Update flux and install the image automation controller.

nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml

@@ -6,10 +6,10 @@ metadata:
   name: flux-operator-web
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   policyTypes:
@@ -32,10 +32,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 automountServiceAccountToken: true
 ---
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.37.1'
+    app.kubernetes.io/version: 'v0.48.0'
+    helm.sh/chart: 'flux-operator-0.48.0'
   name: fluxinstances.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -205,7 +205,11 @@ spec:
               components:
                 description: |-
                   Components is the list of controllers to install.
-                  Defaults to a commonly used subset.
+                  Defaults to the core Flux controllers:
+                    - source-controller
+                    - kustomize-controller
+                    - helm-controller
+                    - notification-controller
                 items:
                   description: Component is the name of a controller to install.
                   enum:
@@ -661,14 +665,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.37.1'
+    app.kubernetes.io/version: 'v0.48.0'
+    helm.sh/chart: 'flux-operator-0.48.0'
   name: fluxreports.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -828,7 +832,7 @@ spec:
                         failing:
                           description: |-
                             Failing is the number of reconciled
-                            resources in the Failing state.
+                            resources in the Failing state and not Suspended.
                           type: integer
                         running:
                           description: |-
@@ -965,14 +969,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.37.1'
+    app.kubernetes.io/version: 'v0.48.0'
+    helm.sh/chart: 'flux-operator-0.48.0'
   name: resourcesetinputproviders.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -1029,9 +1033,9 @@ spec:
                   - a PEM-encoded CA certificate (`ca.crt`)
                   - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
 
-                  When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
-                  must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
-                  When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
+                  When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
+                  the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
+                  When connecting to a provider that supports client certificates (mTLS), the client certificate
                   and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
                 properties:
                   name:
@@ -1102,6 +1106,11 @@ spec:
                       Supported only for tags at the moment.
                     type: string
                 type: object
+              insecure:
+                description: |-
+                  Insecure allows connecting to an ExternalService or OCIArtifactTag provider
+                  over plain HTTP without TLS. When not set, the URL must use HTTPS.
+                type: boolean
               schedule:
                 description: Schedule defines the schedules for the input provider
                   to run.
@@ -1129,13 +1138,16 @@ spec:
                 type: array
               secretRef:
                 description: |-
-                  SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
+                  SecretRef specifies the Kubernetes Secret containing the credentials
                   to access the input provider.
                   When connecting to a Git provider, the secret must contain the keys
                   'username' and 'password', and the password should be a personal access token
                   that grants read-only access to the repository.
                   When connecting to an OCI provider, the secret must contain a Kubernetes
                   Image Pull Secret, as if created by `kubectl create secret docker-registry`.
+                  When connecting to an ExternalService provider, the secret must contain either
+                  a 'token' key for bearer token authentication, or 'username' and 'password'
+                  keys for basic authentication.
                 properties:
                   name:
                     description: Name of the referent.
@@ -1177,10 +1189,14 @@ spec:
                 - AzureDevOpsBranch
                 - AzureDevOpsTag
                 - AzureDevOpsPullRequest
+                - GiteaBranch
+                - GiteaTag
+                - GiteaPullRequest
                 - OCIArtifactTag
                 - ACRArtifactTag
                 - ECRArtifactTag
                 - GARArtifactTag
+                - ExternalService
                 type: string
               url:
                 description: |-
@@ -1206,6 +1222,16 @@ spec:
             - message: spec.url must start with 'oci://' when spec.type is an OCI
                 provider
               rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
+            - message: spec.url must start with 'http://' or 'https://' when spec.type
+                is 'ExternalService'
+              rule: self.type != 'ExternalService' || self.url.startsWith('http')
+            - message: spec.insecure can only be set when spec.type is 'ExternalService'
+                or 'OCIArtifactTag'
+              rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
+                || self.type == ''OCIArtifactTag'''
+            - message: spec.url must use 'https://' unless spec.insecure is true
+              rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
+                || (has(self.insecure) && self.insecure)
             - message: cannot specify spec.serviceAccountName when spec.type is not
                 one of AzureDevOps* or *ArtifactTag
               rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
@@ -1345,14 +1371,14 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.19.0
+    controller-gen.kubebuilder.io/version: v0.20.0
     helm.sh/resource-policy: keep
   labels:
     app.kubernetes.io/instance: 'flux-operator'
     app.kubernetes.io/managed-by: 'Helm'
     app.kubernetes.io/name: 'flux-operator'
-    app.kubernetes.io/version: 'v0.37.1'
-    helm.sh/chart: 'flux-operator-0.37.1'
+    app.kubernetes.io/version: 'v0.48.0'
+    helm.sh/chart: 'flux-operator-0.48.0'
   name: resourcesets.fluxcd.controlplane.io
 spec:
   group: fluxcd.controlplane.io
@@ -1459,6 +1485,15 @@ spec:
                   input provider objects are used. Defaults to flattening all inputs
                   from all providers into a single list of input sets.
                 properties:
+                  includeEmptyProviders:
+                    description: |-
+                      IncludeEmptyProviders controls how input providers that export no
+                      inputs are treated. Only applies when Name is Permute. When true, if
+                      any provider has zero inputs the resulting permutation set is empty
+                      (mathematically correct Cartesian product behavior). When false or
+                      unset (default), providers with zero inputs are silently skipped and
+                      the remaining providers still permute among themselves.
+                    type: boolean
                   name:
                     description: |-
                       Name defines how the inputs are combined when multiple
@@ -1481,6 +1516,9 @@ spec:
                 required:
                 - name
                 type: object
+                x-kubernetes-validations:
+                - message: includeEmptyProviders only applies when name is Permute
+                  rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
               inputs:
                 description: Inputs contains the list of ResourceSet inputs.
                 items:
@@ -1659,6 +1697,16 @@ spec:
                   - type
                   type: object
                 type: array
+              externalChecksumRefs:
+                description: |-
+                  ExternalChecksumRefs lists the ConfigMap and Secret references
+                  discovered in checksumFrom annotations on the last reconciliation
+                  that point to objects not rendered by this ResourceSet. Each entry
+                  has the form "Kind/namespace/name". It is used to trigger a
+                  reconciliation when one of the referenced objects changes.
+                items:
+                  type: string
+                type: array
               history:
                 description: |-
                   History contains the reconciliation history of the ResourceSet
@@ -1764,10 +1812,10 @@ metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   - apiGroups:
@@ -1791,10 +1839,10 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-view: "true"
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   - apiGroups:
@@ -1807,16 +1855,86 @@ rules:
       - list
       - watch
 ---
+# Source: flux-operator/templates/web-standard-roles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flux-web-user
+  labels:
+    helm.sh/chart: flux-operator-0.48.0
+    app.kubernetes.io/name: flux-operator
+    app.kubernetes.io/instance: flux-operator
+    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+---
+# Source: flux-operator/templates/web-standard-roles.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flux-web-admin
+  labels:
+    helm.sh/chart: flux-operator-0.48.0
+    app.kubernetes.io/name: flux-operator
+    app.kubernetes.io/instance: flux-operator
+    app.kubernetes.io/version: "v0.48.0"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups:
+      - fluxcd.controlplane.io
+      - source.toolkit.fluxcd.io
+      - source.extensions.fluxcd.io
+      - kustomize.toolkit.fluxcd.io
+      - helm.toolkit.fluxcd.io
+      - image.toolkit.fluxcd.io
+      - notification.toolkit.fluxcd.io
+    resources: ["*"]
+    verbs:
+      - patch
+      - reconcile
+      - suspend
+      - resume
+      - download
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+    verbs:
+      - patch
+      - restart
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - create
+      - restart
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+---
 # Source: flux-operator/templates/admin-clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: flux-operator
   labels:
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1834,10 +1952,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   ports:
@@ -1860,10 +1978,10 @@ metadata:
   name: flux-operator
   namespace: flux-system
   labels:
-    helm.sh/chart: flux-operator-0.37.1
+    helm.sh/chart: flux-operator-0.48.0
     app.kubernetes.io/name: flux-operator
     app.kubernetes.io/instance: flux-operator
-    app.kubernetes.io/version: "v0.37.1"
+    app.kubernetes.io/version: "v0.48.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   selector:
@@ -1877,10 +1995,10 @@ spec:
         prometheus.io/port: "8080"
         prometheus.io/path: "/metrics"
       labels:
-        helm.sh/chart: flux-operator-0.37.1
+        helm.sh/chart: flux-operator-0.48.0
         app.kubernetes.io/name: flux-operator
         app.kubernetes.io/instance: flux-operator
-        app.kubernetes.io/version: "v0.37.1"
+        app.kubernetes.io/version: "v0.48.0"
         app.kubernetes.io/managed-by: Helm
     spec:
       serviceAccountName: flux-operator
@@ -1906,7 +2024,7 @@ spec:
             runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
-          image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1"
+          image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
           imagePullPolicy: "IfNotPresent"
           ports:
             - name: http-metrics

nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml

@@ -5,5 +5,13 @@ metadata:
   namespace: flux-system
 spec:
   distribution:
-    version: "2.7.x"
+    version: "2.8.x"
     registry: "ghcr.io/fluxcd"
+  components:
+    - source-controller
+    - kustomize-controller
+    - helm-controller
+    - notification-controller
+    - image-automation-controller
+    - image-reflector-controller
+    # - source-watcher

nix/kubernetes/keys/package/bootstrap-script/package.nix

@@ -35,6 +35,10 @@ let
         "${k8s.cilium-manifest}/cilium.yaml"
         "${k8s.coredns-manifest}/coredns.yaml"
         ./files/manifests/flux_namespace.yaml
+
+        #
+        # Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace
+        #
         ./files/manifests/flux.yaml
         ./files/manifests/flux_instance.yaml
       ]

nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix

@@ -58,6 +58,17 @@ let
           };
         };
         "flux-system" = {
+          "registry-credentials" =
+            (generate_docker_secret {
+              username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}";
+              password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}";
+              email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}";
+            })
+            // {
+              # "__annotations" = {
+              #   "tekton.dev/docker-0" = "https://harbor.fizz.buzz";
+              # };
+            };
           "webhook-token" = {
             "token" = generate_key 64 "flux-system.webhook-token.token";
           };
@@ -140,6 +151,7 @@ let
 
   ## Utilities
   inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
+  inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64;
   generate_key =
     len: name:
     builtins.readFile (
@@ -174,6 +186,21 @@ let
         "\\}"
       ]
       json;
+  generate_docker_secret =
+    {
+      username,
+      password,
+      email,
+    }:
+    let
+    in
+    {
+      "__type" = "kubernetes.io/dockerconfigjson";
+      ".dockerconfigjson" = builtins.toJSON {
+        inherit username password email;
+        "auth" = toBase64 "${username}:${password}";
+      };
+    };
   ## dex
   get_dex_config =
     client_id: