArtifact archives a new Artifact to the Storage, if the current
 // (Status) data on the object does not match the given.
 //
 // The inspection of the given data to the object is differed, ensuring any
-// stale observations like v1beta2.ArtifactOutdatedCondition are removed.
+// stale observations like v1.ArtifactOutdatedCondition are removed.
 // If the given Artifact and/or artifactSet (includes) and observed artifact
 // content config do not differ from the object's current, it returns early.
 // Source ignore patterns are loaded, and the given directory is archived while
@@ -637,14 +825,14 @@ func (r *GitRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pat
 			fmt.Errorf("failed to stat target artifact path: %w", err),
 			sourcev1.StatOperationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	} else if !f.IsDir() {
 		e := serror.NewGeneric(
 			fmt.Errorf("invalid target path: '%s' is not a directory", dir),
 			sourcev1.InvalidPathReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -654,7 +842,7 @@ func (r *GitRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pat
 			fmt.Errorf("failed to create artifact directory: %w", err),
 			sourcev1.DirCreationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	unlock, err := r.Storage.Lock(artifact)
@@ -685,7 +873,7 @@ func (r *GitRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pat
 			fmt.Errorf("unable to archive artifact to storage: %w", err),
 			sourcev1.ArchiveOperationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -695,6 +883,7 @@ func (r *GitRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pat
 	obj.Status.ObservedIgnore = obj.Spec.Ignore
 	obj.Status.ObservedRecurseSubmodules = obj.Spec.RecurseSubmodules
 	obj.Status.ObservedInclude = obj.Spec.Include
+	obj.Status.ObservedSparseCheckout = obj.Spec.SparseCheckout
 
 	// Remove the deprecated symlink.
 	// TODO(hidde): remove 2 minor versions from introduction of v1.
@@ -714,15 +903,15 @@ func (r *GitRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pat
 }
 
 // reconcileInclude reconciles the on the object specified
-// v1beta2.GitRepositoryInclude list by copying their Artifact (sub)contents to
+// v1.GitRepositoryInclude list by copying their Artifact (sub)contents to
 // the specified paths in the given directory.
 //
 // When one of the includes is unavailable, it marks the object with
-// v1beta2.IncludeUnavailableCondition=True and returns early.
+// v1.IncludeUnavailableCondition=True and returns early.
 // When the copy operations are successful, it removes the
-// v1beta2.IncludeUnavailableCondition from the object.
+// v1.IncludeUnavailableCondition from the object.
 // When the composed artifactSet differs from the current set in the Status of
-// the object, it marks the object with v1beta2.ArtifactOutdatedCondition=True.
+// the object, it marks the object with v1.ArtifactOutdatedCondition=True.
 func (r *GitRepositoryReconciler) reconcileInclude(ctx context.Context, sp *patch.SerialPatcher,
 	obj *sourcev1.GitRepository, _ *git.Commit, includes *artifactSet, dir string) (sreconcile.Result, error) {
 
@@ -734,7 +923,7 @@ func (r *GitRepositoryReconciler) reconcileInclude(ctx context.Context, sp *patc
 				fmt.Errorf("path calculation for include '%s' failed: %w", incl.GitRepositoryRef.Name, err),
 				"IllegalPath",
 			)
-			conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+			conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 
@@ -751,11 +940,11 @@ func (r *GitRepositoryReconciler) reconcileInclude(ctx context.Context, sp *patc
 
 		// Copy artifact (sub)contents to configured directory.
 		if err := r.Storage.CopyToPath(artifact, incl.GetFromPath(), toPath); err != nil {
-			e := &serror.Event{
-				Err:    fmt.Errorf("failed to copy '%s' include from %s to %s: %w", incl.GitRepositoryRef.Name, incl.GetFromPath(), incl.GetToPath(), err),
-				Reason: "CopyFailure",
-			}
-			conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+			e := serror.NewGeneric(
+				fmt.Errorf("failed to copy '%s' include from %s to %s: %w", incl.GitRepositoryRef.Name, incl.GetFromPath(), incl.GetToPath(), err),
+				"CopyFailure",
+			)
+			conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	}
@@ -765,11 +954,11 @@ func (r *GitRepositoryReconciler) reconcileInclude(ctx context.Context, sp *patc
 
 // gitCheckout builds checkout options with the given configurations and
 // performs a git checkout.
-func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
-	obj *sourcev1.GitRepository, authOpts *git.AuthOptions, dir string,
-	optimized bool) (*git.Commit, error) {
+func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context, obj *sourcev1.GitRepository,
+	authOpts *git.AuthOptions, proxyOpts *transport.ProxyOptions, dir string, optimized bool) (*git.Commit, error) {
+
 	// Configure checkout strategy.
-	cloneOpts := repository.CloneOptions{
+	cloneOpts := repository.CloneConfig{
 		RecurseSubmodules: obj.Spec.RecurseSubmodules,
 		ShallowClone:      true,
 	}
@@ -780,7 +969,14 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 		cloneOpts.SemVer = ref.SemVer
 		cloneOpts.RefName = ref.Name
 	}
-
+	if obj.Spec.SparseCheckout != nil {
+		// Trim any leading "./" in the directory paths since underlying go-git API does not honor them.
+		sparseCheckoutDirs := make([]string, len(obj.Spec.SparseCheckout))
+		for i, path := range obj.Spec.SparseCheckout {
+			sparseCheckoutDirs[i] = strings.TrimPrefix(path, "./")
+		}
+		cloneOpts.SparseCheckoutDirectories = sparseCheckoutDirs
+	}
 	// Only if the object has an existing artifact in storage, attempt to
 	// short-circuit clone operation. reconcileStorage has already verified
 	// that the artifact exists.
@@ -797,6 +993,9 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 	if authOpts.Transport == git.HTTP {
 		clientOpts = append(clientOpts, gogit.WithInsecureCredentialsOverHTTP())
 	}
+	if proxyOpts != nil {
+		clientOpts = append(clientOpts, gogit.WithProxy(*proxyOpts))
+	}
 
 	gitReader, err := gogit.NewClient(dir, authOpts, clientOpts...)
 	if err != nil {
@@ -804,7 +1003,7 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 			fmt.Errorf("failed to create Git client: %w", err),
 			sourcev1.GitOperationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return nil, e
 	}
 	defer gitReader.Close()
@@ -815,7 +1014,7 @@ func (r *GitRepositoryReconciler) gitCheckout(ctx context.Context,
 			fmt.Errorf("failed to checkout and determine revision: %w", err),
 			sourcev1.GitOperationFailedReason,
 		)
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return nil, e
 	}
 
@@ -834,7 +1033,7 @@ func (r *GitRepositoryReconciler) fetchIncludes(ctx context.Context, obj *source
 				"NotFound",
 			)
 			e.RequeueAfter = r.requeueDependency
-			conditions.MarkTrue(obj, sourcev1.IncludeUnavailableCondition, e.Reason, e.Err.Error())
+			conditions.MarkTrue(obj, sourcev1.IncludeUnavailableCondition, e.Reason, "%s", e)
 			return nil, e
 		}
 
@@ -845,7 +1044,7 @@ func (r *GitRepositoryReconciler) fetchIncludes(ctx context.Context, obj *source
 				"NoArtifact",
 			)
 			e.RequeueAfter = r.requeueDependency
-			conditions.MarkTrue(obj, sourcev1.IncludeUnavailableCondition, e.Reason, e.Err.Error())
+			conditions.MarkTrue(obj, sourcev1.IncludeUnavailableCondition, e.Reason, "%s", e)
 			return nil, e
 		}
 
@@ -858,17 +1057,18 @@ func (r *GitRepositoryReconciler) fetchIncludes(ctx context.Context, obj *source
 	return &artifacts, nil
 }
 
-// verifyCommitSignature verifies the signature of the given Git commit, if a
-// verification mode is specified on the object.
+// verifySignature verifies the signature of the given Git commit and/or its referencing tag
+// depending on the verification mode specified on the object.
 // If the signature can not be verified or the verification fails, it records
-// v1beta2.SourceVerifiedCondition=False and returns.
-// When successful, it records v1beta2.SourceVerifiedCondition=True.
+// v1.SourceVerifiedCondition=False and returns.
+// When successful, it records v1.SourceVerifiedCondition=True.
 // If no verification mode is specified on the object, the
-// v1beta2.SourceVerifiedCondition Condition is removed.
-func (r *GitRepositoryReconciler) verifyCommitSignature(ctx context.Context, obj *sourcev1.GitRepository, commit git.Commit) (sreconcile.Result, error) {
+// v1.SourceVerifiedCondition Condition is removed.
+func (r *GitRepositoryReconciler) verifySignature(ctx context.Context, obj *sourcev1.GitRepository, commit git.Commit) (sreconcile.Result, error) {
 	// Check if there is a commit verification is configured and remove any old
 	// observations if there is none
 	if obj.Spec.Verification == nil || obj.Spec.Verification.Mode == "" {
+		obj.Status.SourceVerificationMode = nil
 		conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
 		return sreconcile.ResultSuccess, nil
 	}
@@ -884,7 +1084,7 @@ func (r *GitRepositoryReconciler) verifyCommitSignature(ctx context.Context, obj
 			fmt.Errorf("PGP public keys secret error: %w", err),
 			"VerificationError",
 		)
-		conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
+		conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -892,21 +1092,74 @@ func (r *GitRepositoryReconciler) verifyCommitSignature(ctx context.Context, obj
 	for _, v := range secret.Data {
 		keyRings = append(keyRings, string(v))
 	}
-	// Verify commit with GPG data from secret
-	if _, err := commit.Verify(keyRings...); err != nil {
-		e := serror.NewGeneric(
-			fmt.Errorf("signature verification of commit '%s' failed: %w", commit.Hash.String(), err),
-			"InvalidCommitSignature",
-		)
-		conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
-		// Return error in the hope the secret changes
-		return sreconcile.ResultEmpty, e
+
+	var message strings.Builder
+	if obj.Spec.Verification.VerifyTag() {
+		// If we need to verify a tag object, then the commit must have a tag
+		// that points to it. If it does not, then its safe to asssume that
+		// the checkout didn't happen via a tag reference, thus the object can
+		// be marked as stalled.
+		tag := commit.ReferencingTag
+		if tag == nil {
+			err := serror.NewStalling(
+				errors.New("cannot verify tag object's signature if a tag reference is not specified"),
+				"InvalidVerificationMode",
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, err.Reason, "%s", err)
+			return sreconcile.ResultEmpty, err
+		}
+		if !git.IsSignedTag(*tag) {
+			// If the tag was not signed then we can't verify its signature
+			// but since the upstream tag object can change at any time, we can't
+			// mark the object as stalled.
+			err := serror.NewGeneric(
+				fmt.Errorf("cannot verify signature of tag '%s' since it is not signed", commit.ReferencingTag.String()),
+				"InvalidGitObject",
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, err.Reason, "%s", err)
+			return sreconcile.ResultEmpty, err
+		}
+
+		// Verify tag with GPG data from secret
+		tagEntity, err := tag.Verify(keyRings...)
+		if err != nil {
+			e := serror.NewGeneric(
+				fmt.Errorf("signature verification of tag '%s' failed: %w", tag.String(), err),
+				"InvalidTagSignature",
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, "%s", e)
+			// Return error in the hope the secret changes
+			return sreconcile.ResultEmpty, e
+		}
+
+		message.WriteString(fmt.Sprintf("verified signature of\n\t- tag '%s' with key '%s'", tag.String(), tagEntity))
 	}
 
-	conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, meta.SucceededReason,
-		"verified signature of commit '%s'", commit.Hash.String())
-	r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "VerifiedCommit",
-		"verified signature of commit '%s'", commit.Hash.String())
+	if obj.Spec.Verification.VerifyHEAD() {
+		// Verify commit with GPG data from secret
+		headEntity, err := commit.Verify(keyRings...)
+		if err != nil {
+			e := serror.NewGeneric(
+				fmt.Errorf("signature verification of commit '%s' failed: %w", commit.Hash.String(), err),
+				"InvalidCommitSignature",
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, "%s", e)
+			// Return error in the hope the secret changes
+			return sreconcile.ResultEmpty, e
+		}
+		// If we also verified the tag previously, then append to the message.
+		if message.Len() > 0 {
+			message.WriteString(fmt.Sprintf("\n\t- commit '%s' with key '%s'", commit.Hash.String(), headEntity))
+		} else {
+			message.WriteString(fmt.Sprintf("verified signature of\n\t- commit '%s' with key '%s'", commit.Hash.String(), headEntity))
+		}
+	}
+
+	reason := meta.SucceededReason
+	mode := obj.Spec.Verification.GetMode()
+	obj.Status.SourceVerificationMode = &mode
+	conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, reason, "%s", message.String())
+	r.eventLogf(ctx, obj, eventv1.EventTypeTrace, reason, "%s", message.String())
 	return sreconcile.ResultSuccess, nil
 }
 
@@ -923,6 +1176,10 @@ func (r *GitRepositoryReconciler) reconcileDelete(ctx context.Context, obj *sour
 	// Remove our finalizer from the list
 	controllerutil.RemoveFinalizer(obj, sourcev1.SourceFinalizer)
 
+	// Cleanup caches.
+	r.TokenCache.DeleteEventsForObject(sourcev1.GitRepositoryKind,
+		obj.GetName(), obj.GetNamespace(), cache.OperationReconcile)
+
 	// Stop reconciliation as the object is being deleted
 	return sreconcile.ResultEmpty, nil
 }
@@ -956,7 +1213,7 @@ func (r *GitRepositoryReconciler) garbageCollect(ctx context.Context, obj *sourc
 		}
 		if len(delFiles) > 0 {
 			r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "GarbageCollectionSucceeded",
-				fmt.Sprintf("garbage collected %d artifacts", len(delFiles)))
+				"garbage collected %d artifacts", len(delFiles))
 			return nil
 		}
 	}
@@ -981,9 +1238,10 @@ func (r *GitRepositoryReconciler) eventLogf(ctx context.Context, obj runtime.Obj
 
 // gitContentConfigChanged evaluates the current spec with the observations of
 // the artifact in the status to determine if artifact content configuration has
-// changed and requires rebuilding the artifact.
+// changed and requires rebuilding the artifact. Rebuilding the artifact is also
+// required if the object needs to be (re)verified.
 func gitContentConfigChanged(obj *sourcev1.GitRepository, includes *artifactSet) bool {
-	if !pointer.StringEqual(obj.Spec.Ignore, obj.Status.ObservedIgnore) {
+	if !ptr.Equal(obj.Spec.Ignore, obj.Status.ObservedIgnore) {
 		return true
 	}
 	if obj.Spec.RecurseSubmodules != obj.Status.ObservedRecurseSubmodules {
@@ -992,6 +1250,17 @@ func gitContentConfigChanged(obj *sourcev1.GitRepository, includes *artifactSet)
 	if len(obj.Spec.Include) != len(obj.Status.ObservedInclude) {
 		return true
 	}
+	if requiresVerification(obj) {
+		return true
+	}
+	if len(obj.Spec.SparseCheckout) != len(obj.Status.ObservedSparseCheckout) {
+		return true
+	}
+	for index, dir := range obj.Spec.SparseCheckout {
+		if dir != obj.Status.ObservedSparseCheckout[index] {
+			return true
+		}
+	}
 
 	// Convert artifactSet to index addressable artifacts and ensure that it and
 	// the included artifacts include all the include from the spec.
@@ -1026,6 +1295,19 @@ func gitContentConfigChanged(obj *sourcev1.GitRepository, includes *artifactSet)
 	return false
 }
 
+// validateSparseCheckoutPaths checks if the sparse checkout paths exist in the cloned repository.
+func (r *GitRepositoryReconciler) validateSparseCheckoutPaths(ctx context.Context, obj *sourcev1.GitRepository, dir string) error {
+	if obj.Spec.SparseCheckout != nil {
+		for _, path := range obj.Spec.SparseCheckout {
+			fullPath := filepath.Join(dir, path)
+			if _, err := os.Lstat(fullPath); err != nil {
+				return fmt.Errorf("sparse checkout dir '%s' does not exist in repository: %w", path, err)
+			}
+		}
+	}
+	return nil
+}
+
 // Returns true if both GitRepositoryIncludes are equal.
 func gitRepositoryIncludeEqual(a, b sourcev1.GitRepositoryInclude) bool {
 	if a.GitRepositoryRef != b.GitRepositoryRef {
@@ -1046,3 +1328,28 @@ func commitReference(obj *sourcev1.GitRepository, commit *git.Commit) string {
 	}
 	return commit.String()
 }
+
+// requiresVerification inspects a GitRepository's verification spec and its status
+// to determine whether the Git repository needs to be verified again. It does so by
+// first checking if the GitRepository has a verification spec. If it does, then
+// it returns true based on the following three conditions:
+//
+//   - If the object does not have a observed verification mode in its status.
+//   - If the observed verification mode indicates that only the tag had been
+//     verified earlier and the HEAD also needs to be verified now.
+//   - If the observed verification mode indicates that only the HEAD had been
+//     verified earlier and the tag also needs to be verified now.
+func requiresVerification(obj *sourcev1.GitRepository) bool {
+	if obj.Spec.Verification != nil {
+		observedMode := obj.Status.SourceVerificationMode
+		mode := obj.Spec.Verification.GetMode()
+		if observedMode == nil {
+			return true
+		}
+		if (*observedMode == sourcev1.ModeGitTag && (mode == sourcev1.ModeGitHEAD || mode == sourcev1.ModeGitTagAndHEAD)) ||
+			(*observedMode == sourcev1.ModeGitHEAD && (mode == sourcev1.ModeGitTag || mode == sourcev1.ModeGitTagAndHEAD)) {
+			return true
+		}
+	}
+	return false
+}

internal/controller/gitrepository_controller_fuzz_test.go

@@ -35,18 +35,19 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
+	"testing"
 	"time"
 
 	fuzz "github.com/AdaLogics/go-fuzz-headers"
-	"github.com/fluxcd/go-git/v5"
-	"github.com/fluxcd/go-git/v5/config"
-	"github.com/fluxcd/go-git/v5/plumbing"
-	"github.com/fluxcd/go-git/v5/plumbing/object"
-	gitclient "github.com/fluxcd/go-git/v5/plumbing/transport/client"
-	httptransport "github.com/fluxcd/go-git/v5/plumbing/transport/http"
-	"github.com/fluxcd/go-git/v5/storage/memory"
 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-billy/v5/memfs"
+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/object"
+	gitclient "github.com/go-git/go-git/v5/plumbing/transport/client"
+	httptransport "github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/go-git/go-git/v5/storage/memory"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"

internal/controller/helmrepository_controller.go

@@ -17,37 +17,39 @@ limitations under the License.
 package controller
 
 import (
+	"bytes"
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/docker/go-units"
 	"github.com/opencontainers/go-digest"
 	helmgetter "helm.sh/helm/v3/pkg/getter"
+	helmreg "helm.sh/helm/v3/pkg/registry"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	kuberecorder "k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/ratelimiter"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/runtime/conditions"
 	helper "github.com/fluxcd/pkg/runtime/controller"
+	"github.com/fluxcd/pkg/runtime/jitter"
 	"github.com/fluxcd/pkg/runtime/patch"
 	"github.com/fluxcd/pkg/runtime/predicates"
 	rreconcile "github.com/fluxcd/pkg/runtime/reconcile"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	helmv1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/fluxcd/source-controller/internal/cache"
 	intdigest "github.com/fluxcd/source-controller/internal/digest"
 	serror "github.com/fluxcd/source-controller/internal/error"
@@ -59,7 +61,7 @@ import (
 )
 
 // helmRepositoryReadyCondition contains the information required to summarize a
-// v1beta2.HelmRepository Ready Condition.
+// v1.HelmRepository Ready Condition.
 var helmRepositoryReadyCondition = summarize.Conditions{
 	Target: meta.ReadyCondition,
 	Owned: []string{
@@ -100,7 +102,7 @@ var helmRepositoryFailConditions = []string{
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories/finalizers,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
-// HelmRepositoryReconciler reconciles a v1beta2.HelmRepository object.
+// HelmRepositoryReconciler reconciles a v1.HelmRepository object.
 type HelmRepositoryReconciler struct {
 	client.Client
 	kuberecorder.EventRecorder
@@ -118,15 +120,14 @@ type HelmRepositoryReconciler struct {
 }
 
 type HelmRepositoryReconcilerOptions struct {
-	MaxConcurrentReconciles int
-	RateLimiter             ratelimiter.RateLimiter
+	RateLimiter workqueue.TypedRateLimiter[reconcile.Request]
 }
 
 // helmRepositoryReconcileFunc is the function type for all the
-// v1beta2.HelmRepository (sub)reconcile functions. The type implementations
+// v1.HelmRepository (sub)reconcile functions. The type implementations
 // are grouped and executed serially to perform the complete reconcile of the
 // object.
-type helmRepositoryReconcileFunc func(ctx context.Context, sp *patch.SerialPatcher, obj *helmv1.HelmRepository, artifact *sourcev1.Artifact, repo *repository.ChartRepository) (sreconcile.Result, error)
+type helmRepositoryReconcileFunc func(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.HelmRepository, artifact *sourcev1.Artifact, repo *repository.ChartRepository) (sreconcile.Result, error)
 
 func (r *HelmRepositoryReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return r.SetupWithManagerAndOptions(mgr, HelmRepositoryReconcilerOptions{})
@@ -136,19 +137,15 @@ func (r *HelmRepositoryReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager,
 	r.patchOptions = getPatchOptions(helmRepositoryReadyCondition.Owned, r.ControllerName)
 
