Sources: GitRepository & more
Where desired state comes from.
The source-controller is where desired state enters Flux. A source is a CRD describing where to fetch from and how often, and the controller pulls it, verifies it, and makes it available to the reconcilers as an artifact. The main source is GitRepository (a repo, a branch/tag/semver ref, an interval), but Flux also supports HelmRepository (chart repos), OCIRepository (manifests or charts as OCI artifacts), and Bucket (S3-compatible). Separating fetching from applying is central to the toolkit design.
apiVersion: source.toolkit.fluxcd.io/v1kind: GitRepositorymetadata: { name: payments, namespace: flux-system }spec:interval: 1murl: https://git.acme.internal/apps/payments.gitref:tag: v1.4.0 # or branch:, or semver: ">=1.4.0"secretRef: { name: git-credentials }
Verification at the source
A powerful property: the source-controller can verify what it fetches before anything is applied. For Git, it can check GPG/sigstore commit signatures against a set of trusted keys and refuse an unsigned or wrongly-signed revision. For OCI sources, it can verify Cosign signatures. This means supply-chain verification happens at ingestion — a tampered or unsigned source never reaches the reconcilers — which is one of Flux’s strongest security features.
spec:ref: { branch: main }verify:mode: HEADsecretRef: { name: flux-gpg-keys } # trusted public keys# Flux refuses to reconcile a revision whose commit signature does not verify