Merge pull request #4440 from natasha41575/pinToCmdConfig

Pin to cmd/config v0.10.3

.github/workflows/go.yml

@@ -16,14 +16,14 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v2
       with:
-        go-version: ^1.13
+        go-version: ^1.16
       id: go
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v2
 
     - name: Lint
-      run: ./scripts/kyaml-pre-commit.sh
+      run: ./hack/kyaml-pre-commit.sh
       env:
         KUSTOMIZE_DOCKER_E2E: false # don't need to do e2e tests for linting
 
@@ -35,7 +35,7 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v2
         with:
-          go-version: ^1.13
+          go-version: ^1.16
         id: go
 
       - name: Check out code into the Go module directory
@@ -45,6 +45,10 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      - name: Test api
+        run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+        working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config
@@ -59,7 +63,7 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v2
         with:
-          go-version: ^1.13
+          go-version: ^1.16
         id: go
 
       - name: Check out code into the Go module directory
@@ -69,6 +73,10 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      - name: Test api
+        run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+        working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config
@@ -83,7 +91,7 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v2
         with:
-          go-version: ^1.13
+          go-version: ^1.16
         id: go
 
       - name: Check out code into the Go module directory
@@ -93,6 +101,11 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      # TODO: uncomment once Windows tests are passing.
+      # - name: Test api
+      #   run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+      #   working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config

ARCHITECTURE.md

@@ -0,0 +1,299 @@
+# Architecture
+
+* _Updated: December 2021_
+
+This document describes the repository organization and the kustomize
+build process. It's meant to lower the barrier to learning and
+contributing to the code base.
+
+If not kept up to date, it will just be a historical snapshot.
+
+
+## Repository layout
+
+[human-edited docs]: https://github.com/kubernetes-sigs/cli-experimental/tree/master/site
+[generated docs]: https://github.com/kubernetes-sigs/cli-experimental/tree/master/docs
+[rendered docs]: https://kubectl.docs.kubernetes.io
+[openapi]: https://kubernetes.io/blog/2016/12/kubernetes-supports-openapi
+
+[`api` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/api/go.mod
+[`api`]: #the-api-module
+[`cmd/config` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/go.mod
+[`cmd/config`]: #the-cmdconfig-module
+[`kustomize` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/kustomize/go.mod
+[`kustomize`]: #the-kustomize-module
+[`kyaml` module]: https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/go.mod
+[`kyaml`]: #the-kyaml-module
+[`kyaml/kio.Filter`]: https://github.com/Kubernetes-sigs/kustomize/blob/master/kyaml/kio/kio.go
+[`go-yaml`]: https://github.com/go-yaml/yaml/tree/v3
+
+
+[3922]: https://github.com/kubernetes-sigs/kustomize/issues/3922
+
+
+
+ |  directory  | purpose      |
+ | ---------:  | :---------- |
+ |       `api` | The [`api`] module, holding high level kustomize code, suitable for import by other programs.  |
+ |       `cmd` | Various Go programs aiding repo management. See also `hack`. As an outlier, includes the special [`cmd/config`] module. |
+ |      `docs` | Old home of documentation; contains pointers to new homes: [human-edited docs], [generated docs] and [rendered docs]. |
+ |  `examples` | Full kustomization examples that run as pre-merge tests.  |
+ | `functions` | Examples of plugins in KRM function form. TODO([3922]): Move under `plugin`. |
+ |      `hack` | Various shell scripts to help with code management. |
+ | `kustomize` | The [`kustomize`] module holds the `main.go` for kustomize. |
+ |     `kyaml` | The [`kyaml`] module, holding Kubernetes-specific YAML editing packages used by the [`api`] module. Wraps [`go-yaml`] v3.|
+ |    `plugin` | Examples of Kustomize plugins. |
+ | `releasing` | Instructions for releasing the various modules. |
+ |      `site` | Old generated documentation, kept to provide redirection links to the new docs. |
+
+
+## Modules
+
+[semantically versioned]: https://semver.org
+[Go modules]: https://github.com/golang/go/wiki/Modules
+
+The [Go modules] in the kustomize repository are [semantically versioned].
+
+
+### `kustomize`
+
+> _Depends on [`api`], [`cmd/config`], [`kyaml`]_
+
+The [`kustomize` module] contains the `main.go` for `kustomize`, buildable with
+
+```
+(cd kustomize; go install .)
+```
+
+[appears in kubectl]: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubectl/pkg/cmd/kustomize/kustomize.go
+
+Below this are packages containing
+[cobra](http://github.com/spf13/cobra) commands implementing `build`,
+`edit`, `fix`, etc., packages linked together by `main.go`.
+
+These command packages are intentionally public, semantically
+versioned, and can be used in other programs.  Specifically, the
+`kustomize build` command [appears in kubectl] as `kubectl kustomize`.
+
+The code in the `build` package is dominated by flag validation,
+with minimal business logic.  The critical lines are something
+like
+
+```
+# Make a kustomizer.
+k := krusty.MakeKustomizer(
+  HonorKustomizeFlags(krusty.MakeDefaultOptions()),
+)
+
+# Run the kustomizer, sending location of kustomization.yaml
+m := k.Run(fSys, "/path/to/dir")
+
+# Write the result as YAML.
+writer.Write(m.AsYaml())
+```
+
+The `krusty` package is in the [`api`] module.
+
+### `api`
+
+> _Depends on [`kyaml`] and code generated from builtin plugin modules_
+
+The [`api` module] is used by CLI programs like `kustomize` and `kubectl`
+to read and honor `kustomization.yaml` files and all that implies.
+
+The main public packages in the [`api` module] are
+
+ | package   |             |
+ | --------: | :---------- |
+ | `filters` | Implementations of [`kyaml/kio.Filter`] used by kustomize to transform Kubernetes objects. |
+ |  `konfig` | Configuration methods and constants in the kustomize API. |
+ |  `krusty` | Primary API entry point.  Holds the kustomizer and hundreds of tests for it. |
+ |  `loader` | Loads kustomization files and the files they refer to, enforcing security rules. |
+ |  `resmap` | The primary internal data structure over which the kustomizer and filters work. |
+ |   `types` | The `Kustomization` object and ancillary structs. |
+
+### `cmd/config`
+
+> _Depends on [`kyaml`]_
+
+This module contains cobra commands and kyaml-based functionality to
+provide unix-like file manipulation commands to kustomize like `grep`
+and `tree`.  These commands may be included in any program that
+manipulates k8s YAML (e.g. kustomize).
+
+### `kyaml`
+
+> _Has no in-repo dependence_
+
+The [`kyaml` module] is a kubernetes-focussed enhancement of [go-yaml].
+
+The YAML manipulation performed by a kustomize is based on these libraries.
+
+These libraries evolve independently of kustomize, and other programs depend on them.
+
+The key public packages in the [`kyaml` module] include
+
+ | package   |             |
+ | --------: | :---------- |
+ | `errors` | Wrapper for the go-errors/errors lib |
+ | `filesys` | A kustomize-specific file system abstraction, to ease writing tests |
+ | `fn/framework` | An SDK for writing KRM Functions in Go |
+ | `fn/runtime` | Implements the runtime for KRM Function extensions |
+ | `kio` | Libraries for reading and writing collections of Kubernetes resources as RNodes |
+ | `openapi` | Loads and accesses openapi schemas for schema-aware resource manipultaion |
+ | `resid` | Representations to aid in unique identification of Kubernetes resources |
+ | `yaml` | A Kubernetes-focused wrapper of [go-yaml], notably including the RNode object |
+
+
+-------
+
+## How _kustomize build_ works
+
+The command `kustomize build` accepts a single string argument,
+which must resolve to a directory, possibly in a git repository,
+called the _kustomization root_.
+
+This directory must contain a file called `kustomization.yaml`, with
+YAML that marshals into a single instance of a `Kustomization` object.
+
+For the remainder of this document, the word _kustomization_ refers to
+either of these things.
+
+This kustomization is the access point to a directed, acyclic graph of
+Kubernetes objects, including other kustomizations, to include in a
+build.
+
+Execution of `build` starts and ends in the [`api`] module,
+frequently dipping into the [`kyaml`] module for lower level
+YAML manipulation.
+
+### The `build` flow
+
+  - Validate command lines arguments and flags.
+
+  - Make a `Kustomizer` as a function of those arguments.
+
+  - Call `Run` on the kustomizer, passing it the path to the
+    kustomization.
+
+    `Run` returns an instance of `ResMap`, the `api` package's
+    representation of a set of kubernetes `Resource` objects.
+
+    This structure offers resource lookup methods (map behavior),
+    but also retains the resources in the order they were
+    specified in kustomization files (list behavior).
+
+    Post-run, the objects are fully hydrated, per the
+    instructions in the kustomization.
+
+  - Marshal the objects as YAML to a file or `stdout`.
+
+
+### The `Run` function
+
+  - Create various objects
+
+    - A `ResMap` factory.
+
+      Makes  `ResMaps` from byte streams, other `ResMaps`, etc.
+
+    - A file `loader.Loader`.
+
+      It's fed an appropriate set of restrictions, and the path to the kustomization.
+
+    - A plugin loader.
+
+      It finds plugins (transformers, generators or validators)
+      and prepares them for running.
+
+    - A `KustTarget` encapsulating all of the above.
+
+      A KustTarget contains one `Kustomization` and represents
+	  everything that kustomization can reach.  This will include
+	  other `KustTarget` instances, each having a smaller purview than
+	  the one referencing it.
+
+  - Call `KustTarget.Load` to load its kustomization.
+
+    This step deals with deprecations and field changes.
+
+  - Load [openapi] data specified by the kustomization.
+
+    This is needed to recognize k8s kinds and their special
+    properties, e.g. which kinds are cluster-scoped, which kinds
+    refer to others, etc.
+
+  - Call `KustTarget.makeCustomizedResmap` to create the `ResMap` result.
+
+    This visits everything referenced by the kustomization,
+    performing all generation, transformation and validation.
+
+  - Finish the `Run` with
+
+    - Optional reordering of objects in `ResMap`, overriding the
+      FIFO rule.
+
+    - Optional addition of _kustomize build annotations_ to the
+      resources.  E.g. from which repo and file the resource was
+      read, the fact that kustomize touched the resource, etc.
+      These kustomize-specific annotations are intended for
+      server-side data analytics, file structure traceability and
+      reconstruction, etc.
+
+### The `makeCustomizedResmap` function
+
+  This function starts the process of object transformation,
+  as well as accumulation of recursively referenced data.
+
+  - Call `ra := KustTarget.AccumulateTarget`.
+
+    The result, `ra`, is a resource accumulator that contains
+    everything referred to by the current kustomization, now fully
+    hydrated.
+
+  - Uniquify names of generated objects by appending content hashes.
+
+    This cannot be done until the objects are complete.
+
+  - Fix all name references (given that names may have changed).
+
+    E.g. if a ConfigMaps was given a generated name, all objects that
+    refer to that ConfigMap must be given its name.
+
+  - Resolve vars, replacing them with whatever they refer to (a legacy feature).
+
+### The `AccumulateTarget` function
+
+  - Call `AccumulateResources` over the `resources` field (this can recurse).
+  - Call `AccumulateComponents` over the `components` field (this can recurse),
+  - Load legacy (pre-plugin) global kustomize configuration,
+  - Load legacy (pre-openapi) _Custom Resource Definition_ data.
+  - In the context of the data loaded above, run the kustomization's
+    - generators,
+    - transformers,
+    - and validators.
+  - Accumulate `vars` (make note of them for later replacement).
+
+### `AccumulateResources` and component accumulation
+
+  - If the path is a file:
+    - Accumulate the objects in the file (treating them
+      as opaque kubernetes objects).
+
+  - If the path is a directory:
+    - Create a new `KustTarget` referring to that directory's kustomization.
+	- Call `subRa := KustTarget.AccumulateTarget`.
+    - Call `ra.MergeAccumulator(subRa)`
+	This completes a recursion.
+
+  - If the path is a git URL:
+    - Clone the repository to a temporary directory.
+    - Process the path optionally specified in the URL
+      as a path in the clone.
+	- If no path specified, work from the repository root.
+
+
+That's as deep as this discussion will go.
+
+The deeper this document goes into the details, the faster
+it will get out of date.

CONTRIBUTING.md

@@ -1,6 +1,25 @@
+[SIG-CLI]: https://github.com/kubernetes/community/tree/master/sig-cli
+[Slack channel]: https://kubernetes.slack.com/messages/kustomize
+[Mailing list]: https://groups.google.com/forum/#!forum/kubernetes-sig-cli
+
+[OWNERS file spec]: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+[Kustomize OWNERS_ALIASES]: https://github.com/kubernetes-sigs/kustomize/blob/8049f7b1af52e8a7ec26faf6cf714f560d0043c5/OWNERS_ALIASES
+[SIG-CLI Teams]: https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml
+[Github permissions]: https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization#repository-access-for-each-permission-level
+
+[Contributor License Agreement]: https://git.k8s.io/community/CLA.md
+[Kubernetes Contributor Guide]: http://git.k8s.io/community/contributors/guide
+[Contributor Cheat Sheet]: https://git.k8s.io/community/contributors/guide/contributor-cheatsheet/README.md
+[CNCF Code of Conduct]: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
+[Kubernetes Community Membership]: https://github.com/kubernetes/community/blob/master/community-membership.md
+
+[Contribution Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/
+[MacOS Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/mac/
+[Windows Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/windows/
+
 # Contributing Guidelines
 
-Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://github.com/kubernetes/community)! The Kubernetes community abides by the CNCF [code of conduct](code-of-conduct.md). Here is an excerpt:
+Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://github.com/kubernetes/community)! The Kubernetes community abides by the [CNCF Code of Conduct]. Here is an excerpt:
 
 _As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities._
 
@@ -8,19 +27,45 @@ _As contributors and maintainers of this project, and in the interest of fosteri
 
 Dev guides:
 
-- [Mac](docs/macDevGuide.md)
+- [Contribution Guide]
+- [MacOS Dev Guide]
+- [Windows Dev Guide]
 
-We have full documentation on how to get started contributing here:
+General resources for contributors:
 
-- [Contributor License Agreement](https://git.k8s.io/community/CLA.md) Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests
-- [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
-- [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet/README.md) - Common resources for existing developers
+- [Contributor License Agreement] - Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests.
+- [Kubernetes Contributor Guide] - Main contributor documentation.
+- [Contributor Cheat Sheet] - Common resources for existing developers.
+
+Here are some additional ideas to help you get started with Kustomize:
+- Attend a Kustomize Bug Scrub. Check the [SIG-CLI] meetings list to find the next one.
+- Help triage issues by confirming validity and applying the appropriate `kind` label (e.g. comment `/kind bug`).
+- Pick up an issue to fix. Issues with the `help-wanted` label are a good place to start, but you can also look for any issue with the `triage/accepted` label and no assignee. Remember to `/assign` yourself to let others know you're working on it.
+- Help confirm new issues labelled `kind/bug` by reproducing them with the latest release.
+- Support Kustomize users by responding to questions on issues labelled `kind/support` or in the [Slack channel].
 
 ## Mentorship
 
 - [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!
 
+## Contributor Ladder
+
+Kustomize follows the [Kubernetes Community Membership] contributor ladder. Roles are as follows:
+
+1. Contributor: Anyone who actively contributes code, issues or reviews to the project. All contributors must sign the [Contributor License Agreement].
+1. Reviewer: Contributors with a history of review and authorship on Kustomize. Has LGTM rights on the Kustomize repo (as do all kubernetes-sigs org members). Active contributors are encouraged to join the reviewers list to be automatically pinged on PRs.
+1. Approver: Highly experienced active reviewer and contributor to Kustomize. Has both LTGM and approval rights on the Kustomize repo, as well as "maintain" [Github permissions].
+1. Owner: Approver who sets technical direction and makes or approves design decisions for the project. Has LGTM and approval rights on the Kustomize repo as well as "admin" [Github permissions].
+
+The kyaml module within the Kustomize repo has additional owners following the same ladder.
+
+Administrative notes:
+
+- The [OWNERS file spec] is a useful resources in making changes.
+- Maintainers and admins must be added to the appropriate lists in both [Kustomize OWNERS_ALIASES] and [SIG-CLI Teams]. If this isn't done, the individual in question will lack either PR approval rights (Kustomize list) or the appropriate Github repository permissions (community list).
+
+
 ## Contact Information
 
-- [Slack channel](https://kubernetes.slack.com/messages/sig-cli)
-- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-cli)
+- [Slack channel]
+- [Mailing list]

Makefile

@@ -3,10 +3,16 @@
 #
 # Makefile for kustomize CLI and API.
 
-MYGOBIN := $(shell go env GOPATH)/bin
-SHELL := /bin/bash
+SHELL := /usr/bin/env bash
+GOOS = $(shell go env GOOS)
+GOARCH = $(shell go env GOARCH)
+MYGOBIN = $(shell go env GOBIN)
+ifeq ($(MYGOBIN),)
+MYGOBIN = $(shell go env GOPATH)/bin
+endif
 export PATH := $(MYGOBIN):$(PATH)
 MODULES := '"cmd/config" "api/" "kustomize/" "kyaml/"'
+LATEST_V4_RELEASE=v4.4.1
 
 # Provide defaults for REPO_OWNER and REPO_NAME if not present.
 # Typically these values would be provided by Prow.
@@ -19,78 +25,65 @@ REPO_NAME := "kustomize"
 endif
 
 .PHONY: all
-all: verify-kustomize
+all: install-tools verify-kustomize
 
 .PHONY: verify-kustomize
 verify-kustomize: \
 	lint-kustomize \
 	test-unit-kustomize-all \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-3.9.0 \
-	test-examples-kustomize-against-3.8.8
+	test-examples-kustomize-against-v4-release
 
 # The following target referenced by a file in
 # https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/kustomize
 .PHONY: prow-presubmit-check
 prow-presubmit-check: \
+	install-tools \
 	lint-kustomize \
-	test-multi-module \
 	test-unit-kustomize-all \
 	test-unit-cmd-all \
 	test-go-mod \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-3.9.0 \
-	test-examples-kustomize-against-3.8.8
+	test-examples-kustomize-against-v4-release
 
 .PHONY: verify-kustomize-e2e
 verify-kustomize-e2e: test-examples-e2e-kustomize
 
 # Other builds in this repo might want a different linter version.
 # Without one Makefile to rule them all, the different makes
-# cannot assume that golanci-lint is at the version they want
-# since everything uses the same implicit GOPATH.
-# This installs in a temp dir to avoid overwriting someone else's
-# linter, then installs in MYGOBIN with a new name.
-# Version pinned by hack/go.mod
+# cannot assume that golanci-lint is at the version they want.
+# This installs what kustomize wants to use.
 $(MYGOBIN)/golangci-lint-kustomize:
-	( \
-		set -e; \
-		cd hack; \
-		GO111MODULE=on go build -tags=tools -o $(MYGOBIN)/golangci-lint-kustomize github.com/golangci/golangci-lint/cmd/golangci-lint; \
-	)
+	rm -f $(CURDIR)/hack/golangci-lint
+	GOBIN=$(CURDIR)/hack go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.23.8
+	mv $(CURDIR)/hack/golangci-lint $(MYGOBIN)/golangci-lint-kustomize
 
-# Install from version specified in api/go.mod.
 $(MYGOBIN)/mdrip:
-	cd api; \
-	go install github.com/monopole/mdrip
+	go install github.com/monopole/mdrip@v1.0.2
 
-# Install from version specified in api/go.mod.
 $(MYGOBIN)/stringer:
-	cd api; \
-	go install golang.org/x/tools/cmd/stringer
+	go get golang.org/x/tools/cmd/stringer
 
-# Install from version specified in api/go.mod.
 $(MYGOBIN)/goimports:
-	cd api; \
-	go install golang.org/x/tools/cmd/goimports
+	go get golang.org/x/tools/cmd/goimports
 
 # Build from local source.
 $(MYGOBIN)/gorepomod:
 	cd cmd/gorepomod; \
 	go install .
 
+# Build from local source.
+$(MYGOBIN)/k8scopy:
+	cd cmd/k8scopy; \
+	go install .
+
 # Build from local source.
 $(MYGOBIN)/pluginator:
 	cd cmd/pluginator; \
 	go install .
 
 # Build from local source.
-$(MYGOBIN)/prchecker:
-	cd cmd/prchecker; \
-	go install .
-
-# Build from local source.
-$(MYGOBIN)/kustomize:
+$(MYGOBIN)/kustomize: build-kustomize-api
 	cd kustomize; \
 	go install .
 
@@ -98,13 +91,12 @@ $(MYGOBIN)/kustomize:
 install-tools: \
 	$(MYGOBIN)/goimports \
 	$(MYGOBIN)/golangci-lint-kustomize \
-	$(MYGOBIN)/gh \
 	$(MYGOBIN)/gorepomod \
+	$(MYGOBIN)/helmV3 \
+	$(MYGOBIN)/k8scopy \
 	$(MYGOBIN)/mdrip \
 	$(MYGOBIN)/pluginator \
-	$(MYGOBIN)/prchecker \
-	$(MYGOBIN)/stringer \
-	$(MYGOBIN)/helm
+	$(MYGOBIN)/stringer
 
 ### Begin kustomize plugin rules.
 #
@@ -128,13 +120,14 @@ install-tools: \
 #   module (it's linked into the api).
 
 # Where all generated builtin plugin code should go.
-pGen=api/builtins
+pGen=api/internal/builtins
 # Where the builtin Go plugin modules live.
 pSrc=plugin/builtin
 
 _builtinplugins = \
 	AnnotationsTransformer.go \
 	ConfigMapGenerator.go \
+	IAMPolicyGenerator.go \
 	HashTransformer.go \
 	ImageTagTransformer.go \
 	LabelTransformer.go \
@@ -143,7 +136,9 @@ _builtinplugins = \
 	PatchJson6902Transformer.go \
 	PatchStrategicMergeTransformer.go \
 	PatchTransformer.go \
-	PrefixSuffixTransformer.go \
+	PrefixTransformer.go \
+	SuffixTransformer.go \
+	ReplacementTransformer.go \
 	ReplicaCountTransformer.go \
 	SecretGenerator.go \
 	ValueAddTransformer.go \
@@ -161,6 +156,7 @@ builtinplugins = $(patsubst %,$(pGen)/%,$(_builtinplugins))
 # that file, will be recreated.
 $(pGen)/AnnotationsTransformer.go: $(pSrc)/annotationstransformer/AnnotationsTransformer.go
 $(pGen)/ConfigMapGenerator.go: $(pSrc)/configmapgenerator/ConfigMapGenerator.go
+$(pGen)/GkeSaGenerator.go: $(pSrc)/gkesagenerator/GkeSaGenerator.go
 $(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
 $(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
 $(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go
@@ -169,7 +165,9 @@ $(pGen)/NamespaceTransformer.go: $(pSrc)/namespacetransformer/NamespaceTransform
 $(pGen)/PatchJson6902Transformer.go: $(pSrc)/patchjson6902transformer/PatchJson6902Transformer.go
 $(pGen)/PatchStrategicMergeTransformer.go: $(pSrc)/patchstrategicmergetransformer/PatchStrategicMergeTransformer.go
 $(pGen)/PatchTransformer.go: $(pSrc)/patchtransformer/PatchTransformer.go
-$(pGen)/PrefixSuffixTransformer.go: $(pSrc)/prefixsuffixtransformer/PrefixSuffixTransformer.go
+$(pGen)/PrefixTransformer.go: $(pSrc)/prefixtransformer/PrefixTransformer.go
+$(pGen)/SuffixTransformer.go: $(pSrc)/suffixtransformer/SuffixTransformer.go
+$(pGen)/ReplacementTransformer.go: $(pSrc)/replacementtransformer/ReplacementTransformer.go
 $(pGen)/ReplicaCountTransformer.go: $(pSrc)/replicacounttransformer/ReplicaCountTransformer.go
 $(pGen)/SecretGenerator.go: $(pSrc)/secretgenerator/SecretGenerator.go
 $(pGen)/ValueAddTransformer.go: $(pSrc)/valueaddtransformer/ValueAddTransformer.go
@@ -203,7 +201,7 @@ clean-kustomize-external-go-plugin:
 ### End kustomize plugin rules.
 
 .PHONY: lint-kustomize
-lint-kustomize: install-tools $(builtinplugins)
+lint-kustomize: $(MYGOBIN)/golangci-lint-kustomize $(builtinplugins)
 	cd api; $(MYGOBIN)/golangci-lint-kustomize \
 	  -c ../.golangci-kustomize.yml \
 	  run ./...
@@ -221,12 +219,13 @@ build-kustomize-api: $(builtinplugins)
 	cd api; go build ./...
 
 .PHONY: generate-kustomize-api
-generate-kustomize-api:
+generate-kustomize-api: $(MYGOBIN)/k8scopy
 	cd api; go generate ./...
 