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&helmv1.HelmRepository{}).
+		For(&sourcev1.HelmRepository{}).
 		WithEventFilter(
 			predicate.And(
-				predicate.Or(
-					intpredicates.HelmRepositoryTypePredicate{RepositoryType: helmv1.HelmRepositoryTypeDefault},
-					intpredicates.HelmRepositoryTypePredicate{RepositoryType: ""},
-				),
+				intpredicates.HelmRepositoryOCIMigrationPredicate{},
 				predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{}),
 			),
 		).
 		WithOptions(controller.Options{
-			MaxConcurrentReconciles: opts.MaxConcurrentReconciles,
-			RateLimiter:             opts.RateLimiter,
+			RateLimiter: opts.RateLimiter,
 		}).
 		Complete(r)
 }
@@ -158,17 +155,19 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	log := ctrl.LoggerFrom(ctx)
 
 	// Fetch the HelmRepository
-	obj := &helmv1.HelmRepository{}
+	obj := &sourcev1.HelmRepository{}
 	if err := r.Get(ctx, req.NamespacedName, obj); err != nil {
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
-	// Record suspended status metric
-	r.RecordSuspend(ctx, obj, obj.Spec.Suspend)
-
 	// Initialize the patch helper with the current version of the object.
 	serialPatcher := patch.NewSerialPatcher(obj, r.Client)
 
+	// If it's of type OCI, migrate the object to static.
+	if obj.Spec.Type == sourcev1.HelmRepositoryTypeOCI {
+		return r.migrationToStatic(ctx, serialPatcher, obj)
+	}
+
 	// recResult stores the abstracted reconcile result.
 	var recResult sreconcile.Result
 
@@ -182,31 +181,33 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			summarize.WithReconcileError(retErr),
 			summarize.WithIgnoreNotFound(),
 			summarize.WithProcessors(
-				summarize.RecordContextualError,
+				summarize.ErrorActionHandler,
 				summarize.RecordReconcileReq,
 			),
-			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{RequeueAfter: obj.GetRequeueAfter()}),
+			summarize.WithResultBuilder(sreconcile.AlwaysRequeueResultBuilder{
+				RequeueAfter: jitter.JitteredIntervalDuration(obj.GetRequeueAfter()),
+			}),
 			summarize.WithPatchFieldOwner(r.ControllerName),
 		}
 		result, retErr = summarizeHelper.SummarizeAndPatch(ctx, obj, summarizeOpts...)
 
-		// Always record readiness and duration metrics
-		r.Metrics.RecordReadiness(ctx, obj)
+		// Always record duration metrics.
 		r.Metrics.RecordDuration(ctx, obj, start)
 	}()
 
-	// Add finalizer first if not exist to avoid the race condition
-	// between init and delete
-	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
-		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
-		recResult = sreconcile.ResultRequeue
+	// Examine if the object is under deletion.
+	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
+		recResult, retErr = r.reconcileDelete(ctx, obj)
 		return
 	}
 
-	// Examine if the object is under deletion
-	// or if a type change has happened
-	if !obj.ObjectMeta.DeletionTimestamp.IsZero() || (obj.Spec.Type != "" && obj.Spec.Type != helmv1.HelmRepositoryTypeDefault) {
-		recResult, retErr = r.reconcileDelete(ctx, obj)
+	// Add finalizer first if not exist to avoid the race condition
+	// between init and delete.
+	// Note: Finalizers in general can only be added when the deletionTimestamp
+	// is not set.
+	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
+		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
+		recResult = sreconcile.ResultRequeue
 		return
 	}
 
@@ -231,7 +232,7 @@ func (r *HelmRepositoryReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 // object. It returns early on the first call that returns
 // reconcile.ResultRequeue, or produces an error.
 func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, sp *patch.SerialPatcher,
-	obj *helmv1.HelmRepository, reconcilers []helmRepositoryReconcileFunc) (sreconcile.Result, error) {
+	obj *sourcev1.HelmRepository, reconcilers []helmRepositoryReconcileFunc) (sreconcile.Result, error) {
 	oldObj := obj.DeepCopy()
 
 	rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason, "reconciliation in progress")
@@ -247,11 +248,11 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Seri
 		rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason,
 			"processing object: new generation %d -> %d", obj.Status.ObservedGeneration, obj.Generation)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	case reconcileAtVal != obj.Status.GetLastHandledReconcileRequest():
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 	}
 
@@ -284,7 +285,7 @@ func (r *HelmRepositoryReconciler) reconcile(ctx context.Context, sp *patch.Seri
 }
 
 // notify emits notification related to the reconciliation.
-func (r *HelmRepositoryReconciler) notify(ctx context.Context, oldObj, newObj *helmv1.HelmRepository, chartRepo *repository.ChartRepository, res sreconcile.Result, resErr error) {
+func (r *HelmRepositoryReconciler) notify(ctx context.Context, oldObj, newObj *sourcev1.HelmRepository, chartRepo *repository.ChartRepository, res sreconcile.Result, resErr error) {
 	// Notify successful reconciliation for new artifact and recovery from any
 	// failure.
 	if resErr == nil && res == sreconcile.ResultSuccess && newObj.Status.Artifact != nil {
@@ -328,18 +329,36 @@ func (r *HelmRepositoryReconciler) notify(ctx context.Context, oldObj, newObj *h
 // The hostname of any URL in the Status of the object are updated, to ensure
 // they match the Storage server hostname of current runtime.
 func (r *HelmRepositoryReconciler) reconcileStorage(ctx context.Context, sp *patch.SerialPatcher,
-	obj *helmv1.HelmRepository, _ *sourcev1.Artifact, _ *repository.ChartRepository) (sreconcile.Result, error) {
+	obj *sourcev1.HelmRepository, _ *sourcev1.Artifact, _ *repository.ChartRepository) (sreconcile.Result, error) {
 	// Garbage collect previous advertised artifact(s) from storage
 	_ = r.garbageCollect(ctx, obj)
 
-	// Determine if the advertised artifact is still in storage
 	var artifactMissing bool
-	if artifact := obj.GetArtifact(); artifact != nil && !r.Storage.ArtifactExist(*artifact) {
-		obj.Status.Artifact = nil
-		obj.Status.URL = ""
-		artifactMissing = true
-		// Remove the condition as the artifact doesn't exist.
-		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
+	if artifact := obj.GetArtifact(); artifact != nil {
+		// Determine if the advertised artifact is still in storage
+		if !r.Storage.ArtifactExist(*artifact) {
+			artifactMissing = true
+		}
+
+		// If the artifact is in storage, verify if the advertised digest still
+		// matches the actual artifact
+		if !artifactMissing {
+			if err := r.Storage.VerifyArtifact(*artifact); err != nil {
+				r.Eventf(obj, corev1.EventTypeWarning, "ArtifactVerificationFailed", "failed to verify integrity of artifact: %s", err.Error())
+
+				if err = r.Storage.Remove(*artifact); err != nil {
+					return sreconcile.ResultEmpty, fmt.Errorf("failed to remove artifact after digest mismatch: %w", err)
+				}
+
+				artifactMissing = true
+			}
+		}
+
+		// If the artifact is missing, remove it from the object
+		if artifactMissing {
+			obj.Status.Artifact = nil
+			obj.Status.URL = ""
+		}
 	}
 
 	// Record that we do not have an artifact
@@ -348,10 +367,10 @@ func (r *HelmRepositoryReconciler) reconcileStorage(ctx context.Context, sp *pat
 		if artifactMissing {
 			msg += ": disappeared from storage"
 		}
-		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, msg)
+		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "%s", msg)
 		conditions.Delete(obj, sourcev1.ArtifactInStorageCondition)
 		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			return sreconcile.ResultEmpty, err
+			return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 		}
 		return sreconcile.ResultSuccess, nil
 	}
@@ -365,94 +384,80 @@ func (r *HelmRepositoryReconciler) reconcileStorage(ctx context.Context, sp *pat
 }
 
 // reconcileSource attempts to fetch the Helm repository index using the
-// specified configuration on the v1beta2.HelmRepository object.
+// specified configuration on the v1.HelmRepository object.
 //
-// When the fetch fails, it records v1beta2.FetchFailedCondition=True and
+// When the fetch fails, it records v1.FetchFailedCondition=True and
 // returns early.
 // If successful and the index is valid, any previous
-// v1beta2.FetchFailedCondition is removed, and the repository.ChartRepository
+// v1.FetchFailedCondition is removed, and the repository.ChartRepository
 // pointer is set to the newly fetched index.
 func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch.SerialPatcher,
-	obj *helmv1.HelmRepository, artifact *sourcev1.Artifact, chartRepo *repository.ChartRepository) (sreconcile.Result, error) {
-	var tlsConfig *tls.Config
-
-	// Configure Helm client to access repository
-	clientOpts := []helmgetter.Option{
-		helmgetter.WithTimeout(obj.Spec.Timeout.Duration),
-		helmgetter.WithURL(obj.Spec.URL),
-		helmgetter.WithPassCredentialsAll(obj.Spec.PassCredentials),
+	obj *sourcev1.HelmRepository, artifact *sourcev1.Artifact, chartRepo *repository.ChartRepository) (sreconcile.Result, error) {
+	// Ensure it's not an OCI URL. API validation ensures that only
+	// http/https/oci scheme are allowed.
+	if strings.HasPrefix(obj.Spec.URL, helmreg.OCIScheme) {
+		err := fmt.Errorf("'oci' URL scheme cannot be used with 'default' HelmRepository type")
+		e := serror.NewStalling(
+			fmt.Errorf("invalid Helm repository URL: %w", err),
+			sourcev1.URLInvalidReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+		return sreconcile.ResultEmpty, e
 	}
 
-	// Configure any authentication related options
-	if obj.Spec.SecretRef != nil {
-		// Attempt to retrieve secret
-		name := types.NamespacedName{
-			Namespace: obj.GetNamespace(),
-			Name:      obj.Spec.SecretRef.Name,
-		}
-		var secret corev1.Secret
-		if err := r.Client.Get(ctx, name, &secret); err != nil {
-			e := &serror.Event{
-				Err:    fmt.Errorf("failed to get secret '%s': %w", name.String(), err),
-				Reason: sourcev1.AuthenticationFailedReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
-			return sreconcile.ResultEmpty, e
-		}
+	normalizedURL, err := repository.NormalizeURL(obj.Spec.URL)
+	if err != nil {
+		e := serror.NewStalling(
+			fmt.Errorf("invalid Helm repository URL: %w", err),
+			sourcev1.URLInvalidReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
+		return sreconcile.ResultEmpty, e
+	}
 
-		// Construct actual options
-		opts, err := getter.ClientOptionsFromSecret(secret)
-		if err != nil {
-			e := &serror.Event{
-				Err:    fmt.Errorf("failed to configure Helm client with secret data: %w", err),
-				Reason: sourcev1.AuthenticationFailedReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
-			// Return err as the content of the secret may change.
-			return sreconcile.ResultEmpty, e
-		}
-		clientOpts = append(clientOpts, opts...)
-
-		tlsConfig, err = getter.TLSClientConfigFromSecret(secret, obj.Spec.URL)
-		if err != nil {
-			e := &serror.Event{
-				Err:    fmt.Errorf("failed to create TLS client config with secret data: %w", err),
-				Reason: sourcev1.AuthenticationFailedReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
-			// Requeue as content of secret might change
+	clientOpts, _, err := getter.GetClientOpts(ctx, r.Client, obj, normalizedURL)
+	if err != nil {
+		if errors.Is(err, getter.ErrDeprecatedTLSConfig) {
+			ctrl.LoggerFrom(ctx).
+				Info("warning: specifying TLS authentication data via `.spec.secretRef` is deprecated, please use `.spec.certSecretRef` instead")
+		} else {
+			e := serror.NewGeneric(
+				err,
+				sourcev1.AuthenticationFailedReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	}
 
 	// Construct Helm chart repository with options and download index
-	newChartRepo, err := repository.NewChartRepository(obj.Spec.URL, "", r.Getters, tlsConfig, clientOpts...)
+	newChartRepo, err := repository.NewChartRepository(obj.Spec.URL, "", r.Getters, clientOpts.TlsConfig, clientOpts.GetterOpts...)
 	if err != nil {
 		switch err.(type) {
 		case *url.Error:
-			e := &serror.Stalling{
-				Err:    fmt.Errorf("invalid Helm repository URL: %w", err),
-				Reason: sourcev1.URLInvalidReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			e := serror.NewStalling(
+				fmt.Errorf("invalid Helm repository URL: %w", err),
+				sourcev1.URLInvalidReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		default:
-			e := &serror.Stalling{
-				Err:    fmt.Errorf("failed to construct Helm client: %w", err),
-				Reason: meta.FailedReason,
-			}
-			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+			e := serror.NewStalling(
+				fmt.Errorf("failed to construct Helm client: %w", err),
+				meta.FailedReason,
+			)
+			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return sreconcile.ResultEmpty, e
 		}
 	}
 
 	// Fetch the repository index from remote.
 	if err := newChartRepo.CacheIndex(); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to fetch Helm repository index: %w", err),
-			Reason: meta.FailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to fetch Helm repository index: %w", err),
+			meta.FailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		// Coin flip on transient or persistent error, return error and hope for the best
 		return sreconcile.ResultEmpty, e
 	}
@@ -460,11 +465,11 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 
 	// Early comparison to current Artifact.
 	if curArtifact := obj.GetArtifact(); curArtifact != nil {
-		curDig := digest.Digest(curArtifact.Digest)
-		if curDig.Validate() == nil {
+		curRev := digest.Digest(curArtifact.Revision)
+		if curRev.Validate() == nil {
 			// Short-circuit based on the fetched index being an exact match to the
 			// stored Artifact.
-			if newDig := chartRepo.Digest(curDig.Algorithm()); newDig.Validate() == nil && (newDig == curDig) {
+			if newRev := chartRepo.Digest(curRev.Algorithm()); newRev.Validate() == nil && (newRev == curRev) {
 				*artifact = *curArtifact
 				conditions.Delete(obj, sourcev1.FetchFailedCondition)
 				return sreconcile.ResultSuccess, nil
@@ -474,45 +479,35 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 
 	// Load the cached repository index to ensure it passes validation.
 	if err := chartRepo.LoadFromPath(); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to load Helm repository from index YAML: %w", err),
-			Reason: helmv1.IndexationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to load Helm repository from index YAML: %w", err),
+			sourcev1.IndexationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 	// Delete any stale failure observation
 	conditions.Delete(obj, sourcev1.FetchFailedCondition)
 
-	// Check if index has changed compared to current Artifact revision.
-	var changed bool
-	if artifact := obj.Status.Artifact; artifact != nil {
-		curRev := digest.Digest(artifact.Revision)
-		changed = curRev.Validate() != nil || curRev != chartRepo.Digest(curRev.Algorithm())
-	}
-
 	// Calculate revision.
 	revision := chartRepo.Digest(intdigest.Canonical)
 	if revision.Validate() != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to calculate revision: %w", err),
-			Reason: helmv1.IndexationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to calculate revision: %w", err),
+			sourcev1.IndexationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
 	// Mark observations about the revision on the object.
-	if obj.Status.Artifact == nil || changed {
-		message := fmt.Sprintf("new index revision '%s'", revision)
-		if obj.GetArtifact() != nil {
-			conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", message)
-		}
-		rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
-		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			ctrl.LoggerFrom(ctx).Error(err, "failed to patch")
-			return sreconcile.ResultEmpty, err
-		}
+	message := fmt.Sprintf("new index revision '%s'", revision)
+	if obj.GetArtifact() != nil {
+		conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", "%s", message)
+	}
+	rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
+	if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
+		return sreconcile.ResultEmpty, serror.NewGeneric(err, sourcev1.PatchOperationFailedReason)
 	}
 
 	// Create potential new artifact.
@@ -529,12 +524,12 @@ func (r *HelmRepositoryReconciler) reconcileSource(ctx context.Context, sp *patc
 // (Status) data on the object does not match the given.
 //
 // The inspection of the given data to the object is differed, ensuring any
-// stale observations like v1beta2.ArtifactOutdatedCondition are removed.
+// stale observations like v1.ArtifactOutdatedCondition are removed.
 // If the given Artifact does not differ from the object's current, it returns
 // early.
 // On a successful archive, the Artifact in the Status of the object is set,
 // and the symlink in the Storage is updated to its path.
-func (r *HelmRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *patch.SerialPatcher, obj *helmv1.HelmRepository, artifact *sourcev1.Artifact, chartRepo *repository.ChartRepository) (sreconcile.Result, error) {
+func (r *HelmRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.HelmRepository, artifact *sourcev1.Artifact, chartRepo *repository.ChartRepository) (sreconcile.Result, error) {
 	// Set the ArtifactInStorageCondition if there's no drift.
 	defer func() {
 		if obj.GetArtifact().HasRevision(artifact.Revision) {
@@ -559,31 +554,40 @@ func (r *HelmRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pa
 
 	// Create artifact dir
 	if err := r.Storage.MkdirAll(*artifact); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("failed to create artifact directory: %w", err),
-			Reason: sourcev1.DirCreationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+		e := serror.NewGeneric(
+			fmt.Errorf("failed to create artifact directory: %w", err),
+			sourcev1.DirCreationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
 	// Acquire lock.
 	unlock, err := r.Storage.Lock(*artifact)
 	if err != nil {
-		return sreconcile.ResultEmpty, &serror.Event{
-			Err:    fmt.Errorf("failed to acquire lock for artifact: %w", err),
-			Reason: meta.FailedReason,
-		}
+		return sreconcile.ResultEmpty, serror.NewGeneric(
+			fmt.Errorf("failed to acquire lock for artifact: %w", err),
+			meta.FailedReason,
+		)
 	}
 	defer unlock()
 
-	// Save artifact to storage.
-	if err = r.Storage.CopyFromPath(artifact, chartRepo.Path); err != nil {
-		e := &serror.Event{
-			Err:    fmt.Errorf("unable to save artifact to storage: %w", err),
-			Reason: sourcev1.ArchiveOperationFailedReason,
-		}
-		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, e.Err.Error())
+	// Save artifact to storage in JSON format.
+	b, err := chartRepo.ToJSON()
+	if err != nil {
+		e := serror.NewGeneric(
+			fmt.Errorf("unable to get JSON index from chart repo: %w", err),
+			sourcev1.ArchiveOperationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
+		return sreconcile.ResultEmpty, e
+	}
+	if err = r.Storage.Copy(artifact, bytes.NewBuffer(b)); err != nil {
+		e := serror.NewGeneric(
+			fmt.Errorf("unable to save artifact to storage: %w", err),
+			sourcev1.ArchiveOperationFailedReason,
+		)
+		conditions.MarkTrue(obj, sourcev1.StorageOperationFailedCondition, e.Reason, "%s", e)
 		return sreconcile.ResultEmpty, e
 	}
 
@@ -617,7 +621,7 @@ func (r *HelmRepositoryReconciler) reconcileArtifact(ctx context.Context, sp *pa
 // reconcileDelete handles the deletion of the object.
 // It first garbage collects all Artifacts for the object from the Storage.
 // Removing the finalizer from the object if successful.
-func (r *HelmRepositoryReconciler) reconcileDelete(ctx context.Context, obj *helmv1.HelmRepository) (sreconcile.Result, error) {
+func (r *HelmRepositoryReconciler) reconcileDelete(ctx context.Context, obj *sourcev1.HelmRepository) (sreconcile.Result, error) {
 	// Garbage collect the resource's artifacts
 	if err := r.garbageCollect(ctx, obj); err != nil {
 		// Return the error so we retry the failed garbage collection
@@ -629,6 +633,12 @@ func (r *HelmRepositoryReconciler) reconcileDelete(ctx context.Context, obj *hel
 		controllerutil.RemoveFinalizer(obj, sourcev1.SourceFinalizer)
 	}
 