 .PHONY: test-unit-kustomize-api
 test-unit-kustomize-api: build-kustomize-api
 	cd api; go test ./...  -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+	cd api/krusty; OPENAPI_TEST=true go test -run TestCustomOpenAPIFieldFromComponentWithOverlays
 
 .PHONY: test-unit-kustomize-plugins
 test-unit-kustomize-plugins:
@@ -243,23 +242,10 @@ test-unit-kustomize-all: \
 	test-unit-kustomize-plugins
 
 test-unit-cmd-all:
-	./scripts/kyaml-pre-commit.sh
+	./hack/kyaml-pre-commit.sh
 
 test-go-mod:
-	./scripts/check-go-mod.sh
-
-# Environment variables are defined at
-# https://github.com/kubernetes/test-infra/blob/master/prow/jobs.md#job-environment-variables
-.PHONY: test-multi-module
-test-multi-module: $(MYGOBIN)/prchecker
-	( \
-		export MYGOBIN=$(MYGOBIN); \
-		export REPO_OWNER=$(REPO_OWNER); \
-		export REPO_NAME=$(REPO_NAME); \
-		export PULL_NUMBER=$(PULL_NUMBER); \
-		export MODULES=$(MODULES); \
-		./scripts/check-multi-module.sh; \
-	)
+	./hack/check-go-mod.sh
 
 .PHONY:
 test-examples-e2e-kustomize: $(MYGOBIN)/mdrip $(MYGOBIN)/kind
@@ -276,12 +262,8 @@ test-examples-kustomize-against-HEAD: $(MYGOBIN)/kustomize $(MYGOBIN)/mdrip
 	./hack/testExamplesAgainstKustomize.sh HEAD
 
 .PHONY:
-test-examples-kustomize-against-3.9.0: $(MYGOBIN)/mdrip
-	./hack/testExamplesAgainstKustomize.sh v3.9.0
-
-.PHONY:
-test-examples-kustomize-against-3.8.8: $(MYGOBIN)/mdrip
-	./hack/testExamplesAgainstKustomize.sh v3.8.8
+test-examples-kustomize-against-v4-release: $(MYGOBIN)/mdrip
+	./hack/testExamplesAgainstKustomize.sh v4@$(LATEST_V4_RELEASE)
 
 # linux only.
 # This is for testing an example plugin that
@@ -293,8 +275,8 @@ $(MYGOBIN)/kubeval:
 	( \
 		set -e; \
 		d=$(shell mktemp -d); cd $$d; \
-		wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz; \
-		tar xf kubeval-linux-amd64.tar.gz; \
+		wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-$(GOOS)-$(GOARCH).tar.gz; \
+		tar xf kubeval-$(GOOS)-$(GOARCH).tar.gz; \
 		mv kubeval $(MYGOBIN); \
 		rm -rf $$d; \
 	)
@@ -308,10 +290,10 @@ $(MYGOBIN)/helmV2:
 	( \
 		set -e; \
 		d=$(shell mktemp -d); cd $$d; \
-		tgzFile=helm-v2.13.1-linux-amd64.tar.gz; \
+		tgzFile=helm-v2.13.1-$(GOOS)-$(GOARCH).tar.gz; \
 		wget https://storage.googleapis.com/kubernetes-helm/$$tgzFile; \
 		tar -xvzf $$tgzFile; \
-		mv linux-amd64/helm $(MYGOBIN)/helmV2; \
+		mv $(GOOS)-$(GOARCH)/helm $(MYGOBIN)/helmV2; \
 		rm -rf $$d \
 	)
 
@@ -321,22 +303,18 @@ $(MYGOBIN)/helmV3:
 	( \
 		set -e; \
 		d=$(shell mktemp -d); cd $$d; \
-		tgzFile=helm-v3.4.0-linux-amd64.tar.gz; \
+		tgzFile=helm-v3.6.3-$(GOOS)-$(GOARCH).tar.gz; \
 		wget https://get.helm.sh/$$tgzFile; \
 		tar -xvzf $$tgzFile; \
-		mv linux-amd64/helm $(MYGOBIN)/helmV3; \
+		mv $(GOOS)-$(GOARCH)/helm $(MYGOBIN)/helmV3; \
 		rm -rf $$d \
 	)
 
-# Default version of helm is v3.
-$(MYGOBIN)/helm: $(MYGOBIN)/helmV3
-	ln -s $(MYGOBIN)/helmV3 $(MYGOBIN)/helm
-
 $(MYGOBIN)/kind:
 	( \
         set -e; \
         d=$(shell mktemp -d); cd $$d; \
-        wget -O ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-$(shell uname)-amd64; \
+        wget -O ./kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-$(GOOS)-$(GOARCH); \
         chmod +x ./kind; \
         mv ./kind $(MYGOBIN); \
         rm -rf $$d; \
@@ -347,10 +325,10 @@ $(MYGOBIN)/gh:
 	( \
 		set -e; \
 		d=$(shell mktemp -d); cd $$d; \
-		tgzFile=gh_1.0.0_linux_amd64.tar.gz; \
+		tgzFile=gh_1.0.0_$(GOOS)_$(GOARCH).tar.gz; \
 		wget https://github.com/cli/cli/releases/download/v1.0.0/$$tgzFile; \
 		tar -xvzf $$tgzFile; \
-		mv gh_1.0.0_linux_amd64/bin/gh  $(MYGOBIN)/gh; \
+		mv gh_1.0.0_$(GOOS)_$(GOARCH)/bin/gh  $(MYGOBIN)/gh; \
 		rm -rf $$d \
 	)
 
@@ -358,8 +336,11 @@ $(MYGOBIN)/gh:
 clean: clean-kustomize-external-go-plugin
 	go clean --cache
 	rm -f $(builtinplugins)
-	rm -f $(MYGOBIN)/kustomize
+	rm -f $(MYGOBIN)/goimports
 	rm -f $(MYGOBIN)/golangci-lint-kustomize
+	rm -f $(MYGOBIN)/kustomize
+	rm -f $(MYGOBIN)/mdrip
+	rm -f $(MYGOBIN)/stringer
 
 # Handle pluginator manually.
 # rm -f $(MYGOBIN)/pluginator

OWNERS

@@ -1,4 +1,6 @@
 # See https://github.com/kubernetes/community/blob/master/community-membership.md
 approvers:
-  - kustomize-admins
-  - kustomize-maintainers
+  - kustomize-approvers
+
+reviewers:
+  - kustomize-reviewers

OWNERS_ALIASES

@@ -1,14 +1,29 @@
+# Keep *-owners and *-approvers lists in sync with *-admins and *-maintainers in
+# https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml
 aliases:
-  kustomize-admins:
-    - monopole
-    - pwittrock
-  kustomize-maintainers:
-    - droot
-    - justinsb
-    - liujingfang1
+  kustomize-owners:
+    - knverey
+    - natasha41575
+  kustomize-approvers:
+    - knverey
+    - natasha41575
+  kustomize-reviewers:
+    - knverey
+    - natasha41575
+    - yuwenma
+
+  kyaml-approvers:
     - mengqiy
-    - monopole
-    - pwittrock
     - mortent
     - phanimarupaka
+  kyaml-reviewers:
+    - mengqiy
+    - mortent
+    - phanimarupaka
+
+  emeritus-approvers:
+    - liujingfang1
     - Shell32-Natsu
+    - justinsb
+    - monopole
+    - pwittrock

README.md

@@ -22,15 +22,22 @@ This tool is sponsored by [sig-cli] ([KEP]).
 
 The kustomize build flow at [v2.0.3] was added
 to [kubectl v1.14][kubectl announcement].  The kustomize
-flow in kubectl has remained frozen at v2.0.3 while work
-to extract kubectl from the k/k repo, and work to remove
-kustomize's dependence on core k/k code ([#2506]) has proceeded.
-The reintegration effort is tracked in [#1500] (and its blocking
-issues).
+flow in kubectl remained frozen at v2.0.3 until kubectl v1.21,
+which [updated it to v4.0.5][kust-in-kubectl update]. It will
+be updated on a regular basis going forward, and such updates
+will be reflected in the Kubernetes release notes.
+
+| Kubectl version | Kustomize version |
+| --- | --- |
+| < v1.14 | n/a |
+| v1.14-v1.20 | v2.0.3 |
+| v1.21 | v4.0.5 |
+| v1.22 | v4.2.0 |
 
 [v2.0.3]: /../../tree/v2.0.3
 [#2506]: https://github.com/kubernetes-sigs/kustomize/issues/2506
 [#1500]: https://github.com/kubernetes-sigs/kustomize/issues/1500
+[kust-in-kubectl update]: https://github.com/kubernetes/kubernetes/blob/4d75a6238a6e330337526e0513e67d02b1940b63/CHANGELOG/CHANGELOG-1.21.md#kustomize-updates-in-kubectl
 
 For examples and guides for using the kubectl integration please
 see the [kubectl book] or the [kubernetes documentation].
@@ -145,7 +152,7 @@ is governed by the [Kubernetes Code of Conduct].
 [`make`]: https://www.gnu.org/software/make
 [`sed`]: https://www.gnu.org/software/sed
 [DAM]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#declarative-application-management
-[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/0008-kustomize.md
+[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/2377-Kustomize/README.md
 [Kubernetes Code of Conduct]: code-of-conduct.md
 [applied]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#apply
 [base]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#base

api/builtins/HelmChartInflationGenerator.go

@@ -1,251 +0,0 @@
-// Code generated by pluginator on HelmChartInflationGenerator; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
-
-package builtins
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"path"
-	"regexp"
-	"strings"
-
-	"github.com/imdario/mergo"
-	"github.com/pkg/errors"
-	"sigs.k8s.io/kustomize/api/filesys"
-	"sigs.k8s.io/kustomize/api/resmap"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/yaml"
-)
-
-// HelmChartInflationGeneratorPlugin is a plugin to generate resources
-// from a remote or local helm chart.
-type HelmChartInflationGeneratorPlugin struct {
-	h                *resmap.PluginHelpers
-	types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-	runHelmCommand   func([]string) ([]byte, error)
-	types.HelmChartArgs
-	tmpDir string
-}
-
-var KustomizePlugin HelmChartInflationGeneratorPlugin
-
-// Config uses the input plugin configurations `config` to setup the generator
-// options
-func (p *HelmChartInflationGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) error {
-	p.h = h
-	err := yaml.Unmarshal(config, p)
-	if err != nil {
-		return err
-	}
-	tmpDir, err := filesys.NewTmpConfirmedDir()
-	if err != nil {
-		return err
-	}
-	p.tmpDir = string(tmpDir)
-	if p.ChartName == "" {
-		return fmt.Errorf("chartName cannot be empty")
-	}
-	if p.ChartHome == "" {
-		p.ChartHome = path.Join(p.tmpDir, "chart")
-	}
-	if p.ChartRepoName == "" {
-		p.ChartRepoName = "stable"
-	}
-	if p.HelmBin == "" {
-		p.HelmBin = "helm"
-	}
-	if p.HelmHome == "" {
-		p.HelmHome = path.Join(p.tmpDir, ".helm")
-	}
-	if p.Values == "" {
-		p.Values = path.Join(p.ChartHome, p.ChartName, "values.yaml")
-	}
-	if p.ValuesMerge == "" {
-		p.ValuesMerge = "override"
-	}
-	// runHelmCommand will run `helm` command with args provided. Return stdout
-	// and error if there is any.
-	p.runHelmCommand = func(args []string) ([]byte, error) {
-		stdout := new(bytes.Buffer)
-		stderr := new(bytes.Buffer)
-		cmd := exec.Command(p.HelmBin, args...)
-		cmd.Stdout = stdout
-		cmd.Stderr = stderr
-		cmd.Env = append(cmd.Env,
-			fmt.Sprintf("HELM_CONFIG_HOME=%s", p.HelmHome),
-			fmt.Sprintf("HELM_CACHE_HOME=%s/.cache", p.HelmHome),
-			fmt.Sprintf("HELM_DATA_HOME=%s/.data", p.HelmHome),
-		)
-		err := cmd.Run()
-		if err != nil {
-			return stdout.Bytes(),
-				errors.Wrap(
-					fmt.Errorf("failed to run command %s %s", p.HelmBin, strings.Join(args, " ")),
-					stderr.String(),
-				)
-		}
-		return stdout.Bytes(), nil
-	}
-	return nil
-}
-
-// EncodeValues for writing
-func (p *HelmChartInflationGeneratorPlugin) EncodeValues(w io.Writer) error {
-	d, err := yaml.Marshal(p.ValuesLocal)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(d)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// useValuesLocal process (merge) inflator config provided values with chart default values.yaml
-func (p *HelmChartInflationGeneratorPlugin) useValuesLocal() error {
-	fn := path.Join(p.ChartHome, p.ChartName, "kustomize-values.yaml")
-	vf, err := os.Create(fn)
-	defer vf.Close()
-	if err != nil {
-		return err
-	}
-	// override, merge, none
-	if p.ValuesMerge == "none" || p.ValuesMerge == "no" || p.ValuesMerge == "false" {
-		p.Values = fn
-	} else {
-		pValues, err := ioutil.ReadFile(p.Values)
-		if err != nil {
-			return err
-		}
-		chValues := make(map[string]interface{})
-		err = yaml.Unmarshal(pValues, &chValues)
-		if err != nil {
-			return err
-		}
-		if p.ValuesMerge == "override" {
-			err = mergo.Merge(&chValues, p.ValuesLocal, mergo.WithOverride)
-			if err != nil {
-				return err
-			}
-		}
-		if p.ValuesMerge == "merge" {
-			err = mergo.Merge(&chValues, p.ValuesLocal)
-			if err != nil {
-				return err
-			}
-		}
-		p.ValuesLocal = chValues
-		p.Values = fn
-	}
-	err = p.EncodeValues(vf)
-	if err != nil {
-		return err
-	}
-	vf.Sync()
-	return nil
-}
-
-// Generate implements generator
-func (p *HelmChartInflationGeneratorPlugin) Generate() (resmap.ResMap, error) {
-	// cleanup
-	defer os.RemoveAll(p.tmpDir)
-	// check helm version. we only support V3
-	err := p.checkHelmVersion()
-	if err != nil {
-		return nil, err
-	}
-	// pull the chart
-	if !p.checkLocalChart() {
-		_, err := p.runHelmCommand(p.getPullCommandArgs())
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// inflator config valuesLocal
-	if len(p.ValuesLocal) > 0 {
-		err := p.useValuesLocal()
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// render the charts
-	stdout, err := p.runHelmCommand(p.getTemplateCommandArgs())
-	if err != nil {
-		return nil, err
-	}
-
-	return p.h.ResmapFactory().NewResMapFromBytes(stdout)
-}
-
-func (p *HelmChartInflationGeneratorPlugin) getTemplateCommandArgs() []string {
-	args := []string{"template"}
-	if p.ReleaseName != "" {
-		args = append(args, p.ReleaseName)
-	}
-	args = append(args, path.Join(p.ChartHome, p.ChartName))
-	if p.ReleaseNamespace != "" {
-		args = append(args, "--namespace", p.ReleaseNamespace)
-	}
-	if p.Values != "" {
-		args = append(args, "--values", p.Values)
-	}
-	args = append(args, p.ExtraArgs...)
-	return args
-}
-
-func (p *HelmChartInflationGeneratorPlugin) getPullCommandArgs() []string {
-	args := []string{"pull", "--untar", "--untardir", p.ChartHome}
-	chartName := fmt.Sprintf("%s/%s", p.ChartRepoName, p.ChartName)
-	if p.ChartVersion != "" {
-		args = append(args, "--version", p.ChartVersion)
-	}
-	if p.ChartRepoURL != "" {
-		args = append(args, "--repo", p.ChartRepoURL)
-		chartName = p.ChartName
-	}
-
-	args = append(args, chartName)
-
-	return args
-}
-
-// checkLocalChart will return true if the chart does exist in
-// local chart home.
-func (p *HelmChartInflationGeneratorPlugin) checkLocalChart() bool {
-	path := path.Join(p.ChartHome, p.ChartName)
-	s, err := os.Stat(path)
-	if err != nil {
-		return false
-	}
-	return s.IsDir()
-}
-
-// checkHelmVersion will return an error if the helm version is not V3
-func (p *HelmChartInflationGeneratorPlugin) checkHelmVersion() error {
-	stdout, err := p.runHelmCommand([]string{"version", "-c", "--short"})
-	if err != nil {
-		return err
-	}
-	r, err := regexp.Compile(`v\d+(\.\d+)+`)
-	if err != nil {
-		return err
-	}
-	v := string(r.Find(stdout))[1:]
-	majorVersion := strings.Split(v, ".")[0]
-	if majorVersion != "3" {
-		return fmt.Errorf("this plugin requires helm V3 but got v%s", v)
-	}
-	return nil
-}
-
-func NewHelmChartInflationGeneratorPlugin() resmap.GeneratorPlugin {
-	return &HelmChartInflationGeneratorPlugin{}
-}

api/builtins/ImageTagTransformer.go

@@ -1,187 +0,0 @@
-// Code generated by pluginator on ImageTagTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
-
-package builtins
-
-import (
-	"fmt"
-	"regexp"
-	"strings"
-
-	"sigs.k8s.io/kustomize/api/filters/imagetag"
-	"sigs.k8s.io/kustomize/api/resmap"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/yaml"
-)
-
-// Find matching image declarations and replace
-// the name, tag and/or digest.
-type ImageTagTransformerPlugin struct {
-	ImageTag   types.Image       `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
-	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-}
-
-func (p *ImageTagTransformerPlugin) Config(
-	_ *resmap.PluginHelpers, c []byte) (err error) {
-	p.ImageTag = types.Image{}
-	p.FieldSpecs = nil
-	return yaml.Unmarshal(c, p)
-}
-
-func (p *ImageTagTransformerPlugin) Transform(m resmap.ResMap) error {
-	for _, r := range m.Resources() {
-		// traverse all fields at first
-		err := r.ApplyFilter(imagetag.LegacyFilter{
-			ImageTag: p.ImageTag,
-		})
-		if err != nil {
-			return err
-		}
-		// then use user specified field specs
-		err = r.ApplyFilter(imagetag.Filter{
-			ImageTag: p.ImageTag,
-			FsSlice:  p.FieldSpecs,
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (p *ImageTagTransformerPlugin) mutateImage(in interface{}) (interface{}, error) {
-	original, ok := in.(string)
-	if !ok {
-		return nil, fmt.Errorf("image path is not of type string but %T", in)
-	}
-
-	if !isImageMatched(original, p.ImageTag.Name) {
-		return original, nil
-	}
-	name, tag := split(original)
-	if p.ImageTag.NewName != "" {
-		name = p.ImageTag.NewName
-	}
-	if p.ImageTag.NewTag != "" {
-		tag = ":" + p.ImageTag.NewTag
-	}
-	if p.ImageTag.Digest != "" {
-		tag = "@" + p.ImageTag.Digest
-	}
-	return name + tag, nil
-}
-
-// findAndReplaceImage replaces the image name and
-// tags inside one object.
-// It searches the object for container session
-// then loops though all images inside containers
-// session, finds matched ones and update the
-// image name and tag name
-func (p *ImageTagTransformerPlugin) findAndReplaceImage(obj map[string]interface{}) error {
-	paths := []string{"containers", "initContainers"}
-	updated := false
-	for _, path := range paths {
-		containers, found := obj[path]
-		if found && containers != nil {
-			if _, err := p.updateContainers(containers); err != nil {
-				return err
-			}
-			updated = true
-		}
-	}
-	if !updated {
-		return p.findContainers(obj)
-	}
-	return nil
-}
-
-func (p *ImageTagTransformerPlugin) updateContainers(in interface{}) (interface{}, error) {
-	containers, ok := in.([]interface{})
-	if !ok {
-		return nil, fmt.Errorf(
-			"containers path is not of type []interface{} but %T", in)
-	}
-	for i := range containers {
-		container := containers[i].(map[string]interface{})
-		containerImage, found := container["image"]
-		if !found {
-			continue
-		}
-		imageName := containerImage.(string)
-		if isImageMatched(imageName, p.ImageTag.Name) {
-			newImage, err := p.mutateImage(imageName)
-			if err != nil {
-				return nil, err
-			}
-			container["image"] = newImage
-		}
-	}
-	return containers, nil
-}
-
-func (p *ImageTagTransformerPlugin) findContainers(obj map[string]interface{}) error {
-	for key := range obj {
-		switch typedV := obj[key].(type) {
-		case map[string]interface{}:
-			err := p.findAndReplaceImage(typedV)
-			if err != nil {
-				return err
-			}
-		case []interface{}:
-			for i := range typedV {
-				item := typedV[i]
-				typedItem, ok := item.(map[string]interface{})
-				if ok {
-					err := p.findAndReplaceImage(typedItem)
-					if err != nil {
-						return err
-					}
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func isImageMatched(s, t string) bool {
-	// Tag values are limited to [a-zA-Z0-9_.{}-].
-	// Some tools like Bazel rules_k8s allow tag patterns with {} characters.
-	// More info: https://github.com/bazelbuild/rules_k8s/pull/423
-	pattern, _ := regexp.Compile("^" + t + "(@sha256)?(:[a-zA-Z0-9_.{}-]*)?$")
-	return pattern.MatchString(s)
-}
-
-// split separates and returns the name and tag parts
-// from the image string using either colon `:` or at `@` separators.
-// Note that the returned tag keeps its separator.
-func split(imageName string) (name string, tag string) {
-	// check if image name contains a domain
-	// if domain is present, ignore domain and check for `:`
-	ic := -1
-	if slashIndex := strings.Index(imageName, "/"); slashIndex < 0 {
-		ic = strings.LastIndex(imageName, ":")
-	} else {
-		lastIc := strings.LastIndex(imageName[slashIndex:], ":")
-		// set ic only if `:` is present
-		if lastIc > 0 {
-			ic = slashIndex + lastIc
-		}
-	}
-	ia := strings.LastIndex(imageName, "@")
-	if ic < 0 && ia < 0 {
-		return imageName, ""
-	}
-
-	i := ic
-	if ia > 0 {
-		i = ia
-	}
-
-	name = imageName[:i]
-	tag = imageName[i:]
-	return
-}
-
-func NewImageTagTransformerPlugin() resmap.TransformerPlugin {
-	return &ImageTagTransformerPlugin{}
-}

api/builtins/PrefixSuffixTransformer.go

@@ -1,104 +0,0 @@
-// Code generated by pluginator on PrefixSuffixTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
-
-package builtins
-
-import (
-	"errors"
-
-	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
-	"sigs.k8s.io/kustomize/api/resid"
-	"sigs.k8s.io/kustomize/api/resmap"
-	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/yaml"
-)
-
-// Add the given prefix and suffix to the field.
-type PrefixSuffixTransformerPlugin struct {
-	Prefix     string        `json:"prefix,omitempty" yaml:"prefix,omitempty"`
-	Suffix     string        `json:"suffix,omitempty" yaml:"suffix,omitempty"`
-	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-}
-
-// A Gvk skip list for prefix/suffix modification.
-// hard coded for now - eventually should be part of config.
-var prefixSuffixFieldSpecsToSkip = types.FsSlice{
-	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
-	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
-	{Gvk: resid.Gvk{Kind: "Namespace"}},
-}
-
-func (p *PrefixSuffixTransformerPlugin) Config(
-	_ *resmap.PluginHelpers, c []byte) (err error) {
-	p.Prefix = ""
-	p.Suffix = ""
-	p.FieldSpecs = nil
-	err = yaml.Unmarshal(c, p)
-	if err != nil {
-		return
-	}
-	if p.FieldSpecs == nil {
-		return errors.New("fieldSpecs is not expected to be nil")
-	}
-	return
-}
-
-func (p *PrefixSuffixTransformerPlugin) Transform(m resmap.ResMap) error {
-	// Even if both the Prefix and Suffix are empty we want
-	// to proceed with the transformation. This allows to add contextual
-	// information to the resources (AddNamePrefix and AddNameSuffix).
-	for _, r := range m.Resources() {
-		// TODO: move this test into the filter (i.e. make a better filter)
-		if p.shouldSkip(r.OrgId()) {
-			continue
-		}
-		id := r.OrgId()
-		// current default configuration contains
-		// only one entry: "metadata/name" with no GVK
-		for _, fs := range p.FieldSpecs {
-			// TODO: this is redundant to filter (but needed for now)
-			if !id.IsSelected(&fs.Gvk) {
-				continue
-			}
-			// TODO: move this test into the filter.
-			if smellsLikeANameChange(&fs) {
-				// "metadata/name" is the only field.
-				// this will add a prefix and a suffix
-				// to the resource even if those are
-				// empty
-
-				r.AddNamePrefix(p.Prefix)
-				r.AddNameSuffix(p.Suffix)
-				if p.Prefix != "" || p.Suffix != "" {
-					r.SetOriginalName(r.GetName(), false)
-				}
-			}
-			err := r.ApplyFilter(prefixsuffix.Filter{
-				Prefix:    p.Prefix,
-				Suffix:    p.Suffix,
-				FieldSpec: fs,
-			})
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func smellsLikeANameChange(fs *types.FieldSpec) bool {
-	return fs.Path == "metadata/name"
-}
-
-func (p *PrefixSuffixTransformerPlugin) shouldSkip(id resid.ResId) bool {
-	for _, path := range prefixSuffixFieldSpecsToSkip {
-		if id.IsSelected(&path.Gvk) {
-			return true
-		}
-	}
-	return false
-}
-
-func NewPrefixSuffixTransformerPlugin() resmap.TransformerPlugin {
-	return &PrefixSuffixTransformerPlugin{}
-}

api/builtins/builtins.go

@@ -0,0 +1,51 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Deprecated: Package api/builtins will not be available in API v1.
+package builtins
+
+import (
+	internal "sigs.k8s.io/kustomize/api/internal/builtins"
+)
+
+type (
+	AnnotationsTransformerPlugin         = internal.AnnotationsTransformerPlugin
+	ConfigMapGeneratorPlugin             = internal.ConfigMapGeneratorPlugin
+	HashTransformerPlugin                = internal.HashTransformerPlugin
+	HelmChartInflationGeneratorPlugin    = internal.HelmChartInflationGeneratorPlugin
+	IAMPolicyGeneratorPlugin             = internal.IAMPolicyGeneratorPlugin
+	ImageTagTransformerPlugin            = internal.ImageTagTransformerPlugin
+	LabelTransformerPlugin               = internal.LabelTransformerPlugin
+	LegacyOrderTransformerPlugin         = internal.LegacyOrderTransformerPlugin
+	NamespaceTransformerPlugin           = internal.NamespaceTransformerPlugin
+	PatchJson6902TransformerPlugin       = internal.PatchJson6902TransformerPlugin
+	PatchStrategicMergeTransformerPlugin = internal.PatchStrategicMergeTransformerPlugin
+	PatchTransformerPlugin               = internal.PatchTransformerPlugin
+	PrefixTransformerPlugin              = internal.PrefixTransformerPlugin
+	SuffixTransformerPlugin              = internal.SuffixTransformerPlugin
+	ReplacementTransformerPlugin         = internal.ReplacementTransformerPlugin
+	ReplicaCountTransformerPlugin        = internal.ReplicaCountTransformerPlugin
+	SecretGeneratorPlugin                = internal.SecretGeneratorPlugin
+	ValueAddTransformerPlugin            = internal.ValueAddTransformerPlugin
+)
+
+var (
+	NewAnnotationsTransformerPlugin         = internal.NewAnnotationsTransformerPlugin
+	NewConfigMapGeneratorPlugin             = internal.NewConfigMapGeneratorPlugin
+	NewHashTransformerPlugin                = internal.NewHashTransformerPlugin
+	NewHelmChartInflationGeneratorPlugin    = internal.NewHelmChartInflationGeneratorPlugin
+	NewIAMPolicyGeneratorPlugin             = internal.NewIAMPolicyGeneratorPlugin
+	NewImageTagTransformerPlugin            = internal.NewImageTagTransformerPlugin
+	NewLabelTransformerPlugin               = internal.NewLabelTransformerPlugin
+	NewLegacyOrderTransformerPlugin         = internal.NewLegacyOrderTransformerPlugin
+	NewNamespaceTransformerPlugin           = internal.NewNamespaceTransformerPlugin
+	NewPatchJson6902TransformerPlugin       = internal.NewPatchJson6902TransformerPlugin
+	NewPatchStrategicMergeTransformerPlugin = internal.NewPatchStrategicMergeTransformerPlugin
+	NewPatchTransformerPlugin               = internal.NewPatchTransformerPlugin
+	NewPrefixTransformerPlugin              = internal.NewPrefixTransformerPlugin
+	NewSuffixTransformerPlugin              = internal.NewSuffixTransformerPlugin
+	NewReplacementTransformerPlugin         = internal.NewReplacementTransformerPlugin
+	NewReplicaCountTransformerPlugin        = internal.NewReplicaCountTransformerPlugin
+	NewSecretGeneratorPlugin                = internal.NewSecretGeneratorPlugin
+	NewValueAddTransformerPlugin            = internal.NewValueAddTransformerPlugin
+)