+	// Delete cache metrics.
+	if r.CacheRecorder != nil && r.Metrics.IsDelete(obj) {
+		r.DeleteCacheEvent(cache.CacheEventTypeHit, obj.Name, obj.Namespace)
+		r.DeleteCacheEvent(cache.CacheEventTypeMiss, obj.Name, obj.Namespace)
+	}
+
 	// Stop reconciliation as the object is being deleted
 	return sreconcile.ResultEmpty, nil
 }
@@ -639,13 +649,13 @@ func (r *HelmRepositoryReconciler) reconcileDelete(ctx context.Context, obj *hel
 // - the deletion timestamp on the object is set
 // - the obj.Spec.Type has changed and artifacts are not supported by the new type
 // Which will result in the removal of all Artifacts for the objects.
-func (r *HelmRepositoryReconciler) garbageCollect(ctx context.Context, obj *helmv1.HelmRepository) error {
-	if !obj.DeletionTimestamp.IsZero() || (obj.Spec.Type != "" && obj.Spec.Type != helmv1.HelmRepositoryTypeDefault) {
+func (r *HelmRepositoryReconciler) garbageCollect(ctx context.Context, obj *sourcev1.HelmRepository) error {
+	if !obj.DeletionTimestamp.IsZero() || (obj.Spec.Type != "" && obj.Spec.Type != sourcev1.HelmRepositoryTypeDefault) {
 		if deleted, err := r.Storage.RemoveAll(r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), "", "*")); err != nil {
-			return &serror.Event{
-				Err:    fmt.Errorf("garbage collection for deleted resource failed: %w", err),
-				Reason: "GarbageCollectionFailed",
-			}
+			return serror.NewGeneric(
+				fmt.Errorf("garbage collection for deleted resource failed: %w", err),
+				"GarbageCollectionFailed",
+			)
 		} else if deleted != "" {
 			r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "GarbageCollectionSucceeded",
 				"garbage collected artifacts for deleted resource")
@@ -660,14 +670,14 @@ func (r *HelmRepositoryReconciler) garbageCollect(ctx context.Context, obj *helm
 	if obj.GetArtifact() != nil {
 		delFiles, err := r.Storage.GarbageCollect(ctx, *obj.GetArtifact(), time.Second*5)
 		if err != nil {
-			return &serror.Event{
-				Err:    fmt.Errorf("garbage collection of artifacts failed: %w", err),
-				Reason: "GarbageCollectionFailed",
-			}
+			return serror.NewGeneric(
+				fmt.Errorf("garbage collection of artifacts failed: %w", err),
+				"GarbageCollectionFailed",
+			)
 		}
 		if len(delFiles) > 0 {
 			r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "GarbageCollectionSucceeded",
-				fmt.Sprintf("garbage collected %d artifacts", len(delFiles)))
+				"garbage collected %d artifacts", len(delFiles))
 			return nil
 		}
 	}
@@ -689,3 +699,31 @@ func (r *HelmRepositoryReconciler) eventLogf(ctx context.Context, obj runtime.Ob
 	}
 	r.Eventf(obj, eventType, reason, msg)
 }
+
+// migrateToStatic is HelmRepository OCI migration to static object.
+func (r *HelmRepositoryReconciler) migrationToStatic(ctx context.Context, sp *patch.SerialPatcher, obj *sourcev1.HelmRepository) (result ctrl.Result, err error) {
+	// Skip migration if suspended and not being deleted.
+	if obj.Spec.Suspend && obj.DeletionTimestamp.IsZero() {
+		return ctrl.Result{}, nil
+	}
+
+	if !intpredicates.HelmRepositoryOCIRequireMigration(obj) {
+		// Already migrated, nothing to do.
+		return ctrl.Result{}, nil
+	}
+
+	// Delete any artifact.
+	_, err = r.reconcileDelete(ctx, obj)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+	// Delete finalizer and reset the status.
+	controllerutil.RemoveFinalizer(obj, sourcev1.SourceFinalizer)
+	obj.Status = sourcev1.HelmRepositoryStatus{}
+
+	if err := sp.Patch(ctx, obj); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{}, nil
+}

internal/controller/helmrepository_controller_oci.go

@@ -1,460 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controller
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/google/go-containerregistry/pkg/authn"
-	helmgetter "helm.sh/helm/v3/pkg/getter"
-	helmreg "helm.sh/helm/v3/pkg/registry"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	kerrors "k8s.io/apimachinery/pkg/util/errors"
-	kuberecorder "k8s.io/client-go/tools/record"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-
-	eventv1 "github.com/fluxcd/pkg/apis/event/v1beta1"
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/oci"
-	"github.com/fluxcd/pkg/runtime/conditions"
-	helper "github.com/fluxcd/pkg/runtime/controller"
-	"github.com/fluxcd/pkg/runtime/patch"
-	"github.com/fluxcd/pkg/runtime/predicates"
-	rreconcile "github.com/fluxcd/pkg/runtime/reconcile"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	helmv1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/source-controller/internal/helm/registry"
-	"github.com/fluxcd/source-controller/internal/helm/repository"
-	"github.com/fluxcd/source-controller/internal/object"
-	intpredicates "github.com/fluxcd/source-controller/internal/predicates"
-)
-
-var helmRepositoryOCIOwnedConditions = []string{
-	meta.ReadyCondition,
-	meta.ReconcilingCondition,
-	meta.StalledCondition,
-}
-
-var helmRepositoryOCINegativeConditions = []string{
-	meta.StalledCondition,
-	meta.ReconcilingCondition,
-}
-
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmrepositories/finalizers,verbs=get;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
-
-// HelmRepositoryOCI Reconciler reconciles a v1beta2.HelmRepository object of type OCI.
-type HelmRepositoryOCIReconciler struct {
-	client.Client
-	kuberecorder.EventRecorder
-	helper.Metrics
-	Getters                 helmgetter.Providers
-	ControllerName          string
-	RegistryClientGenerator RegistryClientGeneratorFunc
-
-	patchOptions []patch.Option
-
-	// unmanagedConditions are the conditions that are not managed by this
-	// reconciler and need to be removed from the object before taking ownership
-	// of the object being reconciled.
-	unmanagedConditions []string
-}
-
-// RegistryClientGeneratorFunc is a function that returns a registry client
-// and an optional file name.
-// The file is used to store the registry client credentials.
-// The caller is responsible for deleting the file.
-type RegistryClientGeneratorFunc func(isLogin bool) (*helmreg.Client, string, error)
-
-func (r *HelmRepositoryOCIReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return r.SetupWithManagerAndOptions(mgr, HelmRepositoryReconcilerOptions{})
-}
-
-func (r *HelmRepositoryOCIReconciler) SetupWithManagerAndOptions(mgr ctrl.Manager, opts HelmRepositoryReconcilerOptions) error {
-	r.unmanagedConditions = conditionsDiff(helmRepositoryReadyCondition.Owned, helmRepositoryOCIOwnedConditions)
-	r.patchOptions = getPatchOptions(helmRepositoryOCIOwnedConditions, r.ControllerName)
-
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&helmv1.HelmRepository{}).
-		WithEventFilter(
-			predicate.And(
-				intpredicates.HelmRepositoryTypePredicate{RepositoryType: helmv1.HelmRepositoryTypeOCI},
-				predicate.Or(predicate.GenerationChangedPredicate{}, predicates.ReconcileRequestedPredicate{}),
-			),
-		).
-		WithOptions(controller.Options{
-			MaxConcurrentReconciles: opts.MaxConcurrentReconciles,
-			RateLimiter:             opts.RateLimiter,
-		}).
-		Complete(r)
-}
-
-func (r *HelmRepositoryOCIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, retErr error) {
-	start := time.Now()
-	log := ctrl.LoggerFrom(ctx)
-
-	// Fetch the HelmRepository
-	obj := &helmv1.HelmRepository{}
-	if err := r.Get(ctx, req.NamespacedName, obj); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	// If the object contains any of the unmanaged conditions, requeue and wait
-	// for those conditions to be removed first before processing the object.
-	// NOTE: This will happen only when a HelmRepository's spec.type is switched
-	// from "default" to "oci".
-	if conditions.HasAny(obj, r.unmanagedConditions) {
-		r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "IncompleteTransition",
-			"object contains conditions managed by other reconciler")
-		return ctrl.Result{RequeueAfter: time.Second}, nil
-	}
-
-	// Record suspended status metric
-	r.RecordSuspend(ctx, obj, obj.Spec.Suspend)
-
-	// Initialize the patch helper with the current version of the object.
-	serialPatcher := patch.NewSerialPatcher(obj, r.Client)
-
-	// Always attempt to patch the object after each reconciliation.
-	defer func() {
-		// If a reconcile annotation value is found, set it in the object status
-		// as status.lastHandledReconcileAt.
-		if v, ok := meta.ReconcileAnnotationValue(obj.GetAnnotations()); ok {
-			object.SetStatusLastHandledReconcileAt(obj, v)
-		}
-
-		patchOpts := []patch.Option{}
-		patchOpts = append(patchOpts, r.patchOptions...)
-
-		// Set status observed generation option if the object is stalled, or
-		// if the object is ready.
-		if conditions.IsStalled(obj) || conditions.IsReady(obj) {
-			patchOpts = append(patchOpts, patch.WithStatusObservedGeneration{})
-		}
-
-		if err := serialPatcher.Patch(ctx, obj, patchOpts...); err != nil {
-			// Ignore patch error "not found" when the object is being deleted.
-			if !obj.GetDeletionTimestamp().IsZero() {
-				err = kerrors.FilterOut(err, func(e error) bool { return apierrors.IsNotFound(e) })
-			}
-			retErr = kerrors.NewAggregate([]error{retErr, err})
-		}
-
-		// Always record readiness and duration metrics
-		r.Metrics.RecordReadiness(ctx, obj)
-		r.Metrics.RecordDuration(ctx, obj, start)
-	}()
-
-	// Add finalizer first if it doesn't exist to avoid the race condition
-	// between init and delete.
-	if !controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer) {
-		controllerutil.AddFinalizer(obj, sourcev1.SourceFinalizer)
-		return ctrl.Result{Requeue: true}, nil
-	}
-
-	// Examine if the object is under deletion.
-	if !obj.ObjectMeta.DeletionTimestamp.IsZero() {
-		return r.reconcileDelete(ctx, obj)
-	}
-
-	// Return if the object is suspended.
-	if obj.Spec.Suspend {
-		log.Info("reconciliation is suspended for this object")
-		return ctrl.Result{}, nil
-	}
-
-	// Examine if a type change has happened and act accordingly
-	if obj.Spec.Type != helmv1.HelmRepositoryTypeOCI {
-		// Remove any stale condition and ignore the object if the type has
-		// changed.
-		obj.Status.Conditions = nil
-		return ctrl.Result{}, nil
-	}
-
-	result, retErr = r.reconcile(ctx, serialPatcher, obj)
-	return
-}
-
-// reconcile reconciles the HelmRepository object. While reconciling, when an
-// error is encountered, it sets the failure details in the appropriate status
-// condition type and returns the error with appropriate ctrl.Result. The object
-// status conditions and the returned results are evaluated in the deferred
-// block at the very end to summarize the conditions to be in a consistent
-// state.
-func (r *HelmRepositoryOCIReconciler) reconcile(ctx context.Context, sp *patch.SerialPatcher, obj *helmv1.HelmRepository) (result ctrl.Result, retErr error) {
-	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
-	defer cancel()
-
-	oldObj := obj.DeepCopy()
-
-	defer func() {
-		// If it's stalled, ensure reconciling is removed.
-		if sc := conditions.Get(obj, meta.StalledCondition); sc != nil && sc.Status == metav1.ConditionTrue {
-			conditions.Delete(obj, meta.ReconcilingCondition)
-		}
-
-		// Check if it's a successful reconciliation.
-		if result.RequeueAfter == obj.GetRequeueAfter() && result.Requeue == false &&
-			retErr == nil {
-			// Remove reconciling condition if the reconciliation was successful.
-			conditions.Delete(obj, meta.ReconcilingCondition)
-			// If it's not ready even though it's not reconciling or stalled,
-			// set the ready failure message as the error.
-			// Based on isNonStalledSuccess() from internal/reconcile/summarize.
-			if ready := conditions.Get(obj, meta.ReadyCondition); ready != nil &&
-				ready.Status == metav1.ConditionFalse && !conditions.IsStalled(obj) {
-				retErr = errors.New(conditions.GetMessage(obj, meta.ReadyCondition))
-			}
-		}
-
-		// Presence of reconciling means that the reconciliation didn't succeed.
-		// Set the Reconciling reason to ProgressingWithRetry to indicate a
-		// failure retry.
-		if conditions.IsReconciling(obj) {
-			reconciling := conditions.Get(obj, meta.ReconcilingCondition)
-			reconciling.Reason = meta.ProgressingWithRetryReason
-			conditions.Set(obj, reconciling)
-		}
-
-		// If it's still a successful reconciliation and it's not reconciling or
-		// stalled, mark Ready=True.
-		if !conditions.IsReconciling(obj) && !conditions.IsStalled(obj) &&
-			retErr == nil && result.RequeueAfter == obj.GetRequeueAfter() {
-			conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready")
-		}
-
-		// Emit events when object's state changes.
-		ready := conditions.Get(obj, meta.ReadyCondition)
-		// Became ready from not ready.
-		if !conditions.IsReady(oldObj) && conditions.IsReady(obj) {
-			r.eventLogf(ctx, obj, corev1.EventTypeNormal, ready.Reason, ready.Message)
-		}
-		// Became not ready from ready.
-		if conditions.IsReady(oldObj) && !conditions.IsReady(obj) {
-			r.eventLogf(ctx, obj, corev1.EventTypeWarning, ready.Reason, ready.Message)
-		}
-	}()
-
-	// Set reconciling condition.
-	rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason, "reconciliation in progress")
-
-	var reconcileAtVal string
-	if v, ok := meta.ReconcileAnnotationValue(obj.GetAnnotations()); ok {
-		reconcileAtVal = v
-	}
-
-	// Persist reconciling if generation differs or reconciliation is requested.
-	switch {
-	case obj.Generation != obj.Status.ObservedGeneration:
-		rreconcile.ProgressiveStatus(false, obj, meta.ProgressingReason,
-			"processing object: new generation %d -> %d", obj.Status.ObservedGeneration, obj.Generation)
-		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			result, retErr = ctrl.Result{}, err
-			return
-		}
-	case reconcileAtVal != obj.Status.GetLastHandledReconcileRequest():
-		if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
-			result, retErr = ctrl.Result{}, err
-			return
-		}
-	}
-
-	// Ensure that it's an OCI URL before continuing.
-	if !helmreg.IsOCI(obj.Spec.URL) {
-		u, err := url.Parse(obj.Spec.URL)
-		if err != nil {
-			err = fmt.Errorf("failed to parse URL: %w", err)
-		} else {
-			err = fmt.Errorf("URL scheme '%s' in '%s' is not supported", u.Scheme, obj.Spec.URL)
-		}
-		conditions.MarkStalled(obj, sourcev1.URLInvalidReason, err.Error())
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.URLInvalidReason, err.Error())
-		ctrl.LoggerFrom(ctx).Error(err, "reconciliation stalled")
-		result, retErr = ctrl.Result{}, nil
-		return
-	}
-	conditions.Delete(obj, meta.StalledCondition)
-
-	var (
-		authenticator authn.Authenticator
-		keychain      authn.Keychain
-		err           error
-	)
-	// Configure any authentication related options.
-	if obj.Spec.SecretRef != nil {
-		keychain, err = authFromSecret(ctx, r.Client, obj)
-		if err != nil {
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
-			result, retErr = ctrl.Result{}, err
-			return
-		}
-	} else if obj.Spec.Provider != helmv1.GenericOCIProvider && obj.Spec.Type == helmv1.HelmRepositoryTypeOCI {
-		auth, authErr := oidcAuth(ctxTimeout, obj.Spec.URL, obj.Spec.Provider)
-		if authErr != nil && !errors.Is(authErr, oci.ErrUnconfiguredProvider) {
-			e := fmt.Errorf("failed to get credential from %s: %w", obj.Spec.Provider, authErr)
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, e.Error())
-			result, retErr = ctrl.Result{}, e
-			return
-		}
-		if auth != nil {
-			authenticator = auth
-		}
-	}
-
-	loginOpt, err := makeLoginOption(authenticator, keychain, obj.Spec.URL)
-	if err != nil {
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, err.Error())
-		result, retErr = ctrl.Result{}, err
-		return
-	}
-
-	// Create registry client and login if needed.
-	registryClient, file, err := r.RegistryClientGenerator(loginOpt != nil)
-	if err != nil {
-		e := fmt.Errorf("failed to create registry client: %w", err)
-		conditions.MarkFalse(obj, meta.ReadyCondition, meta.FailedReason, e.Error())
-		result, retErr = ctrl.Result{}, e
-		return
-	}
-	if file != "" {
-		defer func() {
-			if err := os.Remove(file); err != nil {
-				r.eventLogf(ctx, obj, corev1.EventTypeWarning, meta.FailedReason,
-					"failed to delete temporary credentials file: %s", err)
-			}
-		}()
-	}
-
-	chartRepo, err := repository.NewOCIChartRepository(obj.Spec.URL, repository.WithOCIRegistryClient(registryClient))
-	if err != nil {
-		e := fmt.Errorf("failed to parse URL '%s': %w", obj.Spec.URL, err)
-		conditions.MarkStalled(obj, sourcev1.URLInvalidReason, e.Error())
-		conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.URLInvalidReason, e.Error())
-		result, retErr = ctrl.Result{}, nil
-		return
-	}
-	conditions.Delete(obj, meta.StalledCondition)
-
-	// Attempt to login to the registry if credentials are provided.
-	if loginOpt != nil {
-		err = chartRepo.Login(loginOpt)
-		if err != nil {
-			e := fmt.Errorf("failed to login to registry '%s': %w", obj.Spec.URL, err)
-			conditions.MarkFalse(obj, meta.ReadyCondition, sourcev1.AuthenticationFailedReason, e.Error())
-			result, retErr = ctrl.Result{}, e
-			return
-		}
-	}
-
-	// Remove any stale Ready condition, most likely False, set above. Its value
-	// is derived from the overall result of the reconciliation in the deferred
-	// block at the very end.
-	conditions.Delete(obj, meta.ReadyCondition)
-
-	result, retErr = ctrl.Result{RequeueAfter: obj.GetRequeueAfter()}, nil
-	return
-}
-
-func (r *HelmRepositoryOCIReconciler) reconcileDelete(ctx context.Context, obj *helmv1.HelmRepository) (ctrl.Result, error) {
-	// Remove our finalizer from the list
-	controllerutil.RemoveFinalizer(obj, sourcev1.SourceFinalizer)
-
-	// Stop reconciliation as the object is being deleted
-	return ctrl.Result{}, nil
-}
-
-// eventLogf records events, and logs at the same time.
-//
-// This log is different from the debug log in the EventRecorder, in the sense
-// that this is a simple log. While the debug log contains complete details
-// about the event.
-func (r *HelmRepositoryOCIReconciler) eventLogf(ctx context.Context, obj runtime.Object, eventType string, reason string, messageFmt string, args ...interface{}) {
-	msg := fmt.Sprintf(messageFmt, args...)
-	// Log and emit event.
-	if eventType == corev1.EventTypeWarning {
-		ctrl.LoggerFrom(ctx).Error(errors.New(reason), msg)
-	} else {
-		ctrl.LoggerFrom(ctx).Info(msg)
-	}
-	r.Eventf(obj, eventType, reason, msg)
-}
-
-// authFromSecret returns an authn.Keychain for the given HelmRepository.
-// If the HelmRepository does not specify a secretRef, an anonymous keychain is returned.
-func authFromSecret(ctx context.Context, client client.Client, obj *helmv1.HelmRepository) (authn.Keychain, error) {
-	// Attempt to retrieve secret.
-	name := types.NamespacedName{
-		Namespace: obj.GetNamespace(),
-		Name:      obj.Spec.SecretRef.Name,
-	}
-	var secret corev1.Secret
-	if err := client.Get(ctx, name, &secret); err != nil {
-		return nil, fmt.Errorf("failed to get secret '%s': %w", name.String(), err)
-	}
-
-	// Construct login options.
-	keychain, err := registry.LoginOptionFromSecret(obj.Spec.URL, secret)
-	if err != nil {
-		return nil, fmt.Errorf("failed to configure Helm client with secret data: %w", err)
-	}
-	return keychain, nil
-}
-
-// makeLoginOption returns a registry login option for the given HelmRepository.
-// If the HelmRepository does not specify a secretRef, a nil login option is returned.
-func makeLoginOption(auth authn.Authenticator, keychain authn.Keychain, registryURL string) (helmreg.LoginOption, error) {
-	if auth != nil {
-		return registry.AuthAdaptHelper(auth)
-	}
-
-	if keychain != nil {
-		return registry.KeychainAdaptHelper(keychain)(registryURL)
-	}
-
-	return nil, nil
-}
-
-func conditionsDiff(a, b []string) []string {
-	bMap := make(map[string]struct{}, len(b))
-	for _, j := range b {
-		bMap[j] = struct{}{}
-	}
-
-	r := []string{}
-	for _, i := range a {
-		if _, exists := bMap[i]; !exists {
-			r = append(r, i)
-		}
-	}
-	return r
-}