api/filesys/filesys.go

@@ -0,0 +1,61 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package filesys provides a file system abstraction,
+// a subset of that provided by golang.org/pkg/os,
+// with an on-disk and in-memory representation.
+//
+// Deprecated: use sigs.k8s.io/kustomize/kyaml/filesys instead.
+package filesys
+
+import "sigs.k8s.io/kustomize/kyaml/filesys"
+
+const (
+	// Separator is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.Separator.
+	Separator = filesys.Separator
+	// SelfDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.SelfDir.
+	SelfDir = filesys.SelfDir
+	// ParentDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ParentDir.
+	ParentDir = filesys.ParentDir
+)
+
+type (
+	// FileSystem is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystem.
+	FileSystem = filesys.FileSystem
+	// FileSystemOrOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystemOrOnDisk.
+	FileSystemOrOnDisk = filesys.FileSystemOrOnDisk
+	// ConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ConfirmedDir.
+	ConfirmedDir = filesys.ConfirmedDir
+)
+
+// MakeEmptyDirInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeEmptyDirInMemory.
+func MakeEmptyDirInMemory() FileSystem { return filesys.MakeEmptyDirInMemory() }
+
+// MakeFsInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsInMemory.
+func MakeFsInMemory() FileSystem { return filesys.MakeFsInMemory() }
+
+// MakeFsOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsOnDisk.
+func MakeFsOnDisk() FileSystem { return filesys.MakeFsOnDisk() }
+
+// NewTmpConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.NewTmpConfirmedDir.
+func NewTmpConfirmedDir() (filesys.ConfirmedDir, error) { return filesys.NewTmpConfirmedDir() }
+
+// RootedPath is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.RootedPath.
+func RootedPath(elem ...string) string { return filesys.RootedPath(elem...) }
+
+// StripTrailingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripTrailingSeps.
+func StripTrailingSeps(s string) string { return filesys.StripTrailingSeps(s) }
+
+// StripLeadingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripLeadingSeps.
+func StripLeadingSeps(s string) string { return filesys.StripLeadingSeps(s) }
+
+// PathSplit is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathSplit.
+func PathSplit(incoming string) []string { return filesys.PathSplit(incoming) }
+
+// PathJoin is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathJoin.
+func PathJoin(incoming []string) string { return filesys.PathJoin(incoming) }
+
+// InsertPathPart is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.InsertPathPart.
+func InsertPathPart(path string, pos int, part string) string {
+	return filesys.InsertPathPart(path, pos, part)
+}

api/filesys/filesystem.go

@@ -1,50 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package filesys provides a file system abstraction layer.
-package filesys
-
-import (
-	"path/filepath"
-)
-
-const (
-	Separator = string(filepath.Separator)
-	SelfDir   = "."
-	ParentDir = ".."
-)
-
-// FileSystem groups basic os filesystem methods.
-// It's supposed be functional subset of https://golang.org/pkg/os
-type FileSystem interface {
-	// Create a file.
-	Create(path string) (File, error)
-	// MkDir makes a directory.
-	Mkdir(path string) error
-	// MkDirAll makes a directory path, creating intervening directories.
-	MkdirAll(path string) error
-	// RemoveAll removes path and any children it contains.
-	RemoveAll(path string) error
-	// Open opens the named file for reading.
-	Open(path string) (File, error)
-	// IsDir returns true if the path is a directory.
-	IsDir(path string) bool
-	// CleanedAbs converts the given path into a
-	// directory and a file name, where the directory
-	// is represented as a ConfirmedDir and all that implies.
-	// If the entire path is a directory, the file component
-	// is an empty string.
-	CleanedAbs(path string) (ConfirmedDir, string, error)
-	// Exists is true if the path exists in the file system.
-	Exists(path string) bool
-	// Glob returns the list of matching files,
-	// emulating https://golang.org/pkg/path/filepath/#Glob
-	Glob(pattern string) ([]string, error)
-	// ReadFile returns the contents of the file at the given path.
-	ReadFile(path string) ([]byte, error)
-	// WriteFile writes the data to a file at the given path,
-	// overwriting anything that's already there.
-	WriteFile(path string, data []byte) error
-	// Walk walks the file system with the given WalkFunc.
-	Walk(path string, walkFn filepath.WalkFunc) error
-}

api/filters/annotations/annotations.go

@@ -19,9 +19,17 @@ type Filter struct {
 
 	// FsSlice contains the FieldSpecs to locate the namespace field
 	FsSlice types.FsSlice
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
 
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	keys := yaml.SortedMapKeys(f.Annotations)
@@ -30,7 +38,7 @@ func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 			for _, k := range keys {
 				if err := node.PipeE(fsslice.Filter{
 					FsSlice: f.FsSlice,
-					SetValue: filtersutil.SetEntry(
+					SetValue: f.trackableSetter.SetEntry(
 						k, f.Annotations[k], yaml.NodeTagString),
 					CreateKind: yaml.MappingNode, // Annotations are MappingNodes.
 					CreateTag:  yaml.NodeTagMap,

api/filters/annotations/annotations_test.go

@@ -11,16 +11,20 @@ import (
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 var annosFs = builtinconfig.MakeDefaultConfig().CommonAnnotations
 
 func TestAnnotations_Filter(t *testing.T) {
+	mutationTrackStub := filtertest_test.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input          string
-		expectedOutput string
-		filter         Filter
-		fsslice        types.FsSlice
+		input                string
+		expectedOutput       string
+		filter               Filter
+		fsslice              types.FsSlice
+		setEntryCallback     func(key, value, tag string, node *yaml.RNode)
+		expectedSetEntryArgs []filtertest_test.SetValueArg
 	}{
 		"add": {
 			input: `
@@ -210,17 +214,86 @@ metadata:
 				"b": "b1",
 			}},
 		},
+
+		// test usage of SetEntryCallback
+		"set_entry_callback": {
+			input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+`,
+			expectedOutput: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+  annotations:
+    a: a1
+    b: b1
+spec:
+  template:
+    metadata:
+      annotations:
+        a: a1
+        b: b1
+`,
+			filter: Filter{
+				Annotations: annoMap{
+					"a": "a1",
+					"b": "b1",
+				},
+			},
+			setEntryCallback: mutationTrackStub.MutationTracker,
+			fsslice: []types.FieldSpec{
+				{
+					Path:               "spec/template/metadata/annotations",
+					CreateIfNotPresent: true,
+				},
+			},
+			expectedSetEntryArgs: []filtertest_test.SetValueArg{
+				{
+					Key:      "a",
+					Value:    "a1",
+					Tag:      "!!str",
+					NodePath: []string{"metadata", "annotations"},
+				},
+				{
+					Key:      "a",
+					Value:    "a1",
+					Tag:      "!!str",
+					NodePath: []string{"spec", "template", "metadata", "annotations"},
+				},
+				{
+					Key:      "b",
+					Value:    "b1",
+					Tag:      "!!str",
+					NodePath: []string{"metadata", "annotations"},
+				},
+				{
+					Key:      "b",
+					Value:    "b1",
+					Tag:      "!!str",
+					NodePath: []string{"spec", "template", "metadata", "annotations"},
+				},
+			},
+		},
 	}
 
 	for tn, tc := range testCases {
+		mutationTrackStub.Reset()
 		t.Run(tn, func(t *testing.T) {
 			filter := tc.filter
+			filter.WithMutationTracker(tc.setEntryCallback)
 			filter.FsSlice = append(annosFs, tc.fsslice...)
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest_test.RunFilter(t, tc.input, filter))) {
 				t.FailNow()
 			}
+			if !assert.Equal(t, tc.expectedSetEntryArgs, mutationTrackStub.SetValueArgs()) {
+				t.FailNow()
+			}
 		})
 	}
 }

api/filters/doc.go

@@ -0,0 +1,5 @@
+package filters
+
+// Package filters collects various implementations
+// sigs.k8s.io/kustomize/kyaml/kio.Filter used by kustomize
+// transformers to modify kubernetes objects.

api/filters/fieldspec/fieldspec.go

@@ -4,17 +4,29 @@
 package fieldspec
 
 import (
+	"fmt"
 	"strings"
 
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 var _ yaml.Filter = Filter{}
 
-// Filter applies a single fieldSpec to a single object
+// Filter possibly mutates its object argument using a FieldSpec.
+// If the object matches the FieldSpec, and the node found
+// by following the fieldSpec's path is non-null, this filter calls
+// the setValue function on the node at the end of the path.
+// If any part of the path doesn't exist, the filter returns
+// without doing anything and without error, unless it was set
+// to create the path. If set to create, it creates a tree of maps
+// along the path, and the leaf node gets the setValue called on it.
+// Error on GVK mismatch, empty or poorly formed path.
+// Filter expect kustomize style paths, not JSON paths.
 // Filter stores internal state and should not be reused
 type Filter struct {
 	// FieldSpec contains the path to the value to set.
@@ -34,47 +46,52 @@ type Filter struct {
 
 func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
 	// check if the FieldSpec applies to the object
-	if match, err := isMatchGVK(fltr.FieldSpec, obj); !match || err != nil {
-		return obj, errors.Wrap(err)
+	if match := isMatchGVK(fltr.FieldSpec, obj); !match {
+		return obj, nil
 	}
-	fltr.path = splitPath(fltr.FieldSpec.Path)
+	fltr.path = utils.PathSplitter(fltr.FieldSpec.Path, "/")
 	if err := fltr.filter(obj); err != nil {
-		s, _ := obj.String()
 		return nil, errors.WrapPrefixf(err,
-			"obj '%s' at path '%v'", s, fltr.FieldSpec.Path)
+			"considering field '%s' of object %s", fltr.FieldSpec.Path, resid.FromRNode(obj))
 	}
 	return obj, nil
 }
 
+// Recursively called.
 func (fltr Filter) filter(obj *yaml.RNode) error {
 	if len(fltr.path) == 0 {
 		// found the field -- set its value
 		return fltr.SetValue(obj)
 	}
-	if obj.IsTaggedNull() {
+	if obj.IsTaggedNull() || obj.IsNil() {
 		return nil
 	}
 	switch obj.YNode().Kind {
 	case yaml.SequenceNode:
-		return fltr.seq(obj)
+		return fltr.handleSequence(obj)
 	case yaml.MappingNode:
-		return fltr.field(obj)
+		return fltr.handleMap(obj)
+	case yaml.AliasNode:
+		return fltr.filter(yaml.NewRNode(obj.YNode().Alias))
 	default:
 		return errors.Errorf("expected sequence or mapping node")
 	}
 }
 
-// field calls filter on the field matching the next path element
-func (fltr Filter) field(obj *yaml.RNode) error {
+// handleMap calls filter on the map field matching the next path element
+func (fltr Filter) handleMap(obj *yaml.RNode) error {
 	fieldName, isSeq := isSequenceField(fltr.path[0])
+	if fieldName == "" {
+		return fmt.Errorf("cannot set or create an empty field name")
+	}
 	// lookup the field matching the next path element
-	var lookupField yaml.Filter
+	var operation yaml.Filter
 	var kind yaml.Kind
 	tag := yaml.NodeTagEmpty
 	switch {
 	case !fltr.FieldSpec.CreateIfNotPresent || fltr.CreateKind == 0 || isSeq:
-		// dont' create the field if we don't find it
-		lookupField = yaml.Lookup(fieldName)
+		// don't create the field if we don't find it
+		operation = yaml.Lookup(fieldName)
 		if isSeq {
 			// The query path thinks this field should be a sequence;
 			// accept this hint for use later if the tag is NodeTagNull.
@@ -82,21 +99,25 @@ func (fltr Filter) field(obj *yaml.RNode) error {
 		}
 	case len(fltr.path) <= 1:
 		// create the field if it is missing: use the provided node kind
-		lookupField = yaml.LookupCreate(fltr.CreateKind, fieldName)
+		operation = yaml.LookupCreate(fltr.CreateKind, fieldName)
 		kind = fltr.CreateKind
 		tag = fltr.CreateTag
 	default:
 		// create the field if it is missing: must be a mapping node
-		lookupField = yaml.LookupCreate(yaml.MappingNode, fieldName)
+		operation = yaml.LookupCreate(yaml.MappingNode, fieldName)
 		kind = yaml.MappingNode
 		tag = yaml.NodeTagMap
 	}
 
 	// locate (or maybe create) the field
-	field, err := obj.Pipe(lookupField)
-	if err != nil || field == nil {
+	field, err := obj.Pipe(operation)
+	if err != nil {
 		return errors.WrapPrefixf(err, "fieldName: %s", fieldName)
 	}
+	if field == nil {
+		// No error if field not found.
+		return nil
+	}
 
 	// if the value exists, but is null and kind is set,
 	// then change it to the creation type
@@ -114,8 +135,10 @@ func (fltr Filter) field(obj *yaml.RNode) error {
 }
 
 // seq calls filter on all sequence elements
-func (fltr Filter) seq(obj *yaml.RNode) error {
+func (fltr Filter) handleSequence(obj *yaml.RNode) error {
 	if err := obj.VisitElements(func(node *yaml.RNode) error {
+		// set an accurate FieldPath for nested elements
+		node.AppendToFieldPath(obj.FieldPath()...)
 		// recurse on each element -- re-allocating a Filter is
 		// not strictly required, but is more consistent with field
 		// and less likely to have side effects
@@ -125,56 +148,35 @@ func (fltr Filter) seq(obj *yaml.RNode) error {
 		return errors.WrapPrefixf(err,
 			"visit traversal on path: %v", fltr.path)
 	}
-
 	return nil
 }
 
 // isSequenceField returns true if the path element is for a sequence field.
 // isSequence also returns the path element with the '[]' suffix trimmed
 func isSequenceField(name string) (string, bool) {
-	isSeq := strings.HasSuffix(name, "[]")
-	name = strings.TrimSuffix(name, "[]")
-	return name, isSeq
+	shorter := strings.TrimSuffix(name, "[]")
+	return shorter, shorter != name
 }
 
 // isMatchGVK returns true if the fs.GVK matches the obj GVK.
-func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) (bool, error) {
-	meta, err := obj.GetMeta()
-	if err != nil {
-		return false, err
-	}
-	if fs.Kind != "" && fs.Kind != meta.Kind {
+func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) bool {
+	if kind := obj.GetKind(); fs.Kind != "" && fs.Kind != kind {
 		// kind doesn't match
-		return false, err
+		return false
 	}
 
 	// parse the group and version from the apiVersion field
-	group, version := parseGV(meta.APIVersion)
+	group, version := resid.ParseGroupVersion(obj.GetApiVersion())
 
 	if fs.Group != "" && fs.Group != group {
 		// group doesn't match
-		return false, nil
+		return false
 	}
 
 	if fs.Version != "" && fs.Version != version {
 		// version doesn't match
-		return false, nil
+		return false
 	}
 
-	return true, nil
-}
-
-func splitPath(path string) []string {
-	ps := strings.Split(path, "/")
-	var res []string
-	res = append(res, ps[0])
-	for i := 1; i < len(ps); i++ {
-		lastIndex := len(res) - 1
-		if strings.HasSuffix(res[lastIndex], "\\") {
-			res[lastIndex] = strings.TrimSuffix(res[lastIndex], "\\") + "/" + ps[i]
-		} else {
-			res = append(res, ps[i])
-		}
-	}
-	return res
+	return true
 }

api/filters/fieldspec/fieldspec_test.go

@@ -15,206 +15,239 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
-type TestCase struct {
-	name      string
-	input     string
-	expected  string
-	filter    fieldspec.Filter
-	fieldSpec string
-	error     string
-}
-
-var tests = []TestCase{
-	{
-		name: "update",
-		fieldSpec: `
+func TestFilter_Filter(t *testing.T) {
+	testCases := map[string]struct {
+		input     string
+		expected  string
+		filter    fieldspec.Filter
+		fieldSpec string
+		error     string
+	}{
+		"path not found": {
+			fieldSpec: `
 path: a/b
 group: foo
 kind: Bar
 `,
-		input: `
+			input: `
+apiVersion: foo
+kind: Bar
+xxx:
+`,
+			expected: `
+apiVersion: foo
+kind: Bar
+xxx:
+`,
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
+		},
+		"empty path": {
+			fieldSpec: `
+group: foo
+version: v1
+kind: Bar
+`,
+			input: `
+apiVersion: foo/v1
+kind: Bar
+xxx:
+`,
+			expected: `
+apiVersion: foo
+kind: Bar
+xxx:
+`,
+			error: `considering field '' of object Bar.v1.foo/[noName].[noNs]: cannot set or create an empty field name`,
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
+		},
+
+		"update": {
+			fieldSpec: `
+path: a/b
+group: foo
+kind: Bar
+`,
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
   b: c
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
   b: e
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "update-kind-not-match",
-		fieldSpec: `
+		"update-kind-not-match": {
+			fieldSpec: `
 path: a/b
 group: foo
 kind: Bar1
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar2
 a:
   b: c
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar2
 a:
   b: c
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "update-group-not-match",
-		fieldSpec: `
+		"update-group-not-match": {
+			fieldSpec: `
 path: a/b
 group: foo1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo2/v1beta1
 kind: Bar
 a:
   b: c
 `,
-		expected: `
+			expected: `
 apiVersion: foo2/v1beta1
 kind: Bar
 a:
   b: c
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "update-version-not-match",
-		fieldSpec: `
+		"update-version-not-match": {
+			fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta2
 kind: Bar
 a:
   b: c
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta2
 kind: Bar
 a:
   b: c
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "bad-version",
-		fieldSpec: `
+		"bad-version": {
+			fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta2/something
 kind: Bar
 a:
   b: c
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta2/something
 kind: Bar
 a:
   b: c
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "bad-meta",
-		fieldSpec: `
+		"bad-meta": {
+			fieldSpec: `
 path: a/b
 group: foo
 version: v1beta1
 kind: Bar
 `,
-		input: `
+			input: `
 a:
   b: c
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			expected: `
+a:
+  b: c
+`,
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-		error: "missing Resource metadata",
-	},
 
-	{
-		name: "miss-match-type",
-		fieldSpec: `
+		"miss-match-type": {
+			fieldSpec: `
 path: a/b/c
 kind: Bar
 `,
-		input: `
+			input: `
 kind: Bar
 a:
   b: a
 `,
-		error: "obj 'kind: Bar\na:\n  b: a\n' at path 'a/b/c': " +
-			"expected sequence or mapping node",
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			error: `considering field 'a/b/c' of object Bar.[noVer].[noGrp]/[noName].[noNs]: expected sequence or mapping node`,
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	{
-		name: "add",
-		fieldSpec: `
+		"add": {
+			fieldSpec: `
 path: a/b/c/d
 group: foo
 create: true
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {b: {c: {d: e}}}
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("e"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("e"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
 
-	{
-		name: "update-in-sequence",
-		fieldSpec: `
+		"update-in-sequence": {
+			fieldSpec: `
 path: a/b[]/c/d
 group: foo
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
@@ -222,7 +255,7 @@ a:
   - c:
       d: a
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
@@ -230,244 +263,237 @@ a:
   - c:
       d: e
 `,
-		filter: fieldspec.Filter{
-			SetValue: filtersutil.SetScalar("e"),
+			filter: fieldspec.Filter{
+				SetValue: filtersutil.SetScalar("e"),
+			},
 		},
-	},
 
-	// Don't create a sequence
-	{
-		name: "empty-sequence-no-create",
-		fieldSpec: `
+		// Don't create a sequence
+		"empty-sequence-no-create": {
+			fieldSpec: `
 path: a/b[]/c/d
 group: foo
 create: true
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a: {}
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("e"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("e"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
 
-	// Create a new field for an element in a sequence
-	{
-		name: "empty-sequence-create",
-		fieldSpec: `
+		// Create a new field for an element in a sequence
+		"empty-sequence-create": {
+			fieldSpec: `
 path: a/b[]/c/d
 group: foo
 create: true
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
   b:
   - c: {}
 `,
-		expected: `
+			expected: `
 apiVersion: foo/v1beta1
 kind: Bar
 a:
   b:
   - c: {d: e}
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("e"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("e"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
 
-	{
-		name: "group v1",
-		fieldSpec: `
+		"group v1": {
+			fieldSpec: `
 path: a/b
 group: v1
 create: true
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("e"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("e"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
 
-	{
-		name: "version v1",
-		fieldSpec: `
+		"version v1": {
+			fieldSpec: `
 path: a/b
 version: v1
 create: true
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 a:
   b: e
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("e"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("e"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "successfully set field on array entry no sequence hint",
-		fieldSpec: `
+
+		"successfully set field on array entry no sequence hint": {
+			fieldSpec: `
 path: spec/containers/image
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
   - image: foo
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
   - image: bar
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "successfully set field on array entry with sequence hint",
-		fieldSpec: `
+
+		"successfully set field on array entry with sequence hint": {
+			fieldSpec: `
 path: spec/containers[]/image
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
   - image: foo
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
   - image: bar
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "failure to set field on array entry with sequence hint in path",
-		fieldSpec: `
+		"failure to set field on array entry with sequence hint in path": {
+			fieldSpec: `
 path: spec/containers[]/image
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 spec:
   containers: []
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "failure to set field on array entry, no sequence hint in path",
-		fieldSpec: `
+
+		"failure to set field on array entry, no sequence hint in path": {
+			fieldSpec: `
 path: spec/containers/image
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 spec:
   containers:
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "filedname with slash '/'",
-		fieldSpec: `
+		"fieldname with slash '/'": {
+			fieldSpec: `
 path: a/b\/c/d
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 a:
   b/c:
     d: foo
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 a:
   b/c:
     d: bar
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-	{
-		name: "filedname with multiple '/'",
-		fieldSpec: `
+		"fieldname with multiple '/'": {
+			fieldSpec: `
 path: a/b\/c/d\/e/f
 version: v1
 kind: Bar
 `,
-		input: `
+			input: `
 apiVersion: v1
 kind: Bar
 a:
@@ -475,7 +501,7 @@ a:
     d/e:
       f: foo
 `,
-		expected: `
+			expected: `
 apiVersion: v1
 kind: Bar
 a:
@@ -483,25 +509,24 @@ a:
     d/e:
       f: bar
 `,
-		filter: fieldspec.Filter{
-			SetValue:   filtersutil.SetScalar("bar"),
-			CreateKind: yaml.ScalarNode,
+			filter: fieldspec.Filter{
+				SetValue:   filtersutil.SetScalar("bar"),
+				CreateKind: yaml.ScalarNode,
+			},
 		},
-	},
-}
+	}
 
-func TestFilter_Filter(t *testing.T) {
-	for i := range tests {
-		test := tests[i]
-		t.Run(test.name, func(t *testing.T) {
-			err := yaml.Unmarshal([]byte(test.fieldSpec), &test.filter.FieldSpec)
+	for n := range testCases {
+		tc := testCases[n]
+		t.Run(n, func(t *testing.T) {
+			err := yaml.Unmarshal([]byte(tc.fieldSpec), &tc.filter.FieldSpec)
 			if !assert.NoError(t, err) {
 				t.FailNow()
 			}
 
 			out := &bytes.Buffer{}
 			rw := &kio.ByteReadWriter{
-				Reader:                bytes.NewBufferString(test.input),
+				Reader:                bytes.NewBufferString(tc.input),
 				Writer:                out,
 				OmitReaderAnnotations: true,
 			}
@@ -509,11 +534,11 @@ func TestFilter_Filter(t *testing.T) {
 			// run the filter
 			err = kio.Pipeline{
 				Inputs:  []kio.Reader{rw},
-				Filters: []kio.Filter{kio.FilterAll(test.filter)},
+				Filters: []kio.Filter{kio.FilterAll(tc.filter)},
 				Outputs: []kio.Writer{rw},
 			}.Execute()
-			if test.error != "" {
-				if !assert.EqualError(t, err, test.error) {
+			if tc.error != "" {
+				if !assert.EqualError(t, err, tc.error) {
 					t.FailNow()
 				}
 				// stop rest of test
@@ -526,10 +551,92 @@ func TestFilter_Filter(t *testing.T) {
 