internal/controller/helmrepository_controller_oci_test.go

@@ -1,345 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controller
-
-import (
-	"encoding/base64"
-	"fmt"
-	"strconv"
-	"testing"
-
-	. "github.com/onsi/gomega"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/tools/record"
-	kstatus "sigs.k8s.io/cli-utils/pkg/kstatus/status"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/conditions"
-	conditionscheck "github.com/fluxcd/pkg/runtime/conditions/check"
-	"github.com/fluxcd/pkg/runtime/patch"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1"
-	helmv1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/fluxcd/source-controller/internal/helm/registry"
-)
-
-func TestHelmRepositoryOCIReconciler_Reconcile(t *testing.T) {
-	tests := []struct {
-		name       string
-		secretType corev1.SecretType
-		secretData map[string][]byte
-	}{
-		{
-			name: "valid auth data",
-			secretData: map[string][]byte{
-				"username": []byte(testRegistryUsername),
-				"password": []byte(testRegistryPassword),
-			},
-		},
-		{
-			name:       "no auth data",
-			secretData: nil,
-		},
-		{
-			name:       "dockerconfigjson Secret",
-			secretType: corev1.SecretTypeDockerConfigJson,
-			secretData: map[string][]byte{
-				".dockerconfigjson": []byte(`{"auths":{"` +
-					testRegistryServer.registryHost + `":{"` +
-					`auth":"` + base64.StdEncoding.EncodeToString([]byte(testRegistryUsername+":"+testRegistryPassword)) + `"}}}`),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-
-			ns, err := testEnv.CreateNamespace(ctx, "helmrepository-oci-reconcile-test")
-			g.Expect(err).ToNot(HaveOccurred())
-			defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
-
-			secret := &corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "helmrepository-",
-					Namespace:    ns.Name,
-				},
-				Data: tt.secretData,
-			}
-			if tt.secretType != "" {
-				secret.Type = tt.secretType
-			}
-
-			g.Expect(testEnv.CreateAndWait(ctx, secret)).To(Succeed())
-
-			origObj := &helmv1.HelmRepository{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "helmrepository-oci-reconcile-",
-					Namespace:    ns.Name,
-				},
-				Spec: helmv1.HelmRepositorySpec{
-					Interval: metav1.Duration{Duration: interval},
-					URL:      fmt.Sprintf("oci://%s", testRegistryServer.registryHost),
-					SecretRef: &meta.LocalObjectReference{
-						Name: secret.Name,
-					},
-					Provider: helmv1.GenericOCIProvider,
-					Type:     helmv1.HelmRepositoryTypeOCI,
-				},
-			}
-			obj := origObj.DeepCopy()
-			g.Expect(testEnv.Create(ctx, obj)).To(Succeed())
-
-			key := client.ObjectKey{Name: obj.Name, Namespace: obj.Namespace}
-
-			// Wait for finalizer to be set
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, obj); err != nil {
-					return false
-				}
-				return len(obj.Finalizers) > 0
-			}, timeout).Should(BeTrue())
-
-			// Wait for HelmRepository to be Ready
-			waitForSourceReadyWithoutArtifact(ctx, g, obj)
-
-			// Check if the object status is valid.
-			condns := &conditionscheck.Conditions{NegativePolarity: helmRepositoryReadyCondition.NegativePolarity}
-			checker := conditionscheck.NewChecker(testEnv.Client, condns)
-			checker.WithT(g).CheckErr(ctx, obj)
-
-			// kstatus client conformance check.
-			u, err := patch.ToUnstructured(obj)
-			g.Expect(err).ToNot(HaveOccurred())
-			res, err := kstatus.Compute(u)
-			g.Expect(err).ToNot(HaveOccurred())
-			g.Expect(res.Status).To(Equal(kstatus.CurrentStatus))
-
-			// Patch the object with reconcile request annotation.
-			patchHelper, err := patch.NewHelper(obj, testEnv.Client)
-			g.Expect(err).ToNot(HaveOccurred())
-			annotations := map[string]string{
-				meta.ReconcileRequestAnnotation: "now",
-			}
-			obj.SetAnnotations(annotations)
-			g.Expect(patchHelper.Patch(ctx, obj)).ToNot(HaveOccurred())
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, obj); err != nil {
-					return false
-				}
-				return obj.Status.LastHandledReconcileAt == "now"
-			}, timeout).Should(BeTrue())
-
-			g.Expect(testEnv.Delete(ctx, obj)).To(Succeed())
-
-			// Wait for HelmRepository to be deleted
-			waitForSourceDeletion(ctx, g, obj)
-
-			// Check if a suspended object gets deleted.
-			obj = origObj.DeepCopy()
-			testSuspendedObjectDeleteWithoutArtifact(ctx, g, obj)
-		})
-	}
-}
-
-func TestHelmRepositoryOCIReconciler_authStrategy(t *testing.T) {
-	type secretOptions struct {
-		username string
-		password string
-	}
-
-	tests := []struct {
-		name             string
-		url              string
-		registryOpts     registryOptions
-		secretOpts       secretOptions
-		provider         string
-		providerImg      string
-		want             ctrl.Result
-		wantErr          bool
-		assertConditions []metav1.Condition
-	}{
-		{
-			name: "HTTP without basic auth",
-			want: ctrl.Result{RequeueAfter: interval},
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-		{
-			name: "HTTP with basic auth secret",
-			want: ctrl.Result{RequeueAfter: interval},
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-		{
-			name:    "HTTP registry - basic auth with invalid secret",
-			want:    ctrl.Result{},
-			wantErr: true,
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: "wrong-pass",
-				password: "wrong-pass",
-			},
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingWithRetryReason, "processing object: new generation"),
-				*conditions.FalseCondition(meta.ReadyCondition, sourcev1.AuthenticationFailedReason, "failed to login to registry"),
-			},
-		},
-		{
-			name:        "with contextual login provider",
-			wantErr:     true,
-			provider:    "aws",
-			providerImg: "oci://123456789000.dkr.ecr.us-east-2.amazonaws.com/test",
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingWithRetryReason, "processing object: new generation"),
-				*conditions.FalseCondition(meta.ReadyCondition, sourcev1.AuthenticationFailedReason, "failed to get credential from"),
-			},
-		},
-		{
-			name: "with contextual login provider and secretRef",
-			want: ctrl.Result{RequeueAfter: interval},
-			registryOpts: registryOptions{
-				withBasicAuth: true,
-			},
-			secretOpts: secretOptions{
-				username: testRegistryUsername,
-				password: testRegistryPassword,
-			},
-			provider: "azure",
-			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(meta.ReadyCondition, meta.SucceededReason, "Helm repository is ready"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			g := NewWithT(t)
-
-			builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
-			workspaceDir := t.TempDir()
-			server, err := setupRegistryServer(ctx, workspaceDir, tt.registryOpts)
-			g.Expect(err).NotTo(HaveOccurred())
-
-			obj := &helmv1.HelmRepository{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "auth-strategy-",
-					Generation:   1,
-				},
-				Spec: helmv1.HelmRepositorySpec{
-					Interval: metav1.Duration{Duration: interval},
-					Timeout:  &metav1.Duration{Duration: timeout},
-					Type:     helmv1.HelmRepositoryTypeOCI,
-					Provider: helmv1.GenericOCIProvider,
-					URL:      fmt.Sprintf("oci://%s", server.registryHost),
-				},
-			}
-
-			if tt.provider != "" {
-				obj.Spec.Provider = tt.provider
-			}
-			// If a provider specific image is provided, overwrite existing URL
-			// set earlier. It'll fail but it's necessary to set them because
-			// the login check expects the URLs to be of certain pattern.
-			if tt.providerImg != "" {
-				obj.Spec.URL = tt.providerImg
-			}
-
-			if tt.secretOpts.username != "" && tt.secretOpts.password != "" {
-				secret := &corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "auth-secretref",
-					},
-					Type: corev1.SecretTypeDockerConfigJson,
-					Data: map[string][]byte{
-						".dockerconfigjson": []byte(fmt.Sprintf(`{"auths": {%q: {"username": %q, "password": %q}}}`,
-							server.registryHost, tt.secretOpts.username, tt.secretOpts.password)),
-					},
-				}
-
-				builder.WithObjects(secret)
-
-				obj.Spec.SecretRef = &meta.LocalObjectReference{
-					Name: secret.Name,
-				}
-			}
-
-			r := &HelmRepositoryOCIReconciler{
-				Client:                  builder.Build(),
-				EventRecorder:           record.NewFakeRecorder(32),
-				Getters:                 testGetters,
-				RegistryClientGenerator: registry.ClientGenerator,
-				patchOptions:            getPatchOptions(helmRepositoryOCIOwnedConditions, "sc"),
-			}
-
-			g.Expect(r.Client.Create(ctx, obj)).ToNot(HaveOccurred())
-			defer func() {
-				g.Expect(r.Client.Delete(ctx, obj)).ToNot(HaveOccurred())
-			}()
-
-			sp := patch.NewSerialPatcher(obj, r.Client)
-
-			got, err := r.reconcile(ctx, sp, obj)
-			g.Expect(err != nil).To(Equal(tt.wantErr))
-			g.Expect(got).To(Equal(tt.want))
-			g.Expect(obj.Status.Conditions).To(conditions.MatchConditions(tt.assertConditions))
-
-			// In-progress status condition validity.
-			checker := conditionscheck.NewInProgressChecker(r.Client)
-			// NOTE: Check the object directly as reconcile() doesn't apply the
-			// final patch, the object has unapplied changes.
-			checker.DisableFetch = true
-			checker.WithT(g).CheckErr(ctx, obj)
-		})
-	}
-}
-
-func TestConditionsDiff(t *testing.T) {
-	tests := []struct {
-		a, b, want []string
-	}{
-		{[]string{"a", "b", "c"}, []string{"b", "d"}, []string{"a", "c"}},
-		{[]string{"a", "b", "c"}, []string{}, []string{"a", "b", "c"}},
-		{[]string{}, []string{"b", "d"}, []string{}},
-		{[]string{}, []string{}, []string{}},
-		{[]string{"a", "b"}, nil, []string{"a", "b"}},
-		{nil, []string{"a", "b"}, []string{}},
-		{nil, nil, []string{}},
-	}
-
-	for i, tt := range tests {
-		t.Run(strconv.Itoa(i), func(t *testing.T) {
-			g := NewWithT(t)
-			g.Expect(conditionsDiff(tt.a, tt.b)).To(Equal(tt.want))
-		})
-	}
-}

internal/controller/storage.go

@@ -31,13 +31,14 @@ import (
 	"time"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/fluxcd/go-git/v5/plumbing/format/gitignore"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/opencontainers/go-digest"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 
 	"github.com/fluxcd/pkg/lockedfile"
 	"github.com/fluxcd/pkg/sourceignore"
-	"github.com/fluxcd/pkg/untar"
+	pkgtar "github.com/fluxcd/pkg/tar"
 
 	v1 "github.com/fluxcd/source-controller/api/v1"
 	intdigest "github.com/fluxcd/source-controller/internal/digest"
@@ -47,10 +48,12 @@ import (
 const GarbageCountLimit = 1000
 
 const (
-	// defaultFileMode is the permission mode applied to all files inside an artifact archive.
-	defaultFileMode int64 = 0o644
+	// defaultFileMode is the permission mode applied to files inside an artifact archive.
+	defaultFileMode int64 = 0o600
 	// defaultDirMode is the permission mode applied to all directories inside an artifact archive.
-	defaultDirMode int64 = 0o755
+	defaultDirMode int64 = 0o750
+	// defaultExeFileMode is the permission mode applied to executable files inside an artifact archive.
+	defaultExeFileMode int64 = 0o700
 )
 
 // Storage manages artifacts
@@ -84,7 +87,7 @@ func NewStorage(basePath string, hostname string, artifactRetentionTTL time.Dura
 }
 
 // NewArtifactFor returns a new v1.Artifact.
-func (s *Storage) NewArtifactFor(kind string, metadata metav1.Object, revision, fileName string) v1.Artifact {
+func (s Storage) NewArtifactFor(kind string, metadata metav1.Object, revision, fileName string) v1.Artifact {
 	path := v1.ArtifactPath(kind, metadata.GetNamespace(), metadata.GetName(), fileName)
 	artifact := v1.Artifact{
 		Path:     path,
@@ -117,13 +120,18 @@ func (s Storage) SetHostname(URL string) string {
 }
 
 // MkdirAll calls os.MkdirAll for the given v1.Artifact base dir.
-func (s *Storage) MkdirAll(artifact v1.Artifact) error {
+func (s Storage) MkdirAll(artifact v1.Artifact) error {
 	dir := filepath.Dir(s.LocalPath(artifact))
 	return os.MkdirAll(dir, 0o700)
 }
 
+// Remove calls os.Remove for the given v1.Artifact path.
+func (s Storage) Remove(artifact v1.Artifact) error {
+	return os.Remove(s.LocalPath(artifact))
+}
+
 // RemoveAll calls os.RemoveAll for the given v1.Artifact base dir.
-func (s *Storage) RemoveAll(artifact v1.Artifact) (string, error) {
+func (s Storage) RemoveAll(artifact v1.Artifact) (string, error) {
 	var deletedDir string
 	dir := filepath.Dir(s.LocalPath(artifact))
 	// Check if the dir exists.
@@ -135,7 +143,7 @@ func (s *Storage) RemoveAll(artifact v1.Artifact) (string, error) {
 }
 
 // RemoveAllButCurrent removes all files for the given v1.Artifact base dir, excluding the current one.
-func (s *Storage) RemoveAllButCurrent(artifact v1.Artifact) ([]string, error) {
+func (s Storage) RemoveAllButCurrent(artifact v1.Artifact) ([]string, error) {
 	deletedFiles := []string{}
 	localPath := s.LocalPath(artifact)
 	dir := filepath.Dir(localPath)
@@ -168,7 +176,7 @@ func (s *Storage) RemoveAllButCurrent(artifact v1.Artifact) ([]string, error) {
 // 1. collect all artifact files with an expired ttl
 // 2. if we satisfy maxItemsToBeRetained, then return
 // 3. else, collect all artifact files till the latest n files remain, where n=maxItemsToBeRetained
-func (s *Storage) getGarbageFiles(artifact v1.Artifact, totalCountLimit, maxItemsToBeRetained int, ttl time.Duration) (garbageFiles []string, _ error) {
+func (s Storage) getGarbageFiles(artifact v1.Artifact, totalCountLimit, maxItemsToBeRetained int, ttl time.Duration) (garbageFiles []string, _ error) {
 	localPath := s.LocalPath(artifact)
 	dir := filepath.Dir(localPath)
 	artifactFilesWithCreatedTs := make(map[time.Time]string)
@@ -255,7 +263,7 @@ func (s *Storage) getGarbageFiles(artifact v1.Artifact, totalCountLimit, maxItem
 
 // GarbageCollect removes all garbage files in the artifact dir according to the provided
 // retention options.
-func (s *Storage) GarbageCollect(ctx context.Context, artifact v1.Artifact, timeout time.Duration) ([]string, error) {
+func (s Storage) GarbageCollect(ctx context.Context, artifact v1.Artifact, timeout time.Duration) ([]string, error) {
 	delFilesChan := make(chan []string)
 	errChan := make(chan error)
 	// Abort if it takes more than the provided timeout duration.
@@ -317,7 +325,7 @@ func stringInSlice(a string, list []string) bool {
 }
 
 // ArtifactExist returns a boolean indicating whether the v1.Artifact exists in storage and is a regular file.
-func (s *Storage) ArtifactExist(artifact v1.Artifact) bool {
+func (s Storage) ArtifactExist(artifact v1.Artifact) bool {
 	fi, err := os.Lstat(s.LocalPath(artifact))
 	if err != nil {
 		return false
@@ -325,6 +333,35 @@ func (s *Storage) ArtifactExist(artifact v1.Artifact) bool {
 	return fi.Mode().IsRegular()
 }
 
+// VerifyArtifact verifies if the Digest of the v1.Artifact matches the digest
+// of the file in Storage. It returns an error if the digests don't match, or
+// if it can't be verified.
+func (s Storage) VerifyArtifact(artifact v1.Artifact) error {
+	if artifact.Digest == "" {
+		return fmt.Errorf("artifact has no digest")
+	}
+
+	d, err := digest.Parse(artifact.Digest)
+	if err != nil {
+		return fmt.Errorf("failed to parse artifact digest '%s': %w", artifact.Digest, err)
+	}
+
+	f, err := os.Open(s.LocalPath(artifact))
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	verifier := d.Verifier()
+	if _, err = io.Copy(verifier, f); err != nil {
+		return err
+	}
+	if !verifier.Verified() {
+		return fmt.Errorf("computed digest doesn't match '%s'", d.String())
+	}
+	return nil
+}
+
 // ArchiveFileFilter must return true if a file should not be included in the archive after inspecting the given path
 // and/or os.FileInfo.
 type ArchiveFileFilter func(p string, fi os.FileInfo) bool
@@ -347,7 +384,7 @@ func SourceIgnoreFilter(ps []gitignore.Pattern, domain []string) ArchiveFileFilt
 // directories and any ArchiveFileFilter matches. While archiving, any environment specific data (for example,
 // the user and group name) is stripped from file headers.
 // If successful, it sets the digest and last update time on the artifact.
-func (s *Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileFilter) (err error) {
+func (s Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileFilter) (err error) {
 	if f, err := os.Stat(dir); os.IsNotExist(err) || !f.IsDir() {
 		return fmt.Errorf("invalid dir path: %s", dir)
 	}
@@ -389,6 +426,7 @@ func (s *Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileF
 		if err != nil {
 			return err
 		}
+
 		// The name needs to be modified to maintain directory structure
 		// as tar.FileInfoHeader only has access to the base name of the file.
 		// Ref: https://golang.org/src/archive/tar/common.go?#L626
@@ -399,21 +437,7 @@ func (s *Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileF
 				return err
 			}
 		}
-		header.Name = relFilePath
-
-		// We want to remove any environment specific data as well, this
-		// ensures the checksum is purely content based.
-		header.Gid = 0
-		header.Uid = 0
-		header.Uname = ""
-		header.Gname = ""
-		header.ModTime = time.Time{}
-		header.AccessTime = time.Time{}
-		header.ChangeTime = time.Time{}
-		header.Mode = defaultFileMode
-		if fi.Mode().IsDir() {
-			header.Mode = defaultDirMode
-		}
+		sanitizeHeader(relFilePath, header)
 
 		if err := tw.WriteHeader(header); err != nil {
 			return err
@@ -469,7 +493,7 @@ func (s *Storage) Archive(artifact *v1.Artifact, dir string, filter ArchiveFileF
 
 // AtomicWriteFile atomically writes the io.Reader contents to the v1.Artifact path.
 // If successful, it sets the digest and last update time on the artifact.
-func (s *Storage) AtomicWriteFile(artifact *v1.Artifact, reader io.Reader, mode os.FileMode) (err error) {
+func (s Storage) AtomicWriteFile(artifact *v1.Artifact, reader io.Reader, mode os.FileMode) (err error) {
 	localPath := s.LocalPath(*artifact)
 	tf, err := os.CreateTemp(filepath.Split(localPath))
 	if err != nil {
@@ -511,7 +535,7 @@ func (s *Storage) AtomicWriteFile(artifact *v1.Artifact, reader io.Reader, mode
 
 // Copy atomically copies the io.Reader contents to the v1.Artifact path.
 // If successful, it sets the digest and last update time on the artifact.
-func (s *Storage) Copy(artifact *v1.Artifact, reader io.Reader) (err error) {
+func (s Storage) Copy(artifact *v1.Artifact, reader io.Reader) (err error) {
 	localPath := s.LocalPath(*artifact)
 	tf, err := os.CreateTemp(filepath.Split(localPath))
 	if err != nil {
@@ -549,7 +573,7 @@ func (s *Storage) Copy(artifact *v1.Artifact, reader io.Reader) (err error) {
 
 // CopyFromPath atomically copies the contents of the given path to the path of the v1.Artifact.
 // If successful, the digest and last update time on the artifact is set.
-func (s *Storage) CopyFromPath(artifact *v1.Artifact, path string) (err error) {
+func (s Storage) CopyFromPath(artifact *v1.Artifact, path string) (err error) {
 	f, err := os.Open(path)
 	if err != nil {
 		return err
@@ -564,7 +588,7 @@ func (s *Storage) CopyFromPath(artifact *v1.Artifact, path string) (err error) {
 }
 
 // CopyToPath copies the contents in the (sub)path of the given artifact to the given path.
-func (s *Storage) CopyToPath(artifact *v1.Artifact, subPath, toPath string) error {
+func (s Storage) CopyToPath(artifact *v1.Artifact, subPath, toPath string) error {
 	// create a tmp directory to store artifact
 	tmp, err := os.MkdirTemp("", "flux-include-")
 	if err != nil {
@@ -582,7 +606,7 @@ func (s *Storage) CopyToPath(artifact *v1.Artifact, subPath, toPath string) erro
 
 	// untar the artifact
 	untarPath := filepath.Join(tmp, "unpack")
-	if _, err = untar.Untar(f, untarPath); err != nil {
+	if err = pkgtar.Untar(f, untarPath, pkgtar.WithMaxUntarSize(-1)); err != nil {
 		return err
 	}
 
@@ -603,7 +627,7 @@ func (s *Storage) CopyToPath(artifact *v1.Artifact, subPath, toPath string) erro
 }
 
 // Symlink creates or updates a symbolic link for the given v1.Artifact and returns the URL for the symlink.
-func (s *Storage) Symlink(artifact v1.Artifact, linkName string) (string, error) {
+func (s Storage) Symlink(artifact v1.Artifact, linkName string) (string, error) {
 	localPath := s.LocalPath(artifact)
 	dir := filepath.Dir(localPath)
 	link := filepath.Join(dir, linkName)
@@ -625,14 +649,14 @@ func (s *Storage) Symlink(artifact v1.Artifact, linkName string) (string, error)
 }
 
 // Lock creates a file lock for the given v1.Artifact.
-func (s *Storage) Lock(artifact v1.Artifact) (unlock func(), err error) {
+func (s Storage) Lock(artifact v1.Artifact) (unlock func(), err error) {
 	lockFile := s.LocalPath(artifact) + ".lock"
 	mutex := lockedfile.MutexAt(lockFile)
 	return mutex.Lock()
 }
 
 // LocalPath returns the secure local path of the given artifact (that is: relative to the Storage.BasePath).
-func (s *Storage) LocalPath(artifact v1.Artifact) string {
+func (s Storage) LocalPath(artifact v1.Artifact) string {
 	if artifact.Path == "" {
 		return ""
 	}
@@ -654,3 +678,42 @@ func (wc *writeCounter) Write(p []byte) (int, error) {
 	wc.written += int64(n)
 	return n, nil
 }
+
+// sanitizeHeader modifies the tar.Header to be relative to the root of the
+// archive and removes any environment specific data.
+func sanitizeHeader(relP string, h *tar.Header) {
+	// Modify the name to be relative to the root of the archive,
+	// this ensures we maintain the same structure when extracting.
+	h.Name = relP
+
+	// We want to remove any environment specific data as well, this
+	// ensures the checksum is purely content based.
+	h.Gid = 0
+	h.Uid = 0
+	h.Uname = ""
+	h.Gname = ""
+	h.ModTime = time.Time{}
+	h.AccessTime = time.Time{}
+	h.ChangeTime = time.Time{}
+
+	// Override the mode to be the default for the type of file.
+	setDefaultMode(h)
+}
+
+// setDefaultMode sets the default mode for the given header.
+func setDefaultMode(h *tar.Header) {
+	if h.FileInfo().IsDir() {
+		h.Mode = defaultDirMode
+		return
+	}
+
+	if h.FileInfo().Mode().IsRegular() {
+		mode := h.FileInfo().Mode()
+		if mode&os.ModeType == 0 && mode&0o111 != 0 {
+			h.Mode = defaultExeFileMode
+			return
+		}
+		h.Mode = defaultFileMode
+		return
+	}
+}