 			// check results
 			if !assert.Equal(t,
-				strings.TrimSpace(test.expected),
+				strings.TrimSpace(tc.expected),
 				strings.TrimSpace(out.String())) {
 				t.FailNow()
 			}
 		})
 	}
 }
+
+func TestFilter_FieldPaths(t *testing.T) {
+	testCases := map[string]struct {
+		input     string
+		fieldSpec string
+		expected  []string
+	}{
+		"fieldpath containing SequenceNode": {
+			input: `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+spec:
+  containers:
+  - name: store
+    image: redis:6.2.6
+  - name: server
+    image: nginx:latest
+`,
+			fieldSpec: `
+path: spec/containers[]/image
+kind: Pod
+`,
+			expected: []string{
+				"spec.containers.image",
+				"spec.containers.image",
+			},
+		},
+		"fieldpath with MappingNode": {
+			input: `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: app
+spec:
+  containers:
+  - name: store
+    image: redis:6.2.6
+  - name: server
+    image: nginx:latest
+`,
+			fieldSpec: `
+path: metadata/name
+kind: Pod
+`,
+			expected: []string{
+				"metadata.name",
+			},
+		},
+	}
+	for name, tc := range testCases {
+		var fieldPaths []string
+		trackableSetter := filtersutil.TrackableSetter{}
+		trackableSetter.WithMutationTracker(func(key, value, tag string, node *yaml.RNode) {
+			fieldPaths = append(fieldPaths, strings.Join(node.FieldPath(), "."))
+		})
+		filter := fieldspec.Filter{
+			SetValue: trackableSetter.SetScalar("foo"),
+		}
+
+		t.Run(name, func(t *testing.T) {
+			err := yaml.Unmarshal([]byte(tc.fieldSpec), &filter.FieldSpec)
+			assert.NoError(t, err)
+			rw := &kio.ByteReadWriter{
+				Reader:                bytes.NewBufferString(tc.input),
+				Writer:                &bytes.Buffer{},
+				OmitReaderAnnotations: true,
+			}
+
+			// run the filter
+			err = kio.Pipeline{
+				Inputs:  []kio.Reader{rw},
+				Filters: []kio.Filter{kio.FilterAll(filter)},
+				Outputs: []kio.Writer{rw},
+			}.Execute()
+
+			assert.NoError(t, err)
+			assert.Equal(t, tc.expected, fieldPaths)
+		})
+	}
+}

api/filters/fieldspec/gvk.go

@@ -1,49 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-package fieldspec
-
-import (
-	"strings"
-
-	"sigs.k8s.io/kustomize/api/resid"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-// Return true for 'v' followed by a 1 or 2, and don't look at rest.
-// I.e. 'v1', 'v1beta1', 'v2', would return true.
-func looksLikeACoreApiVersion(s string) bool {
-	if len(s) < 2 {
-		return false
-	}
-	if s[0:1] != "v" {
-		return false
-	}
-	return s[1:2] == "1" || s[1:2] == "2"
-}
-
-// parseGV parses apiVersion field into group and version.
-func parseGV(apiVersion string) (group, version string) {
-	// parse the group and version from the apiVersion field
-	parts := strings.SplitN(apiVersion, "/", 2)
-	group = parts[0]
-	if len(parts) > 1 {
-		version = parts[1]
-	}
-	// Special case the original "apiVersion" of what
-	// we now call the "core" (empty) group.
-	if version == "" && looksLikeACoreApiVersion(group) {
-		version = group
-		group = ""
-	}
-	return
-}
-
-// GetGVK parses the metadata into a GVK
-func GetGVK(meta yaml.ResourceMeta) resid.Gvk {
-	group, version := parseGV(meta.APIVersion)
-	return resid.Gvk{
-		Group:   group,
-		Version: version,
-		Kind:    meta.Kind,
-	}
-}

api/filters/fieldspec/gvk_test.go

@@ -1,156 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-package fieldspec
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/resid"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
-)
-
-func TestParseGV(t *testing.T) {
-	testCases := map[string]struct {
-		input           string
-		expectedGroup   string
-		expectedVersion string
-	}{
-		"empty": {
-			input:           "",
-			expectedGroup:   "",
-			expectedVersion: "",
-		},
-		"certSigning": {
-			input:           "certificates.k8s.io/v1beta1",
-			expectedGroup:   "certificates.k8s.io",
-			expectedVersion: "v1beta1",
-		},
-		"extensions": {
-			input:           "extensions/v1beta1",
-			expectedGroup:   "extensions",
-			expectedVersion: "v1beta1",
-		},
-		"normal": {
-			input:           "apps/v1",
-			expectedGroup:   "apps",
-			expectedVersion: "v1",
-		},
-		"justApps": {
-			input:           "apps",
-			expectedGroup:   "apps",
-			expectedVersion: "",
-		},
-		"coreV1": {
-			input:           "v1",
-			expectedGroup:   "",
-			expectedVersion: "v1",
-		},
-		"coreV2": {
-			input:           "v2",
-			expectedGroup:   "",
-			expectedVersion: "v2",
-		},
-		"coreV2Beta1": {
-			input:           "v2beta1",
-			expectedGroup:   "",
-			expectedVersion: "v2beta1",
-		},
-	}
-
-	for tn, tc := range testCases {
-		t.Run(tn, func(t *testing.T) {
-			group, version := parseGV(tc.input)
-			if !assert.Equal(t, tc.expectedGroup, group) {
-				t.FailNow()
-			}
-			if !assert.Equal(t, tc.expectedVersion, version) {
-				t.FailNow()
-			}
-		})
-	}
-}
-
-func TestGetGVK(t *testing.T) {
-	testCases := map[string]struct {
-		input      string
-		expected   resid.Gvk
-		parseError string
-		metaError  string
-	}{
-		"empty": {
-			input: `
-`,
-			parseError: "EOF",
-		},
-		"junk": {
-			input: `
-congress: effective
-`,
-			metaError: "missing Resource metadata",
-		},
-		"normal": {
-			input: `
-apiVersion: apps/v1
-kind: Deployment
-`,
-			expected: resid.Gvk{Group: "apps", Version: "v1", Kind: "Deployment"},
-		},
-		"apiVersionOnlyWithSlash": {
-			input: `
-apiVersion: apps/v1
-`,
-			expected: resid.Gvk{Group: "apps", Version: "v1", Kind: ""},
-		},
-		"apiVersionOnlyNoSlash1": {
-			input: `
-apiVersion: apps
-`,
-			expected: resid.Gvk{Group: "apps", Version: "", Kind: ""},
-		},
-		"apiVersionOnlyNoSlash2": {
-			input: `
-apiVersion: v1
-`,
-			expected: resid.Gvk{Group: "", Version: "v1", Kind: ""},
-		},
-	}
-
-	for tn, tc := range testCases {
-		t.Run(tn, func(t *testing.T) {
-			obj, err := yaml.Parse(tc.input)
-			if len(tc.parseError) != 0 {
-				if err == nil {
-					t.Error("expected parse error")
-					return
-				}
-				if !strings.Contains(err.Error(), tc.parseError) {
-					t.Errorf("expected parse err '%s', got '%v'", tc.parseError, err)
-				}
-				return
-			}
-			if !assert.NoError(t, err) {
-				t.FailNow()
-			}
-			meta, err := obj.GetMeta()
-			if len(tc.metaError) != 0 {
-				if err == nil {
-					t.Error("expected meta error")
-					return
-				}
-				if !strings.Contains(err.Error(), tc.metaError) {
-					t.Errorf("expected meta err '%s', got '%v'", tc.metaError, err)
-				}
-				return
-			}
-			if !assert.NoError(t, err) {
-				t.FailNow()
-			}
-			gvk := GetGVK(meta)
-			if !assert.Equal(t, tc.expected, gvk) {
-				t.FailNow()
-			}
-		})
-	}
-}

api/filters/filtersutil/setters.go

@@ -31,3 +31,39 @@ func SetEntry(key, value, tag string) SetFn {
 		})
 	}
 }
+
+type TrackableSetter struct {
+	// SetValueCallback will be invoked each time a field is set
+	setValueCallback func(key, value, tag string, node *yaml.RNode)
+}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (s *TrackableSetter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	s.setValueCallback = callback
+}
+
+// SetScalar returns a SetFn to set a scalar value
+// if a mutation tracker has been registered, the tracker will be invoked each
+// time a scalar is set
+func (s TrackableSetter) SetScalar(value string) SetFn {
+	origSetScalar := SetScalar(value)
+	return func(node *yaml.RNode) error {
+		if s.setValueCallback != nil {
+			s.setValueCallback("", value, "", node)
+		}
+		return origSetScalar(node)
+	}
+}
+
+// SetEntry returns a SetFn to set an entry in a map
+// if a mutation tracker has been registered, the tracker will be invoked each
+// time an entry is set
+func (s TrackableSetter) SetEntry(key, value, tag string) SetFn {
+	origSetEntry := SetEntry(key, value, tag)
+	return func(node *yaml.RNode) error {
+		if s.setValueCallback != nil {
+			s.setValueCallback(key, value, tag, node)
+		}
+		return origSetEntry(node)
+	}
+}

api/filters/iampolicygenerator/doc.go

@@ -0,0 +1,3 @@
+// Package gkesagenerator contains a kio.Filter that that generates a
+// iampolicy-related resources for a given cloud provider
+package iampolicygenerator

api/filters/iampolicygenerator/example_test.go

@@ -0,0 +1,46 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func ExampleFilter() {
+	f := Filter{}
+	var err = yaml.Unmarshal([]byte(`
+cloud: gke
+kubernetesService: 
+  namespace: k8s-namespace
+  name: k8s-sa-name
+serviceAccount:
+  name: gsa-name
+  projectId: project-id
+`), &f)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = kio.Pipeline{
+		Inputs:  []kio.Reader{},
+		Filters: []kio.Filter{f},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: v1
+	// kind: ServiceAccount
+	// metadata:
+	//   annotations:
+	//     iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+	//   name: k8s-sa-name
+	//   namespace: k8s-namespace
+}

api/filters/iampolicygenerator/iampolicygenerator.go

@@ -0,0 +1,55 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
+
+// Filter adds a GKE service account object to nodes
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	switch f.IAMPolicyGenerator.Cloud {
+	case types.GKE:
+		IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
+		if err != nil {
+			return nil, err
+		}
+		nodes = append(nodes, IAMPolicyResources...)
+	default:
+		return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
+	}
+	return nodes, nil
+}
+
+func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	input := fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
+  name: %s
+`, f.IAMPolicyGenerator.ServiceAccount.Name,
+		f.IAMPolicyGenerator.ProjectId,
+		f.IAMPolicyGenerator.KubernetesService.Name)
+
+	if f.IAMPolicyGenerator.Namespace != "" {
+		input = input + fmt.Sprintf("\n  namespace: %s", f.IAMPolicyGenerator.Namespace)
+	}
+
+	sa, err := yaml.Parse(input)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(result, sa), nil
+}

api/filters/iampolicygenerator/iampolicygenerator_test.go

@@ -0,0 +1,75 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+func TestFilter(t *testing.T) {
+	testCases := map[string]struct {
+		args     types.IAMPolicyGeneratorArgs
+		expected string
+	}{
+		"with namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Namespace: "k8s-namespace",
+					Name:      "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+  namespace: k8s-namespace
+`,
+		},
+		"without namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Name: "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+`,
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			f := Filter{
+				IAMPolicyGenerator: tc.args,
+			}
+			actual := filtertest.RunFilter(t, "", f)
+			if !assert.Equal(t, strings.TrimSpace(tc.expected), strings.TrimSpace(actual)) {
+				t.FailNow()
+			}
+		})
+	}
+}

api/filters/imagetag/imagetag.go

@@ -23,9 +23,17 @@ type Filter struct {
 	// FsSlice contains the FieldSpecs to locate an image field,
 	// e.g. Path: "spec/myContainers[]/image"
 	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
 
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	_, err := kio.FilterAll(yaml.FilterFunc(f.filter)).Filter(nodes)
@@ -40,8 +48,11 @@ func (f Filter) filter(node *yaml.RNode) (*yaml.RNode, error) {
 		return node, nil
 	}
 	if err := node.PipeE(fsslice.Filter{
-		FsSlice:  f.FsSlice,
-		SetValue: updateImageTagFn(f.ImageTag),
+		FsSlice: f.FsSlice,
+		SetValue: imageTagUpdater{
+			ImageTag:        f.ImageTag,
+			trackableSetter: f.trackableSetter,
+		}.SetImageValue,
 	}); err != nil {
 		return nil, err
 	}
@@ -59,11 +70,3 @@ func (f Filter) isOnDenyList(node *yaml.RNode) bool {
 	// https://github.com/kubernetes-sigs/kustomize/issues/890
 	return meta.Kind == `CustomResourceDefinition`
 }
-
-func updateImageTagFn(imageTag types.Image) filtersutil.SetFn {
-	return func(node *yaml.RNode) error {
-		return node.PipeE(imageTagUpdater{
-			ImageTag: imageTag,
-		})
-	}
-}

api/filters/imagetag/imagetag_test.go

@@ -10,14 +10,18 @@ import (
 	"github.com/stretchr/testify/assert"
 	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 func TestImageTagUpdater_Filter(t *testing.T) {
+	mutationTrackerStub := filtertest.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input          string
-		expectedOutput string
-		filter         Filter
-		fsSlice        types.FsSlice
+		input                string
+		expectedOutput       string
+		filter               Filter
+		fsSlice              types.FsSlice
+		setValueCallback     func(key, value, tag string, node *yaml.RNode)
+		expectedSetValueArgs []filtertest.SetValueArg
 	}{
 		"ignore CustomResourceDefinition": {
 			input: `
@@ -658,17 +662,108 @@ spec:
 				},
 			},
 		},
+		"mutation tracker": {
+			input: `
+group: apps
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: deploy1
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:1.7.9
+        name: nginx-tagged
+      - image: nginx:latest
+        name: nginx-latest
+      - image: foobar:1
+        name: replaced-with-digest
+      - image: postgres:1.8.0
+        name: postgresdb
+      initContainers:
+      - image: nginx
+        name: nginx-notag
+      - image: nginx@sha256:111111111111111111
+        name: nginx-sha256
+      - image: alpine:1.8.0
+        name: init-alpine
+`,
+			expectedOutput: `
+group: apps
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: deploy1
+spec:
+  template:
+    spec:
+      containers:
+      - image: busybox:v3
+        name: nginx-tagged
+      - image: busybox:v3
+        name: nginx-latest
+      - image: foobar:1
+        name: replaced-with-digest
+      - image: postgres:1.8.0
+        name: postgresdb
+      initContainers:
+      - image: busybox:v3
+        name: nginx-notag
+      - image: busybox:v3
+        name: nginx-sha256
+      - image: alpine:1.8.0
+        name: init-alpine
+`,
+			filter: Filter{
+				ImageTag: types.Image{
+					Name:    "nginx",
+					NewName: "busybox",
+					NewTag:  "v3",
+				},
+			},
+			fsSlice: []types.FieldSpec{
+				{
+					Path: "spec/template/spec/containers[]/image",
+				},
+				{
+					Path: "spec/template/spec/initContainers[]/image",
+				},
+			},
+			setValueCallback: mutationTrackerStub.MutationTracker,
+			expectedSetValueArgs: []filtertest.SetValueArg{
+				{
+					Value:    "busybox:v3",
+					NodePath: []string{"spec", "template", "spec", "containers", "image"},
+				},
+				{
+					Value:    "busybox:v3",
+					NodePath: []string{"spec", "template", "spec", "containers", "image"},
+				},
+				{
+					Value:    "busybox:v3",
+					NodePath: []string{"spec", "template", "spec", "initContainers", "image"},
+				},
+				{
+					Value:    "busybox:v3",
+					NodePath: []string{"spec", "template", "spec", "initContainers", "image"},
+				},
+			},
+		},
 	}
 
 	for tn, tc := range testCases {
+		mutationTrackerStub.Reset()
 		t.Run(tn, func(t *testing.T) {
 			filter := tc.filter
+			filter.WithMutationTracker(tc.setValueCallback)
 			filter.FsSlice = tc.fsSlice
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest.RunFilter(t, tc.input, filter))) {
 				t.FailNow()
 			}
+			assert.Equal(t, tc.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }

api/filters/imagetag/legacy.go

@@ -4,6 +4,7 @@
 package imagetag
 
 import (
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -74,7 +75,7 @@ func (f findFieldsFilter) walk(node *yaml.RNode) error {
 				return err
 			}
 			key := n.Key.YNode().Value
-			if contains(f.fields, key) {
+			if utils.StringSliceContains(f.fields, key) {
 				return f.fieldCallback(n.Value)
 			}
 			return nil
@@ -87,15 +88,6 @@ func (f findFieldsFilter) walk(node *yaml.RNode) error {
 	return nil
 }
 
-func contains(slice []string, str string) bool {
-	for _, s := range slice {
-		if s == str {
-			return true
-		}
-	}
-	return false
-}
-
 func checkImageTagsFn(imageTag types.Image) fieldCallback {
 	return func(node *yaml.RNode) error {
 		if node.YNode().Kind != yaml.SequenceNode {

api/filters/imagetag/updater.go

@@ -4,6 +4,7 @@
 package imagetag
 
 import (
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 	"sigs.k8s.io/kustomize/api/image"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -13,19 +14,20 @@ import (
 // that will update the value of the yaml node based on the provided
 // ImageTag if the current value matches the format of an image reference.
 type imageTagUpdater struct {
-	Kind     string      `yaml:"kind,omitempty"`
-	ImageTag types.Image `yaml:"imageTag,omitempty"`
+	Kind            string      `yaml:"kind,omitempty"`
+	ImageTag        types.Image `yaml:"imageTag,omitempty"`
+	trackableSetter filtersutil.TrackableSetter
 }
 
-func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
+func (u imageTagUpdater) SetImageValue(rn *yaml.RNode) error {
 	if err := yaml.ErrorIfInvalid(rn, yaml.ScalarNode); err != nil {
-		return nil, err
+		return err
 	}
 
 	value := rn.YNode().Value
 
 	if !image.IsImageMatched(value, u.ImageTag.Name) {
-		return rn, nil
+		return nil
 	}
 
 	name, tag := image.Split(value)
@@ -39,5 +41,12 @@ func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
 		tag = "@" + u.ImageTag.Digest
 	}
 
-	return rn.Pipe(yaml.FieldSetter{StringValue: name + tag})
+	return u.trackableSetter.SetScalar(name + tag)(rn)
+}
+
+func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) {
+	if err := u.SetImageValue(rn); err != nil {
+		return nil, err
+	}
+	return rn, nil
 }

api/filters/labels/labels.go

@@ -20,9 +20,17 @@ type Filter struct {
 
 	// FsSlice identifies the label fields.
 	FsSlice types.FsSlice
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
 
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	keys := yaml.SortedMapKeys(f.Labels)
@@ -31,7 +39,7 @@ func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 			for _, k := range keys {
 				if err := node.PipeE(fsslice.Filter{
 					FsSlice: f.FsSlice,
-					SetValue: filtersutil.SetEntry(
+					SetValue: f.trackableSetter.SetEntry(
 						k, f.Labels[k], yaml.NodeTagString),
 					CreateKind: yaml.MappingNode, // Labels are MappingNodes.
 					CreateTag:  yaml.NodeTagMap,

api/filters/labels/labels_test.go

@@ -8,16 +8,20 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/resid"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 func TestLabels_Filter(t *testing.T) {
+	mutationTrackerStub := filtertest_test.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input          string
-		expectedOutput string
-		filter         Filter
+		input                string
+		expectedOutput       string
+		filter               Filter
+		setEntryCallback     func(key, value, tag string, node *yaml.RNode)
+		expectedSetEntryArgs []filtertest_test.SetValueArg
 	}{
 		"add": {
 			input: `
@@ -399,15 +403,74 @@ metadata:
 				},
 			},
 		},
+
+		// test usage of SetEntryCallback
+		"set_entry_callback": {
+			input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+  labels:
+    witcher: geralt
+`,
+			expectedOutput: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+  labels:
+    witcher: geralt
+    mage: yennefer
+a:
+  b:
+    mage: yennefer
+`,
+			filter: Filter{
+				Labels: labelMap{
+					"mage": "yennefer",
+				},
+				FsSlice: []types.FieldSpec{
+					{
+						Path:               "metadata/labels",
+						CreateIfNotPresent: true,
+					},
+					{
+						Path:               "a/b",
+						CreateIfNotPresent: true,
+					},
+				},
+			},
+			setEntryCallback: mutationTrackerStub.MutationTracker,
+			expectedSetEntryArgs: []filtertest_test.SetValueArg{
+				{
+					Key:      "mage",
+					Value:    "yennefer",
+					Tag:      "!!str",
+					NodePath: []string{"metadata", "labels"},
+				},
+				{
+					Key:      "mage",
+					Value:    "yennefer",
+					Tag:      "!!str",
+					NodePath: []string{"a", "b"},
+				},
+			},
+		},
 	}
 
 	for tn, tc := range testCases {
+		mutationTrackerStub.Reset()
 		t.Run(tn, func(t *testing.T) {
+			tc.filter.WithMutationTracker(tc.setEntryCallback)
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expectedOutput),
 				strings.TrimSpace(filtertest_test.RunFilter(t, tc.input, tc.filter))) {
 				t.FailNow()
 			}
+			if !assert.Equal(t, tc.expectedSetEntryArgs, mutationTrackerStub.SetValueArgs()) {
+				t.FailNow()
+			}
 		})
 	}
 }

api/filters/nameref/nameref.go

@@ -1,34 +1,40 @@
 package nameref
 
 import (
-	"encoding/json"
 	"fmt"
 	"strings"
 
+	"github.com/pkg/errors"
 	"sigs.k8s.io/kustomize/api/filters/fieldspec"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
-	kyaml_filtersutil "sigs.k8s.io/kustomize/kyaml/filtersutil"
 	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 // Filter updates a name references.
 type Filter struct {
-	// Referrer is the object that refers to something else by a name,
-	// a name that this filter seeks to update.
+	// Referrer refers to another resource X by X's name.
+	// E.g. A Deployment can refer to a ConfigMap.
+	// The Deployment is the Referrer,
+	// the ConfigMap is the ReferralTarget.
+	// This filter seeks to repair the reference in Deployment, given
+	// that the ConfigMap's name may have changed.
 	Referrer *resource.Resource
 
-	// NameFieldToUpdate is the field in the Referrer that holds the
-	// name requiring an update.
-	NameFieldToUpdate types.FieldSpec `json:"nameFieldToUpdate,omitempty" yaml:"nameFieldToUpdate,omitempty"`
+	// NameFieldToUpdate is the field in the Referrer
+	// that holds the name requiring an update.
+	// This is the field to write.
+	NameFieldToUpdate types.FieldSpec
 
-	// Source of the new value for the name (in its name field).
+	// ReferralTarget is the source of the new value for
+	// the name, always in the 'metadata/name' field.
+	// This is the field to read.
 	ReferralTarget resid.Gvk
 
-	// Set of resources to hunt through to find the ReferralTarget.
+	// Set of resources to scan to find the ReferralTarget.
 	ReferralCandidates resmap.ResMap
 }
 
@@ -38,18 +44,32 @@ func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
 }
 
-// The node passed in here is the same node as held in Referrer, and
+// The node passed in here is the same node as held in Referrer;
 // that's how the referrer's name field is updated.
-// However, this filter still needs the extra methods on Referrer
+// Currently, however, this filter still needs the extra methods on Referrer
 // to consult things like the resource Id, its namespace, etc.
+// TODO(3455): No filter should use the Resource api; all information
+// about names should come from annotations, with helper methods
+// on the RNode object.  Resource should get stupider, RNode smarter.
 func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
-	err := node.PipeE(fieldspec.Filter{
+	if err := f.confirmNodeMatchesReferrer(node); err != nil {
+		// sanity check.
+		return nil, err
+	}
+	f.NameFieldToUpdate.Gvk = f.Referrer.GetGvk()
+	if err := node.PipeE(fieldspec.Filter{
 		FieldSpec: f.NameFieldToUpdate,
 		SetValue:  f.set,
-	})
-	return node, err
+	}); err != nil {
+		return nil, errors.Wrapf(
+			err, "updating name reference in '%s' field of '%s'",
+			f.NameFieldToUpdate.Path, f.Referrer.CurId().String())
+	}
+	return node, nil
 }
 
+// This function is called on the node found at FieldSpec.Path.
+// It's some node in the Referrer.
 func (f Filter) set(node *yaml.RNode) error {
 	if yaml.IsMissingOrNull(node) {
 		return nil
@@ -65,100 +85,107 @@ func (f Filter) set(node *yaml.RNode) error {
 			setMappingFn: f.setMapping,
 		}, node)
 	default:
-		return fmt.Errorf(
-			"node is expected to be either a string or a slice of string or a map of string")
+		return fmt.Errorf("node must be a scalar, sequence or map")
 	}
 }
 
-// Replace name field within a map RNode and leverage the namespace field.
+// This method used when NameFieldToUpdate doesn't lead to
+// one scalar field (typically called 'name'), but rather
+// leads to a map field (called anything). In this case we
+// must complete the field path, looking for both  a 'name'
+// and a 'namespace' field to help select the proper
+// ReferralTarget to read the name and namespace from.
 func (f Filter) setMapping(node *yaml.RNode) error {
 	if node.YNode().Kind != yaml.MappingNode {
 		return fmt.Errorf("expect a mapping node")
 	}
 	nameNode, err := node.Pipe(yaml.FieldMatcher{Name: "name"})
-	if err != nil || nameNode == nil {
-		return fmt.Errorf("cannot find field 'name' in node")
-	}
-	namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"})
 	if err != nil {
-		return fmt.Errorf("error when find field 'namespace'")
+		return errors.Wrap(err, "trying to match 'name' field")
 	}
-
-	// name will not be updated if the namespace doesn't match
-	subset := f.ReferralCandidates.Resources()
-	if namespaceNode != nil {
-		namespace := namespaceNode.YNode().Value
-		bynamespace := f.ReferralCandidates.GroupedByOriginalNamespace()
-		if _, ok := bynamespace[namespace]; !ok {
-			bynamespace = f.ReferralCandidates.GroupedByCurrentNamespace()
-			if _, ok := bynamespace[namespace]; !ok {
-				return nil
-			}
-		}
-		subset = bynamespace[namespace]
+	if nameNode == nil {
+		// This is a _configuration_ error; the field path
+		// specified in NameFieldToUpdate.Path doesn't resolve
+		// to a map with a 'name' field, so we have no idea what
+		// field to update with a new name.
+		return fmt.Errorf("path config error; no 'name' field in node")
 	}
-
-	oldName := nameNode.YNode().Value
-	res, err := f.selectReferral(oldName, subset)
-	if err != nil || res == nil {
-		// Nil res means nothing to do.
+	candidates, err := f.filterMapCandidatesByNamespace(node)
+	if err != nil {
 		return err
 	}
-	f.recordTheReferral(res)
-	if res.GetName() == oldName && res.GetNamespace() == "" {
+	oldName := nameNode.YNode().Value
+	referral, err := f.selectReferral(oldName, candidates)
+	if err != nil || referral == nil {
+		// Nil referral means nothing to do.
+		return err
+	}
+	f.recordTheReferral(referral)
+	if referral.GetName() == oldName && referral.GetNamespace() == "" {
 		// The name has not changed, nothing to do.
 		return nil
 	}
-	err = node.PipeE(yaml.FieldSetter{
+	if err = node.PipeE(yaml.FieldSetter{
 		Name:        "name",
-		StringValue: res.GetName(),
-	})
-	if err != nil {
+		StringValue: referral.GetName(),
+	}); err != nil {
 		return err
 	}
-	if res.GetNamespace() != "" {
-		// We don't want value "" to replace value "default" since
-		// the empty string is handled as a wild card here not default namespace
-		// by kubernetes.
-		err = node.PipeE(yaml.FieldSetter{
-			Name:        "namespace",
-			StringValue: res.GetNamespace(),
-		})
+	if referral.GetNamespace() == "" {
+		// Don't write an empty string into the namespace field, as
+		// it should not replace the value "default".  The empty
+		// string is handled as a wild card here, not as an implicit
+		// specification of the "default" k8s namespace.
+		return nil
 	}
-	return err
+	return node.PipeE(yaml.FieldSetter{
+		Name:        "namespace",
+		StringValue: referral.GetNamespace(),
+	})
+}
+
+func (f Filter) filterMapCandidatesByNamespace(
+	node *yaml.RNode) ([]*resource.Resource, error) {
+	namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"})
+	if err != nil {
+		return nil, errors.Wrap(err, "trying to match 'namespace' field")
+	}
+	if namespaceNode == nil {
+		return f.ReferralCandidates.Resources(), nil
+	}
+	namespace := namespaceNode.YNode().Value
+	nsMap := f.ReferralCandidates.GroupedByOriginalNamespace()
+	if candidates, ok := nsMap[namespace]; ok {
+		return candidates, nil
+	}
+	nsMap = f.ReferralCandidates.GroupedByCurrentNamespace()
+	// This could be nil, or an empty list.
+	return nsMap[namespace], nil
 }
 
 func (f Filter) setScalar(node *yaml.RNode) error {
-	res, err := f.selectReferral(
+	referral, err := f.selectReferral(
 		node.YNode().Value, f.ReferralCandidates.Resources())
-	if err != nil || res == nil {
-		// Nil res means nothing to do.
+	if err != nil || referral == nil {
+		// Nil referral means nothing to do.
 		return err
 	}
-	f.recordTheReferral(res)
-	if res.GetName() == node.YNode().Value {
+	f.recordTheReferral(referral)
+	if referral.GetName() == node.YNode().Value {
 		// The name has not changed, nothing to do.
 		return nil
 	}
-	return node.PipeE(yaml.FieldSetter{StringValue: res.GetName()})
+	return node.PipeE(yaml.FieldSetter{StringValue: referral.GetName()})
 }
 
-// In the resource, make a note that it is referred to by the referrer.
-func (f Filter) recordTheReferral(res *resource.Resource) {
-	res.AppendRefBy(f.Referrer.CurId())
-}
-
-func (f Filter) isRoleRef() bool {
-	return strings.HasSuffix(f.NameFieldToUpdate.Path, "roleRef/name")
+// In the resource, make a note that it is referred to by the Referrer.
+func (f Filter) recordTheReferral(referral *resource.Resource) {
+	referral.AppendRefBy(f.Referrer.CurId())
 }
 
 // getRoleRefGvk returns a Gvk in the roleRef field. Return error
 // if the roleRef, roleRef/apiGroup or roleRef/kind is missing.
-func getRoleRefGvk(res json.Marshaler) (*resid.Gvk, error) {
-	n, err := kyaml_filtersutil.GetRNode(res)
-	if err != nil {
-		return nil, err
-	}
+func getRoleRefGvk(n *resource.Resource) (*resid.Gvk, error) {
 	roleRef, err := n.Pipe(yaml.Lookup("roleRef"))
 	if err != nil {
 		return nil, err
@@ -188,82 +215,182 @@ func getRoleRefGvk(res json.Marshaler) (*resid.Gvk, error) {
 	}, nil
 }
 
-func (f Filter) filterReferralCandidates(
-	matches []*resource.Resource) []*resource.Resource {
-	var ret []*resource.Resource
-	for _, m := range matches {
-		// If target kind is not ServiceAccount, we shouldn't consider condidates which
-		// doesn't have same namespace.
-		if f.ReferralTarget.Kind != "ServiceAccount" &&
-			m.GetNamespace() != f.Referrer.GetNamespace() {
-			continue
+// sieveFunc returns true if the resource argument satisfies some criteria.
+type sieveFunc func(*resource.Resource) bool
+
+// doSieve uses a function to accept or ignore resources from a list.
+// If list is nil, returns immediately.
+// It's a filter obviously, but that term is overloaded here.
+func doSieve(list []*resource.Resource, fn sieveFunc) (s []*resource.Resource) {
+	for _, r := range list {
+		if fn(r) {
+			s = append(s, r)
 		}
-		if !f.Referrer.PrefixesSuffixesEquals(m) {
-			continue
-		}
-		ret = append(ret, m)
 	}
-	return ret
+	return
 }
 
-// selectReferral picks the referral among a subset of candidates.
-// The content of the candidateSubset slice is most of the time
-// identical to the ReferralCandidates resmap. Still in some cases, such
-// as ClusterRoleBinding, the subset only contains the resources of a specific
-// namespace.
+func acceptAll(r *resource.Resource) bool {
+	return true
+}
+
+func previousNameMatches(name string) sieveFunc {
+	return func(r *resource.Resource) bool {
+		for _, id := range r.PrevIds() {
+			if id.Name == name {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func previousIdSelectedByGvk(gvk *resid.Gvk) sieveFunc {
+	return func(r *resource.Resource) bool {
+		for _, id := range r.PrevIds() {
+			if id.IsSelected(gvk) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// If the we are updating a 'roleRef/name' field, the 'apiGroup' and 'kind'
+// fields in the same 'roleRef' map must be considered.
+// If either object is cluster-scoped, there can be a referral.
+// E.g. a RoleBinding (which exists in a namespace) can refer
+// to a ClusterRole (cluster-scoped) object.
+// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
+// Likewise, a ClusterRole can refer to a Secret (in a namespace).
+// Objects in different namespaces generally cannot refer to other
+// with some exceptions (e.g. RoleBinding and ServiceAccount are both
+// namespaceable, but the former can refer to accounts in other namespaces).
+func (f Filter) roleRefFilter() sieveFunc {
+	if !strings.HasSuffix(f.NameFieldToUpdate.Path, "roleRef/name") {
+		return acceptAll
+	}
+	roleRefGvk, err := getRoleRefGvk(f.Referrer)
+	if err != nil {
+		return acceptAll
+	}
+	return previousIdSelectedByGvk(roleRefGvk)
+}
+
+func prefixSuffixEquals(other resource.ResCtx) sieveFunc {
+	return func(r *resource.Resource) bool {
+		return r.PrefixesSuffixesEquals(other)
+	}
+}
+
+func (f Filter) sameCurrentNamespaceAsReferrer() sieveFunc {
+	referrerCurId := f.Referrer.CurId()
+	if referrerCurId.IsClusterScoped() {
+		// If the referrer is cluster-scoped, let anything through.
+		return acceptAll
+	}
+	return func(r *resource.Resource) bool {
+		if r.CurId().IsClusterScoped() {
+			// Allow cluster-scoped through.
+			return true
+		}
+		if r.GetKind() == "ServiceAccount" {
+			// Allow service accounts through, even though they
+			// are in a namespace.  A RoleBinding in another namespace
+			// can reference them.
+			return true
+		}
+		return referrerCurId.IsNsEquals(r.CurId())
+	}
+}
+
+// selectReferral picks the best referral from a list of candidates.
 func (f Filter) selectReferral(
+	// The name referral that may need to be updated.
 	oldName string,
-	candidateSubset []*resource.Resource) (*resource.Resource, error) {
-	var roleRefGvk *resid.Gvk
-	if f.isRoleRef() {
-		var err error
-		roleRefGvk, err = getRoleRefGvk(f.Referrer)
-		if err != nil {
-			return nil, err
-		}
+	candidates []*resource.Resource) (*resource.Resource, error) {
+	candidates = doSieve(candidates, previousNameMatches(oldName))
+	candidates = doSieve(candidates, previousIdSelectedByGvk(&f.ReferralTarget))
+	candidates = doSieve(candidates, f.roleRefFilter())
+	candidates = doSieve(candidates, f.sameCurrentNamespaceAsReferrer())
+	if len(candidates) == 1 {
+		return candidates[0], nil
 	}
-	for _, res := range candidateSubset {
-		if res.GetOriginalName() != oldName {
-			continue
-		}
-		id := res.OrgId()
-		if !id.IsSelected(&f.ReferralTarget) {
-			continue
-		}
-		// If the we are processing a roleRef, the apiGroup and Kind in the
-		// roleRef are needed to be considered.
-		if f.isRoleRef() && !id.IsSelected(roleRefGvk) {
-			continue
-		}
-		matches := f.ReferralCandidates.GetMatchingResourcesByOriginalId(id.Equals)
-		// If there's more than one match,
-		// filter the matches by prefix and suffix
-		if len(matches) > 1 {
-			filteredMatches := f.filterReferralCandidates(matches)
-			if len(filteredMatches) > 1 {
-				return nil, fmt.Errorf(
-					"multiple matches for %s:\n  %v",
-					id, getIds(filteredMatches))
-			}
-			// Check is the match the resource we are working on
-			if len(filteredMatches) == 0 || res != filteredMatches[0] {
-				continue
-			}
-		}
-		// In the resource, note that it is referenced
-		// by the referrer.
-		res.AppendRefBy(f.Referrer.CurId())
-		// Return transformed name of the object,
-		// complete with prefixes, hashes, etc.
-		return res, nil
+	candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer))
+	if len(candidates) == 1 {
+		return candidates[0], nil
 	}
-	return nil, nil
+	if len(candidates) == 0 {
+		return nil, nil
+	}
+	if allNamesAreTheSame(candidates) {
+		// Just take the first one.
+		return candidates[0], nil
+	}
+	ids := getIds(candidates)
+	f.failureDetails(candidates)
+	return nil, fmt.Errorf(" found multiple possible referrals: %s", ids)
 }
 
-func getIds(rs []*resource.Resource) []string {
+func (f Filter) failureDetails(resources []*resource.Resource) {
+	fmt.Printf(
+		"\n**** Too many possible referral targets to referrer:\n%s\n",
+		f.Referrer.MustYaml())
+	for i, r := range resources {
+		fmt.Printf(
+			"--- possible referral %d:\n%s", i, r.MustYaml())
+		fmt.Println("------")
+	}
+}
+
+func allNamesAreTheSame(resources []*resource.Resource) bool {
+	name := resources[0].GetName()
+	for i := 1; i < len(resources); i++ {
+		if name != resources[i].GetName() {
+			return false
+		}
+	}
+	return true
+}
+
+func getIds(rs []*resource.Resource) string {
 	var result []string
 	for _, r := range rs {
-		result = append(result, r.CurId().String()+"\n")
+		result = append(result, r.CurId().String())
 	}
-	return result
+	return strings.Join(result, ", ")
+}
+
+func checkEqual(k, a, b string) error {
+	if a != b {
+		return fmt.Errorf(
+			"node-referrerOriginal '%s' mismatch '%s' != '%s'",
+			k, a, b)
+	}
+	return nil
+}
+
+func (f Filter) confirmNodeMatchesReferrer(node *yaml.RNode) error {
+	meta, err := node.GetMeta()
+	if err != nil {
+		return err
+	}
+	gvk := f.Referrer.GetGvk()
+	if err = checkEqual(
+		"APIVersion", meta.APIVersion, gvk.ApiVersion()); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Kind", meta.Kind, gvk.Kind); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Name", meta.Name, f.Referrer.GetName()); err != nil {
+		return err
+	}
+	if err = checkEqual(
+		"Namespace", meta.Namespace, f.Referrer.GetNamespace()); err != nil {
+		return err
+	}
+	return nil
 }

api/filters/nameref/nameref_test.go

@@ -6,22 +6,22 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"sigs.k8s.io/kustomize/api/provider"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 func TestNamerefFilter(t *testing.T) {
 	testCases := map[string]struct {
-		input         string
-		candidates    string
-		expected      string
-		filter        Filter
-		originalNames []string
+		referrerOriginal string
+		candidates       string
+		referrerFinal    string
+		filter           Filter
+		originalNames    []string
 	}{
 		"simple scalar": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -40,8 +40,8 @@ kind: NotSecret
 metadata:
   name: newName2
 `,
-			originalNames: []string{"oldName", ""},
-			expected: `
+			originalNames: []string{"oldName", "newName2"},
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -59,7 +59,7 @@ ref:
 			},
 		},
 		"sequence": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -79,8 +79,8 @@ kind: NotSecret
 metadata:
   name: newName2
 `,
-			originalNames: []string{"oldName1", ""},
-			expected: `
+			originalNames: []string{"oldName1", "newName2"},
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -99,7 +99,7 @@ seq:
 			},
 		},
 		"mapping": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -118,8 +118,8 @@ kind: NotSecret
 metadata:
   name: newName2
 `,
-			originalNames: []string{"oldName", ""},
-			expected: `
+			originalNames: []string{"oldName", "newName2"},
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -137,36 +137,43 @@ map:
 			},
 		},
 		"mapping with namespace": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: dep
+  namespace: someNs
 map:
   name: oldName
-  namespace: oldNs
+  namespace: someNs
 `,
 			candidates: `
 apiVersion: apps/v1
 kind: Secret
 metadata:
   name: newName
-  namespace: oldNs
+  namespace: someNs
 ---
 apiVersion: apps/v1
 kind: NotSecret
 metadata:
   name: newName2
+---
+apiVersion: apps/v1
+kind: Secret
+metadata:
+  name: thirdName
 `,
-			originalNames: []string{"oldName", ""},
-			expected: `
+			originalNames: []string{"oldName", "oldName", "oldName"},
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: dep
+  namespace: someNs
 map:
   name: newName
-  namespace: oldNs
+  namespace: someNs
 `,
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "map"},
@@ -178,7 +185,7 @@ map:
 			},
 		},
 		"null value": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -197,8 +204,8 @@ kind: NotSecret
 metadata:
   name: newName2
 `,
-			originalNames: []string{"oldName", ""},
-			expected: `
+			originalNames: []string{"oldName", "newName2"},
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -220,13 +227,13 @@ map:
 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
 			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.input))
+			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
 			if err != nil {
 				t.Fatal(err)
 			}
 			tc.filter.Referrer = referrer
 
-			resMapFactory := resmap.NewFactory(factory, nil)
+			resMapFactory := resmap.NewFactory(factory)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -236,10 +243,10 @@ map:
 			candidates := resMapFactory.FromResourceSlice(candidatesRes)
 			tc.filter.ReferralCandidates = candidates
 
+			result := filtertest_test.RunFilter(t, tc.referrerOriginal, tc.filter)
 			if !assert.Equal(t,
-				strings.TrimSpace(tc.expected),
-				strings.TrimSpace(
-					filtertest_test.RunFilter(t, tc.input, tc.filter))) {
+				strings.TrimSpace(tc.referrerFinal),
+				strings.TrimSpace(result)) {
 				t.FailNow()
 			}
 		})
@@ -248,14 +255,14 @@ map:
 
 func TestNamerefFilterUnhappy(t *testing.T) {
 	testCases := map[string]struct {
-		input         string
-		candidates    string
-		expected      string
-		filter        Filter
-		originalNames []string
+		referrerOriginal string
+		candidates       string
+		referrerFinal    string
+		filter           Filter
+		originalNames    []string
 	}{
 		"multiple match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -275,7 +282,7 @@ metadata:
   name: newName2
 `,
 			originalNames: []string{"oldName", "oldName"},
-			expected:      "",
+			referrerFinal: "",
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
 				ReferralTarget: resid.Gvk{
@@ -286,7 +293,7 @@ metadata:
 			},
 		},
 		"no name": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -306,7 +313,7 @@ metadata:
   name: newName2
 `,
 			originalNames: []string{"oldName", "oldName"},
-			expected:      "",
+			referrerFinal: "",
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "ref"},
 				ReferralTarget: resid.Gvk{
@@ -321,13 +328,13 @@ metadata:
 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
 			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.input))
+			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
 			if err != nil {
 				t.Fatal(err)
 			}
 			tc.filter.Referrer = referrer
 
-			resMapFactory := resmap.NewFactory(factory, nil)
+			resMapFactory := resmap.NewFactory(factory)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -337,11 +344,11 @@ metadata:
 			candidates := resMapFactory.FromResourceSlice(candidatesRes)
 			tc.filter.ReferralCandidates = candidates
 
-			_, err = filtertest_test.RunFilterE(t, tc.input, tc.filter)
+			_, err = filtertest_test.RunFilterE(t, tc.referrerOriginal, tc.filter)
 			if err == nil {
 				t.Fatalf("expect an error")
 			}
-			if tc.expected != "" && !assert.EqualError(t, err, tc.expected) {
+			if tc.referrerFinal != "" && !assert.EqualError(t, err, tc.referrerFinal) {
 				t.FailNow()
 			}
 		})
@@ -350,19 +357,19 @@ metadata:
 
 func TestCandidatesWithDifferentPrefixSuffix(t *testing.T) {
 	testCases := map[string]struct {
-		input         string
-		candidates    string
-		expected      string
-		filter        Filter
-		originalNames []string
-		prefix        []string
-		suffix        []string
-		inputPrefix   string
-		inputSuffix   string
-		err           bool
+		referrerOriginal string
+		candidates       string
+		referrerFinal    string
+		filter           Filter
+		originalNames    []string
+		prefix           []string
+		suffix           []string
+		inputPrefix      string
+		inputSuffix      string
+		err              bool
 	}{
 		"prefix match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -386,7 +393,7 @@ metadata:
 			suffix:        []string{"", "suffix2"},
 			inputPrefix:   "prefix1",
 			inputSuffix:   "",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -405,7 +412,7 @@ ref:
 			err: false,
 		},
 		"suffix match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -429,7 +436,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "",
 			inputSuffix:   "suffix1",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -448,7 +455,7 @@ ref:
 			err: false,
 		},
 		"prefix suffix both match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -472,7 +479,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix1",
 			inputSuffix:   "suffix1",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -491,7 +498,7 @@ ref:
 			err: false,
 		},
 		"multiple match: both": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -515,7 +522,7 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			expected:      "",
+			referrerFinal: "",
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
 				ReferralTarget: resid.Gvk{
@@ -527,7 +534,7 @@ metadata:
 			err: true,
 		},
 		"multiple match: only prefix": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -551,7 +558,7 @@ metadata:
 			suffix:        []string{"", ""},
 			inputPrefix:   "prefix",
 			inputSuffix:   "",
-			expected:      "",
+			referrerFinal: "",
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
 				ReferralTarget: resid.Gvk{
@@ -563,7 +570,7 @@ metadata:
 			err: true,
 		},
 		"multiple match: only suffix": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -587,7 +594,7 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "",
 			inputSuffix:   "suffix",
-			expected:      "",
+			referrerFinal: "",
 			filter: Filter{
 				NameFieldToUpdate: types.FieldSpec{Path: "ref/name"},
 				ReferralTarget: resid.Gvk{
@@ -599,7 +606,7 @@ metadata:
 			err: true,
 		},
 		"no match: neither match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -623,7 +630,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -642,7 +649,7 @@ ref:
 			err: false,
 		},
 		"no match: prefix doesn't match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -666,7 +673,7 @@ metadata:
 			suffix:        []string{"suffix", "suffix"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -685,7 +692,7 @@ ref:
 			err: false,
 		},
 		"no match: suffix doesn't match": {
-			input: `
+			referrerOriginal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -709,7 +716,7 @@ metadata:
 			suffix:        []string{"suffix1", "suffix2"},
 			inputPrefix:   "prefix",
 			inputSuffix:   "suffix",
-			expected: `
+			referrerFinal: `
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -732,7 +739,7 @@ ref:
 	for tn, tc := range testCases {
 		t.Run(tn, func(t *testing.T) {
 			factory := provider.NewDefaultDepProvider().GetResourceFactory()
-			referrer, err := factory.FromBytes([]byte(tc.input))
+			referrer, err := factory.FromBytes([]byte(tc.referrerOriginal))
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -744,7 +751,7 @@ ref:
 			}
 			tc.filter.Referrer = referrer
 
-			resMapFactory := resmap.NewFactory(factory, nil)
+			resMapFactory := resmap.NewFactory(factory)
 			candidatesRes, err := factory.SliceFromBytesWithNames(
 				tc.originalNames, []byte(tc.candidates))
 			if err != nil {
@@ -764,13 +771,15 @@ ref:
 
 			if !tc.err {
 				if !assert.Equal(t,
-					strings.TrimSpace(tc.expected),
+					strings.TrimSpace(tc.referrerFinal),
 					strings.TrimSpace(
-						filtertest_test.RunFilter(t, tc.input, tc.filter))) {
+						filtertest_test.RunFilter(
+							t, tc.referrerOriginal, tc.filter))) {
 					t.FailNow()
 				}
 			} else {
-				_, err := filtertest_test.RunFilterE(t, tc.input, tc.filter)
+				_, err := filtertest_test.RunFilterE(
+					t, tc.referrerOriginal, tc.filter)
 				if err == nil {
 					t.Fatalf("an error is expected")
 				}

api/filters/namespace/namespace.go

@@ -4,11 +4,11 @@
 package namespace
 
 import (
-	"sigs.k8s.io/kustomize/api/filters/fieldspec"
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 	"sigs.k8s.io/kustomize/api/filters/fsslice"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
@@ -18,9 +18,17 @@ type Filter struct {
 
 	// FsSlice contains the FieldSpecs to locate the namespace field
 	FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (ns *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	ns.trackableSetter.WithMutationTracker(callback)
+}
 
 func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(ns.run)).Filter(nodes)
@@ -44,7 +52,7 @@ func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 	// transformations based on data -- :)
 	err := node.PipeE(fsslice.Filter{
 		FsSlice:    ns.FsSlice,
-		SetValue:   filtersutil.SetScalar(ns.Namespace),
+		SetValue:   ns.trackableSetter.SetScalar(ns.Namespace),
 		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
 		CreateTag:  yaml.NodeTagString,
 	})
@@ -54,16 +62,11 @@ func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 // hacks applies the namespace transforms that are hardcoded rather
 // than specified through FieldSpecs.
 func (ns Filter) hacks(obj *yaml.RNode) error {
-	meta, err := obj.GetMeta()
-	if err != nil {
+	gvk := resid.GvkFromNode(obj)
+	if err := ns.metaNamespaceHack(obj, gvk); err != nil {
 		return err
 	}
-
-	if err := ns.metaNamespaceHack(obj, meta); err != nil {
-		return err
-	}
-
-	return ns.roleBindingHack(obj, meta)
+	return ns.roleBindingHack(obj, gvk)
 }
 
 // metaNamespaceHack is a hack for implementing the namespace transform
@@ -74,16 +77,15 @@ func (ns Filter) hacks(obj *yaml.RNode) error {
 // This hack should be updated to allow individual resources to specify
 // if they are cluster scoped through either an annotation on the resources,
 // or through inlined OpenAPI on the resource as a YAML comment.
-func (ns Filter) metaNamespaceHack(obj *yaml.RNode, meta yaml.ResourceMeta) error {
-	gvk := fieldspec.GetGVK(meta)
-	if !gvk.IsNamespaceableKind() {
+func (ns Filter) metaNamespaceHack(obj *yaml.RNode, gvk resid.Gvk) error {
+	if gvk.IsClusterScoped() {
 		return nil
 	}
 	f := fsslice.Filter{
 		FsSlice: []types.FieldSpec{
 			{Path: types.MetadataNamespacePath, CreateIfNotPresent: true},
 		},
-		SetValue:   filtersutil.SetScalar(ns.Namespace),
+		SetValue:   ns.trackableSetter.SetScalar(ns.Namespace),
 		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
 	}
 	_, err := f.Filter(obj)
@@ -104,8 +106,8 @@ func (ns Filter) metaNamespaceHack(obj *yaml.RNode, meta yaml.ResourceMeta) erro
 //   ...
 // - name: "something-else" # this will not have the namespace set
 //   ...
-func (ns Filter) roleBindingHack(obj *yaml.RNode, meta yaml.ResourceMeta) error {
-	if meta.Kind != roleBindingKind && meta.Kind != clusterRoleBindingKind {
+func (ns Filter) roleBindingHack(obj *yaml.RNode, gvk resid.Gvk) error {
+	if gvk.Kind != roleBindingKind && gvk.Kind != clusterRoleBindingKind {
 		return nil
 	}
 
@@ -118,7 +120,6 @@ func (ns Filter) roleBindingHack(obj *yaml.RNode, meta yaml.ResourceMeta) error
 
 	// add the namespace to each "subject" with name: default
 	err = obj.VisitElements(func(o *yaml.RNode) error {
-		// copied from kunstruct based kustomize NamespaceTransformer plugin
 		// The only case we need to force the namespace
 		// if for the "service account". "default" is
 		// kind of hardcoded here for right now.
@@ -130,11 +131,15 @@ func (ns Filter) roleBindingHack(obj *yaml.RNode, meta yaml.ResourceMeta) error
 		}
 
 		// set the namespace for the default account
-		v := yaml.NewScalarRNode(ns.Namespace)
-		return o.PipeE(
+		node, err := o.Pipe(
 			yaml.LookupCreate(yaml.ScalarNode, "namespace"),
-			yaml.FieldSetter{Value: v},
 		)
+		if err != nil {
+			return err
+		}
+
+		return ns.trackableSetter.SetScalar(ns.Namespace)(node)
+
 	})
 
 	return err

api/filters/namespace/namespace_test.go

@@ -12,8 +12,11 @@ import (
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
+var mutationTrackerStub = filtertest_test.MutationTrackerStub{}
+
 var tests = []TestCase{
 	{
 		name: "add",
@@ -283,21 +286,91 @@ a:
 			},
 		},
 	},
+
+	{
+		name: "mutation tracker",
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: RoleBinding
+subjects:
+- name: default
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+  namespace: bar
+a:
+  b:
+    c: bar
+---
+apiVersion: example.com/v1
+kind: RoleBinding
+subjects:
+- name: default
+  namespace: bar
+metadata:
+  namespace: bar
+a:
+  b:
+    c: bar
+`,
+		filter: namespace.Filter{Namespace: "bar"},
+		fsslice: []types.FieldSpec{
+			{
+				Path:               "a/b/c",
+				CreateIfNotPresent: true,
+			},
+		},
+		mutationTracker: mutationTrackerStub.MutationTracker,
+		expectedSetValueArgs: []filtertest_test.SetValueArg{
+			{
+				Value:    "bar",
+				NodePath: []string{"metadata", "namespace"},
+			},
+			{
+				Value:    "bar",
+				NodePath: []string{"a", "b", "c"},
+			},
+			{
+				Value:    "bar",
+				NodePath: []string{"metadata", "namespace"},
+			},
+			{
+				Value:    "bar",
+				NodePath: []string{"namespace"},
+			},
+			{
+				Value:    "bar",
+				NodePath: []string{"a", "b", "c"},
+			},
+		},
+	},
 }
 
 type TestCase struct {
-	name     string
-	input    string
-	expected string
-	filter   namespace.Filter
-	fsslice  types.FsSlice
+	name                 string
+	input                string
+	expected             string
+	filter               namespace.Filter
+	fsslice              types.FsSlice
+	mutationTracker      func(key, value, tag string, node *yaml.RNode)
+	expectedSetValueArgs []filtertest_test.SetValueArg
 }
 
 var config = builtinconfig.MakeDefaultConfig()
 
 func TestNamespace_Filter(t *testing.T) {
 	for i := range tests {
+		mutationTrackerStub.Reset()
 		test := tests[i]
+		test.filter.WithMutationTracker(test.mutationTracker)
 		t.Run(test.name, func(t *testing.T) {
 			test.filter.FsSlice = append(config.NameSpace, test.fsslice...)
 			if !assert.Equal(t,
@@ -306,6 +379,7 @@ func TestNamespace_Filter(t *testing.T) {
 					filtertest_test.RunFilter(t, test.input, test.filter))) {
 				t.FailNow()
 			}
+			assert.Equal(t, test.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }

api/filters/patchstrategicmerge/patchstrategicmerge.go

@@ -4,7 +4,6 @@
 package patchstrategicmerge
 
 import (
-	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 	"sigs.k8s.io/kustomize/kyaml/yaml/merge2"
@@ -29,7 +28,7 @@ func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 		if err != nil {
 			return nil, err
 		}
-		if !konfig.FlagEnableKyamlDefaultValue || r != nil {
+		if r != nil {
 			result = append(result, r)
 		}
 	}

api/filters/patchstrategicmerge/patchstrategicmerge_test.go

@@ -672,6 +672,63 @@ spec:
         ports:
         - containerPort: 80
         - containerPort: 8080
+`,
+		},
+
+		// Test for issue #3513
+		// Currently broken; when one port has only containerPort, the output
+		// should not merge containerPort 8301 together
+		// This occurs because when protocol is missing on the first port,
+		// the merge code uses [containerPort] as the merge key rather than
+		// [containerPort, protocol]
+		"list map keys - protocol only present on some ports": {
+			input: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+spec:
+  template:
+    spec:
+      containers:
+      - name: consul
+        image: "dashicorp/consul:1.9.1"
+        ports:
+        - containerPort: 8500
+          name: http
+        - containerPort: 8301
+          protocol: "TCP"
+        - containerPort: 8301
+          protocol: "UDP"
+`,
+			patch: yaml.MustParse(`
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+  labels:
+    test: label
+`),
+			expected: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment
+  labels:
+    test: label
+spec:
+  template:
+    spec:
+      containers:
+      - name: consul
+        image: "dashicorp/consul:1.9.1"
+        ports:
+        - containerPort: 8500
+          name: http
+        - containerPort: 8301
+          protocol: "TCP"
+        - containerPort: 8301
+          protocol: "UDP"
 `,
 		},
 	}

api/filters/prefix/doc.go

@@ -0,0 +1,6 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package prefix contains a kio.Filter implementation of the kustomize
+// PrefixTransformer.
+package prefix

api/filters/prefix/example_test.go

@@ -1,14 +1,14 @@
 // Copyright 2020 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0
 
-package prefixsuffix_test
+package prefix_test
 
 import (
 	"bytes"
 	"log"
 	"os"
 
-	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
+	"sigs.k8s.io/kustomize/api/filters/prefix"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 )
@@ -26,7 +26,7 @@ kind: Bar
 metadata:
   name: instance
 `)}},
-		Filters: []kio.Filter{prefixsuffix.Filter{
+		Filters: []kio.Filter{prefix.Filter{
 			Prefix: "baz-", FieldSpec: types.FieldSpec{Path: "metadata/name"}}},
 		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
 	}.Execute()

api/filters/prefix/prefix.go

@@ -1,7 +1,7 @@
 // Copyright 2019 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0
 
-package prefixsuffix
+package prefix
 
 import (
 	"fmt"
@@ -13,15 +13,22 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
-// Filter applies resource name prefix's and suffix's using the fieldSpecs
+// Filter applies resource name prefix's using the fieldSpecs
 type Filter struct {
 	Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
-	Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"`
 
 	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
 
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
@@ -38,6 +45,6 @@ func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 }
 
 func (f Filter) evaluateField(node *yaml.RNode) error {
-	return filtersutil.SetScalar(fmt.Sprintf(
-		"%s%s%s", f.Prefix, node.YNode().Value, f.Suffix))(node)
+	return f.trackableSetter.SetScalar(fmt.Sprintf(
+		"%s%s", f.Prefix, node.YNode().Value))(node)
 }

api/filters/prefix/prefix_test.go

@@ -1,18 +1,21 @@
 // Copyright 2019 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0
 
-package prefixsuffix_test
+package prefix_test
 
 import (
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filters/prefixsuffix"
+	"sigs.k8s.io/kustomize/api/filters/prefix"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
+var mutationTrackerStub = filtertest_test.MutationTrackerStub{}
+
 var tests = map[string]TestCase{
 	"prefix": {
 		input: `
@@ -37,62 +40,10 @@ kind: Bar
 metadata:
   name: foo-instance
 `,
-		filter: prefixsuffix.Filter{Prefix: "foo-"},
-		fs:     types.FieldSpec{Path: "metadata/name"},
-	},
-
-	"suffix": {
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
----
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance-foo
----
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance-foo
-`,
-		filter: prefixsuffix.Filter{Suffix: "-foo"},
-		fs:     types.FieldSpec{Path: "metadata/name"},
-	},
-
-	"prefix-suffix": {
-		input: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: instance
----
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: instance
-`,
-		expected: `
-apiVersion: example.com/v1
-kind: Foo
-metadata:
-  name: bar-instance-foo
----
-apiVersion: example.com/v1
-kind: Bar
-metadata:
-  name: bar-instance-foo
-`,
-		filter: prefixsuffix.Filter{Prefix: "bar-", Suffix: "-foo"},
-		fs:     types.FieldSpec{Path: "metadata/name"},
+		filter: prefix.Filter{
+			Prefix:    "foo-",
+			FieldSpec: types.FieldSpec{Path: "metadata/name"},
+		},
 	},
 
 	"data-fieldspecs": {
@@ -130,29 +81,74 @@ a:
   b:
     c: foo-d
 `,
-		filter: prefixsuffix.Filter{Prefix: "foo-"},
-		fs:     types.FieldSpec{Path: "a/b/c"},
+		filter: prefix.Filter{
+			Prefix:    "foo-",
+			FieldSpec: types.FieldSpec{Path: "a/b/c"},
+		},
+	},
+
+	"mutation tracker": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: foo-instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: foo-instance
+`,
+		filter: prefix.Filter{
+			Prefix:    "foo-",
+			FieldSpec: types.FieldSpec{Path: "metadata/name"},
+		},
+		mutationTracker: mutationTrackerStub.MutationTracker,
+		expectedSetValueArgs: []filtertest_test.SetValueArg{
+			{
+				Value:    "foo-instance",
+				NodePath: []string{"metadata", "name"},
+			},
+			{
+				Value:    "foo-instance",
+				NodePath: []string{"metadata", "name"},
+			},
+		},
 	},
 }
 
 type TestCase struct {
-	input    string
-	expected string
-	filter   prefixsuffix.Filter
-	fs       types.FieldSpec
+	input                string
+	expected             string
+	filter               prefix.Filter
+	mutationTracker      func(key, value, tag string, node *yaml.RNode)
+	expectedSetValueArgs []filtertest_test.SetValueArg
 }
 
 func TestFilter(t *testing.T) {
 	for name := range tests {
+		mutationTrackerStub.Reset()
 		test := tests[name]
+		test.filter.WithMutationTracker(test.mutationTracker)
 		t.Run(name, func(t *testing.T) {
-			test.filter.FieldSpec = test.fs
 			if !assert.Equal(t,
 				strings.TrimSpace(test.expected),
 				strings.TrimSpace(
 					filtertest_test.RunFilter(t, test.input, test.filter))) {
 				t.FailNow()
 			}
+			assert.Equal(t, test.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }

api/filters/prefixsuffix/doc.go

@@ -1,6 +0,0 @@
-// Copyright 2020 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package prefixsuffix contains a kio.Filter implementation of the kustomize
-// PrefixSuffixTransformer.
-package prefixsuffix

api/filters/refvar/refvar_test.go

@@ -243,16 +243,7 @@ metadata:
 data:
   slice:
   - false`,
-			expectedError: `obj 'apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-  annotations:
-    config.kubernetes.io/index: '0'
-data:
-  slice:
-  - false
-' at path 'data/slice': invalid value type expect a string`,
+			expectedError: `considering field 'data/slice' of object Deployment.v1.apps/dep.[noNs]: invalid value type expect a string`,
 			filter: Filter{
 				MappingFunc: makeMf(map[string]interface{}{
 					"VAR": int64(5),
@@ -268,15 +259,7 @@ metadata:
   name: dep
 data:
   1: str`,
-			expectedError: `obj 'apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dep
-  annotations:
-    config.kubernetes.io/index: '0'
-data:
-  1: str
-' at path 'data': invalid map key: value='1', tag='` + yaml.NodeTagInt + `'`,
+			expectedError: `considering field 'data' of object Deployment.v1.apps/dep.[noNs]: invalid map key: value='1', tag='` + yaml.NodeTagInt + `'`,
 			filter: Filter{
 				MappingFunc: makeMf(map[string]interface{}{
 					"VAR": int64(5),

api/filters/replacement/doc.go

@@ -0,0 +1,4 @@
+// Package replacement contains a kio.Filter implementation of the kustomize
+// replacement transformer (accepts sources and looks for targets to replace
+// their values with values from the sources).
+package replacement

api/filters/replacement/example_test.go

@@ -0,0 +1,68 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package replacement
+
+import (
+	"bytes"
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func ExampleFilter() {
+	f := Filter{}
+	err := yaml.Unmarshal([]byte(`
+replacements:
+- source:
+    kind: Foo2
+    fieldPath: spec.replicas
+  targets:
+  - select:
+      kind: Foo1
+    fieldPaths: 
+    - spec.replicas`), &f)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = kio.Pipeline{
+		Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(`
+apiVersion: example.com/v1
+kind: Foo1
+metadata:
+  name: instance
+spec:
+  replicas: 3
+---
+apiVersion: example.com/v1
+kind: Foo2
+metadata:
+  name: instance
+spec:
+  replicas: 99
+`)}},
+		Filters: []kio.Filter{f},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: example.com/v1
+	// kind: Foo1
+	// metadata:
+	//   name: instance
+	// spec:
+	//   replicas: 99
+	// ---
+	// apiVersion: example.com/v1
+	// kind: Foo2
+	// metadata:
+	//   name: instance
+	// spec:
+	//   replicas: 99
+}

api/filters/replacement/replacement.go

@@ -0,0 +1,221 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package replacement
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	Replacements []types.Replacement `json:"replacements,omitempty" yaml:"replacements,omitempty"`
+}
+
+// Filter replaces values of targets with values from sources
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	for _, r := range f.Replacements {
+		if r.Source == nil || r.Targets == nil {
+			return nil, fmt.Errorf("replacements must specify a source and at least one target")
+		}
+		value, err := getReplacement(nodes, &r)
+		if err != nil {
+			return nil, err
+		}
+		nodes, err = applyReplacement(nodes, value, r.Targets)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return nodes, nil
+}
+
+func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targets []*types.TargetSelector) ([]*yaml.RNode, error) {
+	for _, t := range targets {
+		if t.Select == nil {
+			return nil, fmt.Errorf("target must specify resources to select")
+		}
+		if len(t.FieldPaths) == 0 {
+			t.FieldPaths = []string{types.DefaultReplacementFieldPath}
+		}
+		for _, n := range nodes {
+			ids, err := utils.MakeResIds(n)
+			if err != nil {
+				return nil, err
+			}
+
+			// filter targets by label and annotation selectors
+			selectByAnnoAndLabel, err := selectByAnnoAndLabel(n, t)
+			if err != nil {
+				return nil, err
+			}
+			if !selectByAnnoAndLabel {
+				continue
+			}
+
+			// filter targets by matching resource IDs
+			for _, id := range ids {
+				if id.IsSelectedBy(t.Select.ResId) && !rejectId(t.Reject, &id) {
+					err := applyToNode(n, value, t)
+					if err != nil {
+						return nil, err
+					}
+					break
+				}
+			}
+		}
+	}
+	return nodes, nil
+}
+
+func selectByAnnoAndLabel(n *yaml.RNode, t *types.TargetSelector) (bool, error) {
+	if matchesSelect, err := matchesAnnoAndLabelSelector(n, t.Select); !matchesSelect || err != nil {
+		return false, err
+	}
+	for _, reject := range t.Reject {
+		if reject.AnnotationSelector == "" && reject.LabelSelector == "" {
+			continue
+		}
+		if m, err := matchesAnnoAndLabelSelector(n, reject); m || err != nil {
+			return false, err
+		}
+	}
+	return true, nil
+}
+
+func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool, error) {
+	r := resource.Resource{RNode: *n}
+	annoMatch, err := r.MatchesAnnotationSelector(selector.AnnotationSelector)
+	if err != nil {
+		return false, err
+	}
+	labelMatch, err := r.MatchesLabelSelector(selector.LabelSelector)
+	if err != nil {
+		return false, err
+	}
+	return annoMatch && labelMatch, nil
+}
+
+func rejectId(rejects []*types.Selector, id *resid.ResId) bool {
+	for _, r := range rejects {
+		if !r.ResId.IsEmpty() && id.IsSelectedBy(r.ResId) {
+			return true
+		}
+	}
+	return false
+}
+
+func applyToNode(node *yaml.RNode, value *yaml.RNode, target *types.TargetSelector) error {
+	for _, fp := range target.FieldPaths {
+		fieldPath := utils.SmarterPathSplitter(fp, ".")
+		var t *yaml.RNode
+		var err error
+		if target.Options != nil && target.Options.Create {
+			t, err = node.Pipe(yaml.LookupCreate(value.YNode().Kind, fieldPath...))
+		} else {
+			t, err = node.Pipe(yaml.Lookup(fieldPath...))
+		}
+		if err != nil {
+			return err
+		}
+		if t != nil {
+			if err = setTargetValue(target.Options, t, value); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func setTargetValue(options *types.FieldOptions, t *yaml.RNode, value *yaml.RNode) error {
+	value = value.Copy()
+	if options != nil && options.Delimiter != "" {
+		if t.YNode().Kind != yaml.ScalarNode {
+			return fmt.Errorf("delimiter option can only be used with scalar nodes")
+		}
+		tv := strings.Split(t.YNode().Value, options.Delimiter)
+		v := yaml.GetValue(value)
+		// TODO: Add a way to remove an element
+		switch {
+		case options.Index < 0: // prefix
+			tv = append([]string{v}, tv...)
+		case options.Index >= len(tv): // suffix
+			tv = append(tv, v)
+		default: // replace an element
+			tv[options.Index] = v
+		}
+		value.YNode().Value = strings.Join(tv, options.Delimiter)
+	}
+	t.SetYNode(value.YNode())
+	return nil
+}
+
+func getReplacement(nodes []*yaml.RNode, r *types.Replacement) (*yaml.RNode, error) {
+	source, err := selectSourceNode(nodes, r.Source)
+	if err != nil {
+		return nil, err
+	}
+
+	if r.Source.FieldPath == "" {
+		r.Source.FieldPath = types.DefaultReplacementFieldPath
+	}
+	fieldPath := utils.SmarterPathSplitter(r.Source.FieldPath, ".")
+
+	rn, err := source.Pipe(yaml.Lookup(fieldPath...))
+	if err != nil {
+		return nil, err
+	}
+	if rn.IsNilOrEmpty() {
+		return nil, fmt.Errorf("fieldPath `%s` is missing for replacement source %s", r.Source.FieldPath, r.Source.ResId)
+	}
+
+	return getRefinedValue(r.Source.Options, rn)
+}
+
+func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode, error) {
+	if options == nil || options.Delimiter == "" {
+		return rn, nil
+	}
+	if rn.YNode().Kind != yaml.ScalarNode {
+		return nil, fmt.Errorf("delimiter option can only be used with scalar nodes")
+	}
+	value := strings.Split(yaml.GetValue(rn), options.Delimiter)
+	if options.Index >= len(value) || options.Index < 0 {
+		return nil, fmt.Errorf("options.index %d is out of bounds for value %s", options.Index, yaml.GetValue(rn))
+	}
+	n := rn.Copy()
+	n.YNode().Value = value[options.Index]
+	return n, nil
+}
+
+// selectSourceNode finds the node that matches the selector, returning
+// an error if multiple or none are found
+func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yaml.RNode, error) {
+	var matches []*yaml.RNode
+	for _, n := range nodes {
+		ids, err := utils.MakeResIds(n)
+		if err != nil {
+			return nil, err
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(selector.ResId) {
+				if len(matches) > 0 {
+					return nil, fmt.Errorf(
+						"multiple matches for selector %s", selector)
+				}
+				matches = append(matches, n)
+				break
+			}
+		}
+	}
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("nothing selected by %s", selector)
+	}
+	return matches[0], nil
+}

api/filters/replicacount/replicacount.go

@@ -14,9 +14,17 @@ import (
 type Filter struct {
 	Replica   types.Replica   `json:"replica,omitempty" yaml:"replica,omitempty"`
 	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
 }
 
 var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (rc *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	rc.trackableSetter.WithMutationTracker(callback)
+}
 
 func (rc Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	return kio.FilterAll(yaml.FilterFunc(rc.run)).Filter(nodes)
@@ -33,5 +41,5 @@ func (rc Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 }
 
 func (rc Filter) set(node *yaml.RNode) error {
-	return filtersutil.SetScalar(strconv.FormatInt(rc.Replica.Count, 10))(node)
+	return rc.trackableSetter.SetScalar(strconv.FormatInt(rc.Replica.Count, 10))(node)
 }

api/filters/replicacount/replicacount_test.go

@@ -7,14 +7,17 @@ import (
 	"github.com/stretchr/testify/assert"
 	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 func TestFilter(t *testing.T) {
-
+	mutationTrackerStub := filtertest_test.MutationTrackerStub{}
 	testCases := map[string]struct {
-		input    string
-		expected string
-		filter   Filter
+		input                string
+		expected             string
+		filter               Filter
+		mutationTracker      func(key, value, tag string, node *yaml.RNode)
+		expectedSetValueArgs []filtertest_test.SetValueArg
 	}{
 		"update field": {
 			input: `
@@ -161,9 +164,43 @@ spec:
 				FieldSpec: types.FieldSpec{Path: "spec/template/replicas"},
 			},
 		},
+		"mutation tracker": {
+			input: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+spec:
+  replicas: 5
+`,
+			expected: `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dep
+spec:
+  replicas: 42
+`,
+			filter: Filter{
+				Replica: types.Replica{
+					Name:  "dep",
+					Count: 42,
+				},
+				FieldSpec: types.FieldSpec{Path: "spec/replicas"},
+			},
+			mutationTracker: mutationTrackerStub.MutationTracker,
+			expectedSetValueArgs: []filtertest_test.SetValueArg{
+				{
+					Value:    "42",
+					NodePath: []string{"spec", "replicas"},
+				},
+			},
+		},
 	}
 
 	for tn, tc := range testCases {
+		mutationTrackerStub.Reset()
+		tc.filter.WithMutationTracker(tc.mutationTracker)
 		t.Run(tn, func(t *testing.T) {
 			if !assert.Equal(t,
 				strings.TrimSpace(tc.expected),
@@ -171,6 +208,7 @@ spec:
 					filtertest_test.RunFilter(t, tc.input, tc.filter))) {
 				t.FailNow()
 			}
+			assert.Equal(t, tc.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
 		})
 	}
 }

api/filters/suffix/doc.go

@@ -0,0 +1,6 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package suffix contains a kio.Filter implementation of the kustomize
+// SuffixTransformer.
+package suffix

api/filters/suffix/example_test.go

@@ -0,0 +1,47 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package suffix_test
+
+import (
+	"bytes"
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/api/filters/suffix"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+)
+
+func ExampleFilter() {
+	err := kio.Pipeline{
+		Inputs: []kio.Reader{&kio.ByteReader{Reader: bytes.NewBufferString(`
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`)}},
+		Filters: []kio.Filter{suffix.Filter{
+			Suffix: "-baz", FieldSpec: types.FieldSpec{Path: "metadata/name"}}},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: example.com/v1
+	// kind: Foo
+	// metadata:
+	//   name: instance-baz
+	// ---
+	// apiVersion: example.com/v1
+	// kind: Bar
+	// metadata:
+	//   name: instance-baz
+}

api/filters/suffix/suffix.go

@@ -0,0 +1,50 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package suffix
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Filter applies resource name suffix's using the fieldSpecs
+type Filter struct {
+	Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+
+	FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"`
+
+	trackableSetter filtersutil.TrackableSetter
+}
+
+var _ kio.Filter = Filter{}
+var _ kio.TrackableFilter = &Filter{}
+
+// WithMutationTracker registers a callback which will be invoked each time a field is mutated
+func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) {
+	f.trackableSetter.WithMutationTracker(callback)
+}
+
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes)
+}
+
+func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
+	err := node.PipeE(fieldspec.Filter{
+		FieldSpec:  f.FieldSpec,
+		SetValue:   f.evaluateField,
+		CreateKind: yaml.ScalarNode, // Name is a ScalarNode
+		CreateTag:  yaml.NodeTagString,
+	})
+	return node, err
+}
+
+func (f Filter) evaluateField(node *yaml.RNode) error {
+	return f.trackableSetter.SetScalar(fmt.Sprintf(
+		"%s%s", node.YNode().Value, f.Suffix))(node)
+}

api/filters/suffix/suffix_test.go

@@ -0,0 +1,154 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package suffix_test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/filters/suffix"
+	filtertest_test "sigs.k8s.io/kustomize/api/testutils/filtertest"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+var mutationTrackerStub = filtertest_test.MutationTrackerStub{}
+
+var tests = map[string]TestCase{
+	"suffix": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance-foo
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance-foo
+`,
+		filter: suffix.Filter{
+			Suffix:    "-foo",
+			FieldSpec: types.FieldSpec{Path: "metadata/name"},
+		},
+	},
+
+	"data-fieldspecs": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+a:
+  b:
+    c: d
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+a:
+  b:
+    c: d
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+a:
+  b:
+    c: d-foo
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+a:
+  b:
+    c: d-foo
+`,
+		filter: suffix.Filter{
+			Suffix:    "-foo",
+			FieldSpec: types.FieldSpec{Path: "a/b/c"},
+		},
+	},
+
+	"mutation tracker": {
+		input: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance
+`,
+		expected: `
+apiVersion: example.com/v1
+kind: Foo
+metadata:
+  name: instance-foo
+---
+apiVersion: example.com/v1
+kind: Bar
+metadata:
+  name: instance-foo
+`,
+		filter: suffix.Filter{
+			Suffix:    "-foo",
+			FieldSpec: types.FieldSpec{Path: "metadata/name"},
+		},
+		mutationTracker: mutationTrackerStub.MutationTracker,
+		expectedSetValueArgs: []filtertest_test.SetValueArg{
+			{
+				Value:    "instance-foo",
+				NodePath: []string{"metadata", "name"},
+			},
+			{
+				Value:    "instance-foo",
+				NodePath: []string{"metadata", "name"},
+			},
+		},
+	},
+}
+
+type TestCase struct {
+	input                string
+	expected             string
+	filter               suffix.Filter
+	mutationTracker      func(key, value, tag string, node *yaml.RNode)
+	expectedSetValueArgs []filtertest_test.SetValueArg
+}
+
+func TestFilter(t *testing.T) {
+	for name := range tests {
+		mutationTrackerStub.Reset()
+		test := tests[name]
+		test.filter.WithMutationTracker(test.mutationTracker)
+		t.Run(name, func(t *testing.T) {
+			if !assert.Equal(t,
+				strings.TrimSpace(test.expected),
+				strings.TrimSpace(
+					filtertest_test.RunFilter(t, test.input, test.filter))) {
+				t.FailNow()
+			}
+			assert.Equal(t, test.expectedSetValueArgs, mutationTrackerStub.SetValueArgs())
+		})
+	}
+}

api/filters/valueadd/valueadd.go

@@ -6,7 +6,7 @@ package valueadd
 import (
 	"strings"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -98,7 +98,17 @@ var _ kio.Filter = Filter{}
 func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 	_, err := kio.FilterAll(yaml.FilterFunc(
 		func(node *yaml.RNode) (*yaml.RNode, error) {
-			fields := strings.Split(f.FieldPath, "/")
+			var fields []string
+			// if there is forward slash '/' in the field name, a back slash '\'
+			// will be used to escape it.
+			for _, f := range strings.Split(f.FieldPath, "/") {
+				if len(fields) > 0 && strings.HasSuffix(fields[len(fields)-1], "\\") {
+					concatField := strings.TrimSuffix(fields[len(fields)-1], "\\") + "/" + f
+					fields = append(fields[:len(fields)-1], concatField)
+				} else {
+					fields = append(fields, f)
+				}
+			}
 			// TODO: support SequenceNode.
 			// Presumably here one could look for array indices (digits) at
 			// the end of the field path (as described in IETF RFC 6902 JSON),

api/filters/valueadd/valueadd_test.go

@@ -94,6 +94,20 @@ spec:
 				FilePathPosition: 2,
 			},
 		},
+		"backSlash": {
+			input: `
+kind: SomeKind
+`,
+			expectedOutput: `
+kind: SomeKind
+spec:
+  resourceRef/external: valueAdded
+`,
+			filter: Filter{
+				Value:     "valueAdded",
+				FieldPath: "spec/resourceRef\\/external",
+			},
+		},
 	}
 
 	for tn, tc := range testCases {

api/go.mod

@@ -1,26 +1,16 @@
 module sigs.k8s.io/kustomize/api
 
-go 1.15
+go 1.16
 
 require (
-	github.com/evanphx/json-patch v4.5.0+incompatible
+	github.com/evanphx/json-patch v4.11.0+incompatible
 	github.com/go-errors/errors v1.0.1
-	github.com/go-openapi/spec v0.19.5
-	github.com/golangci/golangci-lint v1.21.0
-	github.com/google/go-cmp v0.3.0
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/hashicorp/go-multierror v1.1.0
 	github.com/imdario/mergo v0.3.5
-	github.com/pkg/errors v0.8.1
-	github.com/stretchr/testify v1.4.0
-	github.com/yujunz/go-getter v1.5.1-lite.0.20201201013212-6d9c071adddf
-	golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e
-	gopkg.in/yaml.v2 v2.3.0
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
-	k8s.io/api v0.17.0
-	k8s.io/apimachinery v0.17.0
-	k8s.io/client-go v0.17.0
-	k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
-	sigs.k8s.io/kustomize/kyaml v0.10.6
+	github.com/pkg/errors v0.9.1
+	github.com/stretchr/testify v1.7.0
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
+	sigs.k8s.io/kustomize/kyaml v0.13.2
 	sigs.k8s.io/yaml v1.2.0
 )

api/hasher/hasher.go

@@ -20,12 +20,12 @@ func SortArrayAndComputeHash(s []string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return Encode(Hash(string(data)))
+	return encode(hex256(string(data)))
 }
 
 // Copied from https://github.com/kubernetes/kubernetes
 // /blob/master/pkg/kubectl/util/hash/hash.go
-func Encode(hex string) (string, error) {
+func encode(hex string) (string, error) {
 	if len(hex) < 10 {
 		return "", fmt.Errorf(
 			"input length must be at least 10")
@@ -48,23 +48,18 @@ func Encode(hex string) (string, error) {
 	return string(enc), nil
 }
 
-// Hash returns the hex form of the sha256 of the argument.
-func Hash(data string) string {
+// hex256 returns the hex form of the sha256 of the argument.
+func hex256(data string) string {
 	return fmt.Sprintf("%x", sha256.Sum256([]byte(data)))
 }
 
-// HashRNode returns the hash value of input RNode
-func HashRNode(node *yaml.RNode) (string, error) {
-	// get node kind
-	kindNode, err := node.Pipe(yaml.FieldMatcher{Name: "kind"})
-	if err != nil {
-		return "", err
-	}
-	kind := kindNode.YNode().Value
+// Hasher computes the hash of an RNode.
+type Hasher struct{}
 
-	// calculate hash for different kinds
-	encoded := ""
-	switch kind {
+// Hash returns a hash of the argument.
+func (h *Hasher) Hash(node *yaml.RNode) (r string, err error) {
+	var encoded string
+	switch node.GetKind() {
 	case "ConfigMap":
 		encoded, err = encodeConfigMap(node)
 	case "Secret":
@@ -77,10 +72,11 @@ func HashRNode(node *yaml.RNode) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return Encode(Hash(encoded))
+	return encode(hex256(encoded))
 }
 
-func getNodeValues(node *yaml.RNode, paths []string) (map[string]interface{}, error) {
+func getNodeValues(
+	node *yaml.RNode, paths []string) (map[string]interface{}, error) {
 	values := make(map[string]interface{})
 	for _, p := range paths {
 		vn, err := node.Pipe(yaml.Lookup(p))
@@ -117,8 +113,11 @@ func encodeConfigMap(node *yaml.RNode) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	m := map[string]interface{}{"kind": "ConfigMap", "name": values["metadata/name"],
-		"data": values["data"]}
+	m := map[string]interface{}{
+		"kind": "ConfigMap",
+		"name": values["metadata/name"],
+		"data": values["data"],
+	}
 	if _, ok := values["binaryData"].(map[string]interface{}); ok {
 		m["binaryData"] = values["binaryData"]
 	}

api/hasher/hasher_test.go

@@ -32,10 +32,10 @@ func TestSortArrayAndComputeHash(t *testing.T) {
 	}
 }
 
-func TestHash(t *testing.T) {
+func Test_hex256(t *testing.T) {
 	// hash the empty string to be sure that sha256 is being used
 	expect := "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
-	sum := Hash("")
+	sum := hex256("")
 	if expect != sum {
 		t.Errorf("expected hash %q but got %q", expect, sum)
 	}
@@ -56,7 +56,7 @@ kind: ConfigMap`, "6ct58987ht", ""},
 		{"one key", `
 apiVersion: v1
 kind: ConfigMap
-data: 
+data:
   one: ""`, "9g67k2htb6", ""},
 		// three keys (tests sorting order)
 		{"three keys", `
@@ -93,17 +93,17 @@ data:
 binaryData:
   two: ""`, "698h7c7t9m", ""},
 	}
-
+	h := &Hasher{}
 	for _, c := range cases {
 		node, err := yaml.Parse(c.cmYaml)
 		if err != nil {
 			t.Fatal(err)
 		}
-		h, err := HashRNode(node)
+		hashed, err := h.Hash(node)
 		if SkipRest(t, c.desc, err, c.err) {
 			continue
 		}
-		if c.hash != h {
+		if c.hash != hashed {
 			t.Errorf("case %q, expect hash %q but got %q", c.desc, c.hash, h)
 		}
 	}
@@ -154,35 +154,34 @@ type: my-type
 data:
   one: ""`, "74bd68bm66", ""},
 	}
-
+	h := &Hasher{}
 	for _, c := range cases {
 		node, err := yaml.Parse(c.secretYaml)
 		if err != nil {
 			t.Fatal(err)
 		}
-		h, err := HashRNode(node)
+		hashed, err := h.Hash(node)
 		if SkipRest(t, c.desc, err, c.err) {
 			continue
 		}
-		if c.hash != h {
+		if c.hash != hashed {
 			t.Errorf("case %q, expect hash %q but got %q", c.desc, c.hash, h)
 		}
 	}
 }
 
-func TestUnstructuredHash(t *testing.T) {
-	cases := []struct {
-		desc         string
-		unstructured string
-		hash         string
-		err          string
+func TestBasicHash(t *testing.T) {
+	cases := map[string]struct {
+		res  string
+		hash string
+		err  string
 	}{
-		{"minimal", `
+		"minimal": {`
 apiVersion: test/v1
 kind: TestResource
 metadata:
   name: my-resource`, "244782mkb7", ""},
-		{"with spec", `
+		"with spec": {`
 apiVersion: test/v1
 kind: TestResource
 metadata:
@@ -191,19 +190,22 @@ spec:
   foo: 1
   bar: abc`, "59m2mdccg4", ""},
 	}
-
-	for _, c := range cases {
-		node, err := yaml.Parse(c.unstructured)
-		if err != nil {
-			t.Fatal(err)
-		}
-		h, err := HashRNode(node)
-		if SkipRest(t, c.desc, err, c.err) {
-			continue
-		}
-		if c.hash != h {
-			t.Errorf("case %q, expect hash %q but got %q", c.desc, c.hash, h)
-		}
+	h := &Hasher{}
+	for n := range cases {
+		c := cases[n]
+		t.Run(n, func(t *testing.T) {
+			node, err := yaml.Parse(c.res)
+			if err != nil {
+				t.Fatal(err)
+			}
+			hashed, err := h.Hash(node)
+			if SkipRest(t, n, err, c.err) {
+				return
+			}
+			if c.hash != hashed {
+				t.Errorf("case %q, expect hash %q but got %q", n, c.hash, h)
+			}
+		})
 	}
 }
 
@@ -222,7 +224,7 @@ kind: ConfigMap`, `{"data":"","kind":"ConfigMap","name":""}`, ""},
 		{"one key", `
 apiVersion: v1
 kind: ConfigMap
-data: 
+data:
   one: ""`, `{"data":{"one":""},"kind":"ConfigMap","name":""}`, ""},
 		// three keys (tests sorting order)
 		{"three keys", `
@@ -334,9 +336,10 @@ data:
 	}
 }
 
-// SkipRest returns true if there was a non-nil error or if we expected an error that didn't happen,
-// and logs the appropriate error on the test object.
-// The return value indicates whether we should skip the rest of the test case due to the error result.
+// SkipRest returns true if there was a non-nil error or if we expected an
+// error that didn't happen, and logs the appropriate error on the test object.
+// The return value indicates whether we should skip the rest of the test case
+// due to the error result.
 func SkipRest(t *testing.T, desc string, err error, contains string) bool {
 	if err != nil {
 		if len(contains) == 0 {

api/ifc/ifc.go

@@ -5,8 +5,8 @@
 package ifc
 
 import (
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 // Validator provides functions to validate annotations and labels
@@ -38,87 +38,10 @@ type Loader interface {
 	Cleanup() error
 }
 
-// Kunstructured represents a Kubernetes Resource Model object.
-type Kunstructured interface {
-	// Several uses.
-	Copy() Kunstructured
-
-	// GetAnnotations returns the k8s annotations.
-	GetAnnotations() map[string]string
-
-	// GetData returns a top-level "data" field, as in a ConfigMap.
-	GetDataMap() map[string]string
-
-	// Used by ResAccumulator and ReplacementTransformer.
-	GetFieldValue(string) (interface{}, error)
-
-	// Used by Resource.OrgId
-	GetGvk() resid.Gvk
-
-	// Used by resource.Factory.SliceFromBytes
-	GetKind() string
-
-	// GetLabels returns the k8s labels.
-	GetLabels() map[string]string
-
-	// Used by Resource.CurId and resource factory.
-	GetName() string
-
-	// Used by special case code in
-	// ResMap.SubsetThatCouldBeReferencedByResource
-	GetSlice(path string) ([]interface{}, error)
-
-	// GetString returns the value of a string field.
-	// Used by Resource.GetNamespace
-	GetString(string) (string, error)
-
-	// Several uses.
-	Map() map[string]interface{}
-
-	// Used by Resource.AsYAML and Resource.String
-	MarshalJSON() ([]byte, error)
-
-	// Used by resWrangler.Select
-	MatchesAnnotationSelector(selector string) (bool, error)
-
-	// Used by resWrangler.Select
-	MatchesLabelSelector(selector string) (bool, error)
-
-	// SetAnnotations replaces the k8s annotations.
-	SetAnnotations(map[string]string)
-
-	// SetDataMap sets a top-level "data" field, as in a ConfigMap.
-	SetDataMap(map[string]string)
-
-	// Used by PatchStrategicMergeTransformer.
-	SetGvk(resid.Gvk)
-
-	// SetLabels replaces the k8s labels.
-	SetLabels(map[string]string)
-
-	// SetName changes the name.
-	SetName(string)
-
-	// SetNamespace changes the namespace.
-	SetNamespace(string)
-
-	// Needed, for now, by kyaml/filtersutil.ApplyToJSON.
-	UnmarshalJSON([]byte) error
-}
-
-// KunstructuredFactory makes instances of Kunstructured.
-type KunstructuredFactory interface {
-	SliceFromBytes([]byte) ([]Kunstructured, error)
-	FromMap(m map[string]interface{}) Kunstructured
-	Hasher() KunstructuredHasher
-	MakeConfigMap(kvLdr KvLoader, args *types.ConfigMapArgs) (Kunstructured, error)
-	MakeSecret(kvLdr KvLoader, args *types.SecretArgs) (Kunstructured, error)
-}
-
-// KunstructuredHasher returns a hash of the argument
+// KustHasher returns a hash of the argument
 // or an error.
-type KunstructuredHasher interface {
-	Hash(Kunstructured) (string, error)
+type KustHasher interface {
+	Hash(*yaml.RNode) (string, error)
 }
 
 // See core.v1.SecretTypeOpaque

api/internal/accumulator/loadconfigfromcrds.go

@@ -7,19 +7,26 @@ import (
 	"encoding/json"
 	"strings"
 
-	"github.com/go-openapi/spec"
 	"github.com/pkg/errors"
-	"k8s.io/kube-openapi/pkg/common"
-	"sigs.k8s.io/kustomize/api/filesys"
+	"k8s.io/kube-openapi/pkg/validation/spec"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/yaml"
 )
 
-type myProperties map[string]spec.Schema
-type nameToApiMap map[string]common.OpenAPIDefinition
+// OpenAPIDefinition describes single type.
+// Normally these definitions are auto-generated using gen-openapi.
+// Same as in k8s.io / kube-openapi / pkg / common.
+type OpenAPIDefinition struct {
+	Schema       spec.Schema
+	Dependencies []string
+}
+
+type myProperties = map[string]spec.Schema
+type nameToApiMap map[string]OpenAPIDefinition
 
 // LoadConfigFromCRDs parse CRD schemas from paths into a TransformerConfig
 func LoadConfigFromCRDs(
@@ -162,7 +169,7 @@ func loadCrdIntoConfig(
 				err = theConfig.AddNamereferenceFieldSpec(
 					builtinconfig.NameBackReferences{
 						Gvk: resid.Gvk{Kind: kind, Version: version},
-						FieldSpecs: []types.FieldSpec{
+						Referrers: []types.FieldSpec{
 							makeFs(theGvk, append(path, propName, nameKey))},
 					})
 				if err != nil {
@@ -171,9 +178,12 @@ func loadCrdIntoConfig(
 			}
 		}
 		if property.Ref.GetURL() != nil {
-			loadCrdIntoConfig(
+			err = loadCrdIntoConfig(
 				theConfig, theGvk, theMap,
 				property.Ref.String(), append(path, propName))
+			if err != nil {
+				return
+			}
 		}
 	}
 	return nil

api/internal/accumulator/loadconfigfromcrds_test.go

@@ -7,13 +7,13 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
-	"sigs.k8s.io/kustomize/api/loader"
-
+	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/accumulator"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
-	"sigs.k8s.io/kustomize/api/resid"
+	"sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 // This defines two CRD's:  Bee and MyKind.
@@ -140,21 +140,19 @@ func TestLoadCRDs(t *testing.T) {
 	nbrs := []builtinconfig.NameBackReferences{
 		{
 			Gvk: resid.Gvk{Kind: "Secret", Version: "v1"},
-			FieldSpecs: []types.FieldSpec{
+			Referrers: []types.FieldSpec{
 				{
-					CreateIfNotPresent: false,
-					Gvk:                resid.Gvk{Kind: "MyKind"},
-					Path:               "spec/secretRef/name",
+					Gvk:  resid.Gvk{Kind: "MyKind"},
+					Path: "spec/secretRef/name",
 				},
 			},
 		},
 		{
 			Gvk: resid.Gvk{Kind: "Bee", Version: "v1beta1"},
-			FieldSpecs: []types.FieldSpec{
+			Referrers: []types.FieldSpec{
 				{
-					CreateIfNotPresent: false,
-					Gvk:                resid.Gvk{Kind: "MyKind"},
-					Path:               "spec/beeRef/name",
+					Gvk:  resid.Gvk{Kind: "MyKind"},
+					Path: "spec/beeRef/name",
 				},
 			},
 		},
@@ -165,16 +163,13 @@ func TestLoadCRDs(t *testing.T) {
 	}
 
 	fSys := filesys.MakeFsInMemory()
-	fSys.WriteFile("/testpath/crd.json", []byte(crdContent))
+	err := fSys.WriteFile("/testpath/crd.json", []byte(crdContent))
+	require.NoError(t, err)
 	ldr, err := loader.NewLoader(loader.RestrictionRootOnly, "/testpath", fSys)
-	if err != nil {
-		t.Fatalf("unexpected error:%v", err)
-	}
+	require.NoError(t, err)
 
 	actualTc, err := LoadConfigFromCRDs(ldr, []string{"crd.json"})
-	if err != nil {
-		t.Fatalf("unexpected error:%v", err)
-	}
+	require.NoError(t, err)
 	if !reflect.DeepEqual(actualTc, expectedTc) {
 		t.Fatalf("expected\n %v\n but got\n %v\n", expectedTc, actualTc)
 	}

api/internal/accumulator/namereferencetransformer.go

@@ -4,19 +4,26 @@
 package accumulator
 
 import (
+	"fmt"
 	"log"
 
 	"sigs.k8s.io/kustomize/api/filters/nameref"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 type nameReferenceTransformer struct {
 	backRefs []builtinconfig.NameBackReferences
 }
 
+const doDebug = false
+
 var _ resmap.Transformer = &nameReferenceTransformer{}
 
+type filterMap map[*resource.Resource][]nameref.Filter
+
 // newNameReferenceTransformer constructs a nameReferenceTransformer
 // with a given slice of NameBackReferences.
 func newNameReferenceTransformer(
@@ -29,16 +36,67 @@ func newNameReferenceTransformer(
 
 // Transform updates name references in resource A that
 // refer to resource B, given that B's name may have
-// changed.  A is the referrer, B is the referralTarget.
+// changed.
 //
 // For example, a HorizontalPodAutoscaler (HPA)
 // necessarily refers to a Deployment, the thing that
-// the HPA scales. The Deployment's name might change
-// (e.g. prefix added), and the reference in the HPA
-// has to be fixed.
+// an HPA scales. In this case:
 //
-// In the outer loop over the ResMap below, say we
-// encounter a specific HPA. Then, in scanning the set
+//   - the HPA instance is the Referrer,
+//   - the Deployment instance is the ReferralTarget.
+//
+// If the Deployment's name changes, e.g. a prefix is added,
+// then the HPA's reference to the Deployment must be fixed.
+//
+func (t *nameReferenceTransformer) Transform(m resmap.ResMap) error {
+	fMap := t.determineFilters(m.Resources())
+	debug(fMap)
+	for r, fList := range fMap {
+		c, err := m.SubsetThatCouldBeReferencedByResource(r)
+		if err != nil {
+			return err
+		}
+		for _, f := range fList {
+			f.Referrer = r
+			f.ReferralCandidates = c
+			if err := f.Referrer.ApplyFilter(f); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func debug(fMap filterMap) {
+	if !doDebug {
+		return
+	}
+	fmt.Printf("filterMap has %d entries:\n", len(fMap))
+	rCount := 0
+	for r, fList := range fMap {
+		yml, _ := r.AsYAML()
+		rCount++
+		fmt.Printf(`
+---- %3d. possible referrer -------------
+%s
+---------`, rCount, string(yml),
+		)
+		for i, f := range fList {
+			fmt.Printf(`
+%3d/%3d update: %s
+          from: %s
+`, rCount, i+1, f.NameFieldToUpdate.Path, f.ReferralTarget,
+			)
+		}
+	}
+}
+
+// Produce a map from referrer resources that might need to be fixed
+// to filters that might fix them.  The keys to this map are potential
+// referrers, so won't include resources like ConfigMap or Secret.
+//
+// In the inner loop over the resources below, say we
+// encounter an HPA instance. Then, in scanning the set
 // of all known backrefs, we encounter an entry like
 //
 //   - kind: Deployment
@@ -48,64 +106,60 @@ func newNameReferenceTransformer(
 //
 // This entry says that an HPA, via its
 // 'spec/scaleTargetRef/name' field, may refer to a
-// Deployment.  This match to HPA means we may need to
-// modify the value in its 'spec/scaleTargetRef/name'
-// field, by searching for the thing it refers to,
-// and getting its new name.
+// Deployment.
 //
-// As a filter, and search optimization, we compute a
-// subset of all resources that the HPA could refer to,
-// by excluding objects from other namespaces, and
-// excluding objects that don't have the same prefix-
-// suffix mods as the HPA.
-//
-// We look in this subset for all Deployment objects
-// with a resId that has a Name matching the field value
-// present in the HPA.  If no match do nothing; if more
-// than one match, it's an error.
-//
-// We overwrite the HPA name field with the value found
-// in the Deployment's name field (the name in the raw
-// object - the modified name - not the unmodified name
-// in the Deployment's resId).
-//
-// This process assumes that the name stored in a ResId
-// (the ResMap key) isn't modified by name transformers.
-// Name transformers should only modify the name in the
-// body of the resource object (the value in the ResMap).
-//
-func (t *nameReferenceTransformer) Transform(m resmap.ResMap) error {
-	// TODO: Too much looping, here and in transitive calls.
-	for _, referrer := range m.Resources() {
-		var candidates resmap.ResMap
-		for _, referralTarget := range t.backRefs {
-			for _, fSpec := range referralTarget.FieldSpecs {
-				if referrer.OrgId().IsSelected(&fSpec.Gvk) {
-					if candidates == nil {
-						// This excludes objects from other namespaces.
-						// In most realistic uses, it returns all elements of m,
-						// (since they're all in the same namespace).
-						candidates = m.SubsetThatCouldBeReferencedByResource(referrer)
-					}
-					// One way to get here is with, say, a referrer that's an
-					// HPA, and a target that's a Deployment (one of the
-					// Deployment's fieldSpecs selects an HPA).  Now we look
-					// through the candidates to see if one is a Deployment
-					// (the target), and if so, get the Deployment's name and
-					// write it into the referrer, at the field specfied in
-					// fSpec.
-					err := referrer.ApplyFilter(nameref.Filter{
-						Referrer:           referrer,
-						NameFieldToUpdate:  fSpec,
-						ReferralTarget:     referralTarget.Gvk,
-						ReferralCandidates: candidates,
-					})
-					if err != nil {
-						return err
+// This means that a filter will need to hunt for the right Deployment,
+// obtain it's new name, and write that name into the HPA's
+// 'spec/scaleTargetRef/name' field. Return a filter that can do that.
+func (t *nameReferenceTransformer) determineFilters(
+	resources []*resource.Resource) (fMap filterMap) {
+
+	// We cache the resource OrgId values because they don't change and otherwise are very visible in a memory pprof
+	resourceOrgIds := make([]resid.ResId, len(resources))
+	for i, resource := range resources {
+		resourceOrgIds[i] = resource.OrgId()
+	}
+
+	fMap = make(filterMap)
+	for _, backReference := range t.backRefs {
+		for _, referrerSpec := range backReference.Referrers {
+			for i, res := range resources {
+				if resourceOrgIds[i].IsSelected(&referrerSpec.Gvk) {
+					// If this is true, the res might be a referrer, and if
+					// so, the name reference it holds might need an update.
+					if resHasField(res, referrerSpec.Path) {
+						// Optimization - the referrer has the field
+						// that might need updating.
+						fMap[res] = append(fMap[res], nameref.Filter{
+							// Name field to write in the Referrer.
+							// If the path specified here isn't found in
+							// the Referrer, nothing happens (no error,
+							// no field creation).
+							NameFieldToUpdate: referrerSpec,
+							// Specification of object class to read from.
+							// Always read from metadata/name field.
+							ReferralTarget: backReference.Gvk,
+						})
 					}
 				}
 			}
 		}
 	}
-	return nil
+	return fMap
+}
+
+// TODO: check res for field existence here to avoid extra work.
+// res.GetFieldValue, which uses yaml.Lookup under the hood, doesn't know
+// how to parse fieldspec-style paths that make no distinction
+// between maps and sequences.  This means it cannot lookup commonly
+// used "indeterminate" paths like
+//    spec/containers/env/valueFrom/configMapKeyRef/name
+// ('containers' is a list, not a map).
+// However, the fieldspec filter does know how to handle this;
+// extract that code and call it here?
+func resHasField(res *resource.Resource, path string) bool {
+	return true
+	// fld := strings.Join(utils.PathSplitter(path), ".")
+	// _, e := res.GetFieldValue(fld)
+	// return e == nil
 }

api/internal/accumulator/namereferencetransformer_test.go

@@ -9,11 +9,13 @@ import (
 
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/provider"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	resmaptest_test "sigs.k8s.io/kustomize/api/testutils/resmaptest"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
+const notEqualErrFmt = "expected (self) doesn't match actual (other): %v"
+
 func TestNameReferenceHappyRun(t *testing.T) {
 	m := resmaptest_test.NewRmBuilderDefault(t).AddWithName(
 		"cm1",
@@ -470,7 +472,7 @@ func TestNameReferenceHappyRun(t *testing.T) {
 	}
 
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }
 
@@ -518,7 +520,10 @@ func TestNameReferenceUnhappyRun(t *testing.T) {
 						},
 					},
 				}).ResMap(),
-			expectedErr: "cannot find field 'name' in node"},
+			expectedErr: `updating name reference in 'rules/resourceNames' field of 'ClusterRole.v1.rbac.authorization.k8s.io/cr.[noNs]': ` +
+				`considering field 'rules/resourceNames' of object ClusterRole.v1.rbac.authorization.k8s.io/cr.[noNs]: visit traversal on ` +
+				`path: [resourceNames]: path config error; no 'name' field in node`,
+		},
 	}
 
 	nrt := newNameReferenceTransformer(builtinconfig.MakeDefaultConfig().NameReference)
@@ -529,7 +534,7 @@ func TestNameReferenceUnhappyRun(t *testing.T) {
 		}
 
 		if !strings.Contains(err.Error(), test.expectedErr) {
-			t.Fatalf("Incorrect error.\nExpected: %s, but got %v",
+			t.Fatalf("Incorrect error.\nExpected:\n %s\nGot:\n%v",
 				test.expectedErr, err)
 		}
 	}
@@ -587,7 +592,7 @@ func TestNameReferencePersistentVolumeHappyRun(t *testing.T) {
 	v2.AppendRefBy(c2.CurId())
 
 	if err := m1.ErrorIfNotEqualLists(m2); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }
 
@@ -723,7 +728,7 @@ func TestNameReferenceNamespace(t *testing.T) {
 
 	m.RemoveBuildAnnotations()
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }
 
@@ -871,9 +876,9 @@ func TestNameReferenceClusterWide(t *testing.T) {
 			}).ResMap()
 
 	clusterRoleId := resid.NewResId(
-		resid.Gvk{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRole"}, modifiedname)
+		resid.NewGvk("rbac.authorization.k8s.io", "v1", "ClusterRole"), modifiedname)
 	clusterRoleBindingId := resid.NewResId(
-		resid.Gvk{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBinding"}, modifiedname)
+		resid.NewGvk("rbac.authorization.k8s.io", "v1", "ClusterRoleBinding"), modifiedname)
 	clusterRole, _ := expected.GetByCurrentId(clusterRoleId)
 	clusterRole.AppendRefBy(clusterRoleBindingId)
 
@@ -883,9 +888,11 @@ func TestNameReferenceClusterWide(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 
+	expected.RemoveBuildAnnotations()
 	m.RemoveBuildAnnotations()
+
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }
 
@@ -998,9 +1005,11 @@ func TestNameReferenceNamespaceTransformation(t *testing.T) {
 			}).ResMap()
 
 	clusterRoleId := resid.NewResId(
-		resid.Gvk{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRole"}, modifiedname)
+		resid.NewGvk("rbac.authorization.k8s.io", "v1", "ClusterRole"),
+		modifiedname)
 	clusterRoleBindingId := resid.NewResId(
-		resid.Gvk{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBinding"}, modifiedname)
+		resid.NewGvk("rbac.authorization.k8s.io", "v1", "ClusterRoleBinding"),
+		modifiedname)
 	clusterRole, _ := expected.GetByCurrentId(clusterRoleId)
 	clusterRole.AppendRefBy(clusterRoleBindingId)
 
@@ -1012,7 +1021,7 @@ func TestNameReferenceNamespaceTransformation(t *testing.T) {
 
 	m.RemoveBuildAnnotations()
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }
 
@@ -1049,6 +1058,6 @@ func TestNameReferenceCandidateSelection(t *testing.T) {
 
 	m.RemoveBuildAnnotations()
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
-		t.Fatalf("actual doesn't match expected: %v", err)
+		t.Fatalf(notEqualErrFmt, err)
 	}
 }

api/internal/accumulator/refvartransformer_test.go

@@ -7,11 +7,10 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/konfig"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	resmaptest_test "sigs.k8s.io/kustomize/api/testutils/resmaptest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 func TestRefVarTransformer(t *testing.T) {
@@ -24,14 +23,12 @@ func TestRefVarTransformer(t *testing.T) {
 		res    resmap.ResMap
 		unused []string
 	}
-	testCases := []struct {
-		description string
-		given       given
-		expected    expected
-		errMessage  string
+	testCases := map[string]struct {
+		given      given
+		expected   expected
+		errMessage string
 	}{
-		{
-			description: "var replacement in map[string]",
+		"var replacement in map[string]": {
 			given: given{
 				varMap: map[string]interface{}{
 					"FOO": "replacementForFoo",
@@ -106,8 +103,7 @@ func TestRefVarTransformer(t *testing.T) {
 				unused: []string{"BAR"},
 			},
 		},
-		{
-			description: "var replacement panic in map[string]",
+		"var replacement panic in map[string]": {
 			given: given{
 				varMap: map[string]interface{}{},
 				fs: []types.FieldSpec{
@@ -124,22 +120,9 @@ func TestRefVarTransformer(t *testing.T) {
 							"slice": []interface{}{5}, // noticeably *not* a []string
 						}}).ResMap(),
 			},
-			// TODO(#3304): DECISION - kyaml better; not a bug.
-			errMessage: konfig.IfApiMachineryElseKyaml(
-				`obj '{"apiVersion": "v1", "data": {"slice": [5]}, "kind": "ConfigMap", "metadata": {"name": "cm1"}}
-' at path 'data/slice': invalid value type expect a string`,
-				`obj 'apiVersion: v1
-data:
-  slice:
-  - 5
-kind: ConfigMap
-metadata:
-  name: cm1
-' at path 'data/slice': invalid value type expect a string`,
-			),
+			errMessage: `considering field 'data/slice' of object ConfigMap.v1.[noGrp]/cm1.[noNs]: invalid value type expect a string`,
 		},
-		{
-			description: "var replacement in nil",
+		"var replacement in nil": {
 			given: given{
 				varMap: map[string]interface{}{},
 				fs: []types.FieldSpec{
@@ -171,20 +154,18 @@ metadata:
 		},
 	}
 
-	for _, tc := range testCases {
-		t.Run(tc.description, func(t *testing.T) {
-			// arrange
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
 			tr := newRefVarTransformer(tc.given.varMap, tc.given.fs)
-
-			// act
 			err := tr.Transform(tc.given.res)
-
-			// assert
 			if tc.errMessage != "" {
 				if err == nil {
 					t.Fatalf("missing expected error %v", tc.errMessage)
 				} else if err.Error() != tc.errMessage {
-					t.Fatalf("actual error doesn't match expected error: \nACTUAL: %v\nEXPECTED: %v", err.Error(), tc.errMessage)
+					t.Fatalf(`actual error doesn't match expected error:
+ACTUAL: %v
+EXPECTED: %v`,
+						err.Error(), tc.errMessage)
 				}
 			} else {
 				if err != nil {
@@ -194,7 +175,13 @@ metadata:
 				a, e := tc.given.res, tc.expected.res
 				if !reflect.DeepEqual(a, e) {
 					err = e.ErrorIfNotEqualLists(a)
-					t.Fatalf("actual doesn't match expected: \nACTUAL:\n%v\nEXPECTED:\n%v\nERR: %v", a, e, err)
+					t.Fatalf(`actual doesn't match expected:
+ACTUAL:
+%v
+EXPECTED:
+%v
+ERR: %v`,
+						a, e, err)
 				}
 			}
 		})

api/internal/accumulator/resaccumulator.go

@@ -9,9 +9,9 @@ import (
 	"strings"
 
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 // ResAccumulator accumulates resources and the rules
@@ -72,12 +72,12 @@ func (ra *ResAccumulator) MergeVars(incoming []types.Var) error {
 	for _, v := range incoming {
 		targetId := resid.NewResIdWithNamespace(v.ObjRef.GVK(), v.ObjRef.Name, v.ObjRef.Namespace)
 		idMatcher := targetId.GvknEquals
-		if targetId.Namespace != "" || !targetId.IsNamespaceableKind() {
+		if targetId.Namespace != "" || targetId.IsClusterScoped() {
 			// Preserve backward compatibility. An empty namespace means
 			// wildcard search on the namespace hence we still use GvknEquals
 			idMatcher = targetId.Equals
 		}
-		matched := ra.resMap.GetMatchingResourcesByOriginalId(idMatcher)
+		matched := ra.resMap.GetMatchingResourcesByAnyId(idMatcher)
 		if len(matched) > 1 {
 			return fmt.Errorf(
 				"found %d resId matches for var %s "+
@@ -107,6 +107,7 @@ func (ra *ResAccumulator) findVarValueFromResources(v types.Var) (interface{}, e
 	for _, res := range ra.resMap.Resources() {
 		for _, varName := range res.GetRefVarNames() {
 			if varName == v.Name {
+				//nolint: staticcheck
 				s, err := res.GetFieldValue(v.FieldRef.FieldPath)
 				if err != nil {
 					return "", fmt.Errorf(
@@ -167,3 +168,23 @@ func (ra *ResAccumulator) FixBackReferences() (err error) {
 	return ra.Transform(
 		newNameReferenceTransformer(ra.tConfig.NameReference))
 }
+
+// Intersection drops the resources which "other" does not have.
+func (ra *ResAccumulator) Intersection(other resmap.ResMap) error {
+	for _, curId := range ra.resMap.AllIds() {
+		toDelete := true
+		for _, otherId := range other.AllIds() {
+			if otherId == curId {
+				toDelete = false
+				break
+			}
+		}
+		if toDelete {
+			err := ra.resMap.Remove(curId)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

api/internal/accumulator/resaccumulator_test.go

@@ -10,14 +10,15 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/accumulator"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/provider"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	resmaptest_test "sigs.k8s.io/kustomize/api/testutils/resmaptest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
 func makeResAccumulator(t *testing.T) *ResAccumulator {
@@ -224,20 +225,26 @@ func TestResolveVarConflicts(t *testing.T) {
 	// create accumulators holding apparently conflicting vars that are not
 	// actually in conflict because they point to the same concrete value.
 	rm0 := resmap.New()
-	rm0.Append(rf.FromMap(fooAws))
+	err := rm0.Append(rf.FromMap(fooAws))
+	require.NoError(t, err)
 	ac0 := MakeEmptyAccumulator()
-	ac0.AppendAll(rm0)
-	ac0.MergeVars([]types.Var{varFoo})
+	err = ac0.AppendAll(rm0)
+	require.NoError(t, err)
+	err = ac0.MergeVars([]types.Var{varFoo})
+	require.NoError(t, err)
 
 	rm1 := resmap.New()
-	rm1.Append(rf.FromMap(barAws))
+	err = rm1.Append(rf.FromMap(barAws))
+	require.NoError(t, err)
 	ac1 := MakeEmptyAccumulator()
-	ac1.AppendAll(rm1)
-	ac1.MergeVars([]types.Var{varBar})
+	err = ac1.AppendAll(rm1)
+	require.NoError(t, err)
+	err = ac1.MergeVars([]types.Var{varBar})
+	require.NoError(t, err)
 
 	// validate that two vars of the same name which reference the same concrete
 	// value do not produce a conflict.
-	err := ac0.MergeAccumulator(ac1)
+	err = ac0.MergeAccumulator(ac1)
 	if err == nil {
 		t.Fatalf("see bug gh-1600")
 	}
@@ -246,10 +253,13 @@ func TestResolveVarConflicts(t *testing.T) {
 	// two above (because it contains a variable whose name is used in the other
 	// accumulators AND whose concrete values are different).
 	rm2 := resmap.New()
-	rm2.Append(rf.FromMap(barGcp))
+	err = rm2.Append(rf.FromMap(barGcp))
+	require.NoError(t, err)
 	ac2 := MakeEmptyAccumulator()
-	ac2.AppendAll(rm2)
-	ac2.MergeVars([]types.Var{varBar})
+	err = ac2.AppendAll(rm2)
+	require.NoError(t, err)
+	err = ac2.MergeVars([]types.Var{varBar})
+	require.NoError(t, err)
 	err = ac1.MergeAccumulator(ac2)
 	if err == nil {
 		t.Fatalf("dupe vars w/ different concrete values should conflict")
@@ -344,20 +354,21 @@ func TestResolveVarsWithNoambiguation(t *testing.T) {
 					},
 				},
 			}}).
+		// Make it seem like this resource
+		// went through a prefix transformer.
 		Add(map[string]interface{}{
 			"apiVersion": "v1",
 			"kind":       "Service",
 			"metadata": map[string]interface{}{
-				"name": "backendOne",
+				"name": "sub-backendOne",
+				"annotations": map[string]interface{}{
+					"internal.config.kubernetes.io/previousKinds":      "Service",
+					"internal.config.kubernetes.io/previousNames":      "backendOne",
+					"internal.config.kubernetes.io/previousNamespaces": "default",
+					"internal.config.kubernetes.io/prefixes":           "sub-",
+				},
 			}}).ResMap()
 
-	// Make it seem like this resource
-	// went through a prefix transformer.
-	r := m.GetByIndex(1)
-	r.AddNamePrefix("sub-")
-	r.SetName("sub-backendOne")
-	r.SetOriginalName("backendOne", true)
-
 	err = ra2.AppendAll(m)
 	if err != nil {
 		t.Fatalf("unexpected err: %v", err)
@@ -399,7 +410,8 @@ func find(name string, resMap resmap.ResMap) *resource.Resource {
 func getCommand(r *resource.Resource) string {
 	var m map[string]interface{}
 	var c []interface{}
-	m, _ = r.Map()["spec"].(map[string]interface{})
+	resourceMap, _ := r.Map()
+	m, _ = resourceMap["spec"].(map[string]interface{})
 	m, _ = m["template"].(map[string]interface{})
 	m, _ = m["spec"].(map[string]interface{})
 	c, _ = m["containers"].([]interface{})

api/internal/builtins/AnnotationsTransformer.go

@@ -27,16 +27,10 @@ func (p *AnnotationsTransformerPlugin) Transform(m resmap.ResMap) error {
 	if len(p.Annotations) == 0 {
 		return nil
 	}
-	for _, r := range m.Resources() {
-		err := r.ApplyFilter(annotations.Filter{
-			Annotations: p.Annotations,
-			FsSlice:     p.FieldSpecs,
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+	return m.ApplyFilter(annotations.Filter{
+		Annotations: p.Annotations,
+		FsSlice:     p.FieldSpecs,
+	})
 }
 
 func NewAnnotationsTransformerPlugin() resmap.TransformerPlugin {

api/internal/builtins/HashTransformer.go

@@ -11,7 +11,7 @@ import (
 )
 
 type HashTransformerPlugin struct {
-	hasher ifc.KunstructuredHasher
+	hasher ifc.KustHasher
 }
 
 func (p *HashTransformerPlugin) Config(
@@ -24,11 +24,11 @@ func (p *HashTransformerPlugin) Config(
 func (p *HashTransformerPlugin) Transform(m resmap.ResMap) error {
 	for _, res := range m.Resources() {
 		if res.NeedHashSuffix() {
-			h, err := p.hasher.Hash(res)
+			h, err := res.Hash(p.hasher)
 			if err != nil {
 				return err
 			}
-			res.SetOriginalName(res.GetName(), false)
+			res.StorePreviousId()
 			res.SetName(fmt.Sprintf("%s-%s", res.GetName(), h))
 		}
 	}

api/internal/builtins/HelmChartInflationGenerator.go

@@ -0,0 +1,339 @@
+// Code generated by pluginator on HelmChartInflationGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/imdario/mergo"
+	"github.com/pkg/errors"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// HelmChartInflationGeneratorPlugin is a plugin to generate resources
+// from a remote or local helm chart.
+type HelmChartInflationGeneratorPlugin struct {
+	h *resmap.PluginHelpers
+	types.HelmGlobals
+	types.HelmChart
+	tmpDir string
+}
+
+var KustomizePlugin HelmChartInflationGeneratorPlugin
+
+const (
+	valuesMergeOptionMerge    = "merge"
+	valuesMergeOptionOverride = "override"
+	valuesMergeOptionReplace  = "replace"
+)
+
+var legalMergeOptions = []string{
+	valuesMergeOptionMerge,
+	valuesMergeOptionOverride,
+	valuesMergeOptionReplace,
+}
+
+// Config uses the input plugin configurations `config` to setup the generator
+// options
+func (p *HelmChartInflationGeneratorPlugin) Config(
+	h *resmap.PluginHelpers, config []byte) (err error) {
+	if h.GeneralConfig() == nil {
+		return fmt.Errorf("unable to access general config")
+	}
+	if !h.GeneralConfig().HelmConfig.Enabled {
+		return fmt.Errorf("must specify --enable-helm")
+	}
+	if h.GeneralConfig().HelmConfig.Command == "" {
+		return fmt.Errorf("must specify --helm-command")
+	}
+	p.h = h
+	if err = yaml.Unmarshal(config, p); err != nil {
+		return
+	}
+	return p.validateArgs()
+}
+
+// This uses the real file system since tmpDir may be used
+// by the helm subprocess.  Cannot use a chroot jail or fake
+// filesystem since we allow the user to use previously
+// downloaded charts.  This is safe since this plugin is
+// owned by kustomize.
+func (p *HelmChartInflationGeneratorPlugin) establishTmpDir() (err error) {
+	if p.tmpDir != "" {
+		// already done.
+		return nil
+	}
+	p.tmpDir, err = ioutil.TempDir("", "kustomize-helm-")
+	return err
+}
+
+func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) {
+	if p.Name == "" {
+		return fmt.Errorf("chart name cannot be empty")
+	}
+
+	// ChartHome might be consulted by the plugin (to read
+	// values files below it), so it must be located under
+	// the loader root (unless root restrictions are
+	// disabled, in which case this can be an absolute path).
+	if p.ChartHome == "" {
+		p.ChartHome = "charts"
+	}
+
+	// The ValuesFile may be consulted by the plugin, so it must
+	// be under the loader root (unless root restrictions are
+	// disabled).
+	if p.ValuesFile == "" {
+		p.ValuesFile = filepath.Join(p.ChartHome, p.Name, "values.yaml")
+	}
+
+	if err = p.errIfIllegalValuesMerge(); err != nil {
+		return err
+	}
+
+	// ConfigHome is not loaded by the plugin, and can be located anywhere.
+	if p.ConfigHome == "" {
+		if err = p.establishTmpDir(); err != nil {
+			return errors.Wrap(
+				err, "unable to create tmp dir for HELM_CONFIG_HOME")
+		}
+		p.ConfigHome = filepath.Join(p.tmpDir, "helm")
+	}
+	return nil
+}
+
+func (p *HelmChartInflationGeneratorPlugin) errIfIllegalValuesMerge() error {
+	if p.ValuesMerge == "" {
+		// Use the default.
+		p.ValuesMerge = valuesMergeOptionOverride
+		return nil
+	}
+	for _, opt := range legalMergeOptions {
+		if p.ValuesMerge == opt {
+			return nil
+		}
+	}
+	return fmt.Errorf("valuesMerge must be one of %v", legalMergeOptions)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) absChartHome() string {
+	if filepath.IsAbs(p.ChartHome) {
+		return p.ChartHome
+	}
+	return filepath.Join(p.h.Loader().Root(), p.ChartHome)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) runHelmCommand(
+	args []string) ([]byte, error) {
+	stdout := new(bytes.Buffer)
+	stderr := new(bytes.Buffer)
+	cmd := exec.Command(p.h.GeneralConfig().HelmConfig.Command, args...)
+	cmd.Stdout = stdout
+	cmd.Stderr = stderr
+	env := []string{
+		fmt.Sprintf("HELM_CONFIG_HOME=%s", p.ConfigHome),
+		fmt.Sprintf("HELM_CACHE_HOME=%s/.cache", p.ConfigHome),
+		fmt.Sprintf("HELM_DATA_HOME=%s/.data", p.ConfigHome)}
+	cmd.Env = append(os.Environ(), env...)
+	err := cmd.Run()
+	if err != nil {
+		helm := p.h.GeneralConfig().HelmConfig.Command
+		err = errors.Wrap(
+			fmt.Errorf(
+				"unable to run: '%s %s' with env=%s (is '%s' installed?)",
+				helm, strings.Join(args, " "), env, helm),
+			stderr.String(),
+		)
+	}
+	return stdout.Bytes(), err
+}
+
+// createNewMergedValuesFile replaces/merges original values file with ValuesInline.
+func (p *HelmChartInflationGeneratorPlugin) createNewMergedValuesFile() (
+	path string, err error) {
+	if p.ValuesMerge == valuesMergeOptionMerge ||
+		p.ValuesMerge == valuesMergeOptionOverride {
+		if err = p.replaceValuesInline(); err != nil {
+			return "", err
+		}
+	}
+	var b []byte
+	b, err = yaml.Marshal(p.ValuesInline)
+	if err != nil {
+		return "", err
+	}
+	return p.writeValuesBytes(b)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) replaceValuesInline() error {
+	pValues, err := p.h.Loader().Load(p.ValuesFile)
+	if err != nil {
+		return err
+	}
+	chValues := make(map[string]interface{})
+	if err = yaml.Unmarshal(pValues, &chValues); err != nil {
+		return err
+	}
+	switch p.ValuesMerge {
+	case valuesMergeOptionOverride:
+		err = mergo.Merge(
+			&chValues, p.ValuesInline, mergo.WithOverride)
+	case valuesMergeOptionMerge:
+		err = mergo.Merge(&chValues, p.ValuesInline)
+	}
+	p.ValuesInline = chValues
+	return err
+}
+
+// copyValuesFile to avoid branching.  TODO: get rid of this.
+func (p *HelmChartInflationGeneratorPlugin) copyValuesFile() (string, error) {
+	b, err := p.h.Loader().Load(p.ValuesFile)
+	if err != nil {
+		return "", err
+	}
+	return p.writeValuesBytes(b)
+}
+
+// Write a absolute path file in the tmp file system.
+func (p *HelmChartInflationGeneratorPlugin) writeValuesBytes(
+	b []byte) (string, error) {
+	if err := p.establishTmpDir(); err != nil {
+		return "", fmt.Errorf("cannot create tmp dir to write helm values")
+	}
+	path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml")
+	return path, ioutil.WriteFile(path, b, 0644)
+}
+
+func (p *HelmChartInflationGeneratorPlugin) cleanup() {
+	if p.tmpDir != "" {
+		os.RemoveAll(p.tmpDir)
+	}
+}
+
+// Generate implements generator
+func (p *HelmChartInflationGeneratorPlugin) Generate() (rm resmap.ResMap, err error) {
+	defer p.cleanup()
+	if err = p.checkHelmVersion(); err != nil {
+		return nil, err
+	}
+	if path, exists := p.chartExistsLocally(); !exists {
+		if p.Repo == "" {
+			return nil, fmt.Errorf(
+				"no repo specified for pull, no chart found at '%s'", path)
+		}
+		if _, err := p.runHelmCommand(p.pullCommand()); err != nil {
+			return nil, err
+		}
+	}
+	if len(p.ValuesInline) > 0 {
+		p.ValuesFile, err = p.createNewMergedValuesFile()
+	} else {
+		p.ValuesFile, err = p.copyValuesFile()
+	}
+	if err != nil {
+		return nil, err
+	}
+	var stdout []byte
+	stdout, err = p.runHelmCommand(p.templateCommand())
+	if err != nil {
+		return nil, err
+	}
+
+	rm, err = p.h.ResmapFactory().NewResMapFromBytes(stdout)
+	if err == nil {
+		return rm, nil
+	}
+	// try to remove the contents before first "---" because
+	// helm may produce messages to stdout before it
+	stdoutStr := string(stdout)
+	if idx := strings.Index(stdoutStr, "---"); idx != -1 {
+		return p.h.ResmapFactory().NewResMapFromBytes([]byte(stdoutStr[idx:]))
+	}
+	return nil, err
+}
+
+func (p *HelmChartInflationGeneratorPlugin) templateCommand() []string {
+	args := []string{"template"}
+	if p.ReleaseName != "" {
+		args = append(args, p.ReleaseName)
+	}
+	if p.Namespace != "" {
+		args = append(args, "--namespace", p.Namespace)
+	}
+	args = append(args, filepath.Join(p.absChartHome(), p.Name))
+	if p.ValuesFile != "" {
+		args = append(args, "--values", p.ValuesFile)
+	}
+	if p.ReleaseName == "" {
+		// AFAICT, this doesn't work as intended due to a bug in helm.
+		// See https://github.com/helm/helm/issues/6019
+		// I've tried placing the flag before and after the name argument.
+		args = append(args, "--generate-name")
+	}
+	if p.IncludeCRDs {
+		args = append(args, "--include-crds")
+	}
+	return args
+}
+
+func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string {
+	args := []string{
+		"pull",
+		"--untar",
+		"--untardir", p.absChartHome(),
+		"--repo", p.Repo,
+		p.Name}
+	if p.Version != "" {
+		args = append(args, "--version", p.Version)
+	}
+	return args
+}
+
+// chartExistsLocally will return true if the chart does exist in
+// local chart home.
+func (p *HelmChartInflationGeneratorPlugin) chartExistsLocally() (string, bool) {
+	path := filepath.Join(p.absChartHome(), p.Name)
+	s, err := os.Stat(path)
+	if err != nil {
+		return "", false
+	}
+	return path, s.IsDir()
+}
+
+// checkHelmVersion will return an error if the helm version is not V3
+func (p *HelmChartInflationGeneratorPlugin) checkHelmVersion() error {
+	stdout, err := p.runHelmCommand([]string{"version", "-c", "--short"})
+	if err != nil {
+		return err
+	}
+	r, err := regexp.Compile(`v?\d+(\.\d+)+`)
+	if err != nil {
+		return err
+	}
+	v := r.FindString(string(stdout))
+	if v == "" {
+		return fmt.Errorf("cannot find version string in %s", string(stdout))
+	}
+	if v[0] == 'v' {
+		v = v[1:]
+	}
+	majorVersion := strings.Split(v, ".")[0]
+	if majorVersion != "3" {
+		return fmt.Errorf("this plugin requires helm V3 but got v%s", v)
+	}
+	return nil
+}
+
+func NewHelmChartInflationGeneratorPlugin() resmap.GeneratorPlugin {
+	return &HelmChartInflationGeneratorPlugin{}
+}

api/internal/builtins/IAMPolicyGenerator.go

@@ -0,0 +1,33 @@
+// Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/iampolicygenerator"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type IAMPolicyGeneratorPlugin struct {
+	types.IAMPolicyGeneratorArgs
+}
+
+func (p *IAMPolicyGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.IAMPolicyGeneratorArgs = types.IAMPolicyGeneratorArgs{}
+	err = yaml.Unmarshal(config, p)
+	return
+}
+
+func (p *IAMPolicyGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	r := resmap.New()
+	err := r.ApplyFilter(iampolicygenerator.Filter{
+		IAMPolicyGenerator: p.IAMPolicyGeneratorArgs,
+	})
+	return r, err
+}
+
+func NewIAMPolicyGeneratorPlugin() resmap.GeneratorPlugin {
+	return &IAMPolicyGeneratorPlugin{}
+}

api/internal/builtins/ImageTagTransformer.go

@@ -0,0 +1,41 @@
+// Code generated by pluginator on ImageTagTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/imagetag"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Find matching image declarations and replace
+// the name, tag and/or digest.
+type ImageTagTransformerPlugin struct {
+	ImageTag   types.Image       `json:"imageTag,omitempty" yaml:"imageTag,omitempty"`
+	FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+func (p *ImageTagTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.ImageTag = types.Image{}
+	p.FieldSpecs = nil
+	return yaml.Unmarshal(c, p)
+}
+
+func (p *ImageTagTransformerPlugin) Transform(m resmap.ResMap) error {
+	if err := m.ApplyFilter(imagetag.LegacyFilter{
+		ImageTag: p.ImageTag,
+	}); err != nil {
+		return err
+	}
+	return m.ApplyFilter(imagetag.Filter{
+		ImageTag: p.ImageTag,
+		FsSlice:  p.FieldSpecs,
+	})
+}
+
+func NewImageTagTransformerPlugin() resmap.TransformerPlugin {
+	return &ImageTagTransformerPlugin{}
+}

api/internal/builtins/LabelTransformer.go

@@ -27,16 +27,10 @@ func (p *LabelTransformerPlugin) Transform(m resmap.ResMap) error {
 	if len(p.Labels) == 0 {
 		return nil
 	}
-	for _, r := range m.Resources() {
-		err := r.ApplyFilter(labels.Filter{
-			Labels:  p.Labels,
-			FsSlice: p.FieldSpecs,
-		})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
+	return m.ApplyFilter(labels.Filter{
+		Labels:  p.Labels,
+		FsSlice: p.FieldSpecs,
+	})
 }
 
 func NewLabelTransformerPlugin() resmap.TransformerPlugin {

api/internal/builtins/NamespaceTransformer.go

@@ -30,16 +30,15 @@ func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error {
 		return nil
 	}
 	for _, r := range m.Resources() {
-		if r.IsEmpty() {
+		if r.IsNilOrEmpty() {
 			// Don't mutate empty objects?
 			continue
 		}
-		r.SetOriginalNs(r.GetNamespace(), false)
-		err := r.ApplyFilter(namespace.Filter{
+		r.StorePreviousId()
+		if err := r.ApplyFilter(namespace.Filter{
 			Namespace: p.Namespace,
 			FsSlice:   p.FieldSpecs,
-		})
-		if err != nil {
+		}); err != nil {
 			return err
 		}
 		matches := m.GetMatchingResourcesByCurrentId(r.CurId().Equals)

api/internal/builtins/PatchJson6902Transformer.go

@@ -12,6 +12,7 @@ import (
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/yaml"
 )
 
@@ -78,12 +79,23 @@ func (p *PatchJson6902TransformerPlugin) Transform(m resmap.ResMap) error {
 		return err
 	}
 	for _, res := range resources {
+		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
+
 		err = res.ApplyFilter(patchjson6902.Filter{
 			Patch: p.JsonOp,
 		})
 		if err != nil {
 			return err
 		}
+
+		annotations := res.GetAnnotations()
+		for key, value := range internalAnnotations {
+			annotations[key] = value
+		}
+		err = res.SetAnnotations(annotations)
+		if err != nil {
+			return err
+		}
 	}
 	return nil
 }

api/internal/builtins/PatchStrategicMergeTransformer.go

@@ -28,46 +28,48 @@ func (p *PatchStrategicMergeTransformerPlugin) Config(
 		return fmt.Errorf("empty file path and empty patch content")
 	}
 	if len(p.Paths) != 0 {
-		for _, onePath := range p.Paths {
-			// The following oddly attempts to interpret a path string as an
-			// actual patch (instead of as a path to a file containing a patch).
-			// All tests pass if this code is commented out.  This code should
-			// be deleted; the user should use the Patches field which
-			// exists for this purpose (inline patch declaration).
-			res, err := h.ResmapFactory().RF().SliceFromBytes([]byte(onePath))
-			if err == nil {
-				p.loadedPatches = append(p.loadedPatches, res...)
-				continue
-			}
-			res, err = h.ResmapFactory().RF().SliceFromPatches(
-				h.Loader(), []types.PatchStrategicMerge{onePath})
-			if err != nil {
-				return err
-			}
-			p.loadedPatches = append(p.loadedPatches, res...)
-		}
-	}
-	if p.Patches != "" {
-		res, err := h.ResmapFactory().RF().SliceFromBytes([]byte(p.Patches))
+		patches, err := loadFromPaths(h, p.Paths)
 		if err != nil {
 			return err
 		}
-		p.loadedPatches = append(p.loadedPatches, res...)
+		p.loadedPatches = append(p.loadedPatches, patches...)
+	}
+	if p.Patches != "" {
+		patches, err := h.ResmapFactory().RF().SliceFromBytes([]byte(p.Patches))
+		if err != nil {
+			return err
+		}
+		p.loadedPatches = append(p.loadedPatches, patches...)
 	}
-
 	if len(p.loadedPatches) == 0 {
 		return fmt.Errorf(
 			"patch appears to be empty; files=%v, Patch=%s", p.Paths, p.Patches)
 	}
-	// Merge the patches, looking for conflicts.
-	m, err := h.ResmapFactory().ConflatePatches(p.loadedPatches)
-	if err != nil {
-		return err
-	}
-	p.loadedPatches = m.Resources()
 	return nil
 }
 
+func loadFromPaths(
+	h *resmap.PluginHelpers,
+	paths []types.PatchStrategicMerge) (
+	result []*resource.Resource, err error) {
+	var patches []*resource.Resource
+	for _, path := range paths {
+		// For legacy reasons, attempt to treat the path string as
+		// actual patch content.
+		patches, err = h.ResmapFactory().RF().SliceFromBytes([]byte(path))
+		if err != nil {
+			// Failing that, treat it as a file path.
+			patches, err = h.ResmapFactory().RF().SliceFromPatches(
+				h.Loader(), []types.PatchStrategicMerge{path})
+			if err != nil {
+				return
+			}
+		}
+		result = append(result, patches...)
+	}
+	return
+}
+
 func (p *PatchStrategicMergeTransformerPlugin) Transform(m resmap.ResMap) error {
 	for _, patch := range p.loadedPatches {
 		target, err := m.GetById(patch.OrgId())

api/internal/builtins/PatchTransformer.go

@@ -12,6 +12,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/yaml"
 )
 
@@ -21,6 +22,7 @@ type PatchTransformerPlugin struct {
 	Path         string          `json:"path,omitempty" yaml:"path,omitempty"`
 	Patch        string          `json:"patch,omitempty" yaml:"patch,omitempty"`
 	Target       *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
+	Options      map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
 }
 
 func (p *PatchTransformerPlugin) Config(
@@ -60,6 +62,12 @@ func (p *PatchTransformerPlugin) Config(
 	}
 	if errSM == nil {
 		p.loadedPatch = patchSM
+		if p.Options["allowNameChange"] {
+			p.loadedPatch.AllowNameChange()
+		}
+		if p.Options["allowKindChange"] {
+			p.loadedPatch.AllowKindChange()
+		}
 	} else {
 		p.decodedPatch = patchJson
 	}
@@ -69,10 +77,9 @@ func (p *PatchTransformerPlugin) Config(
 func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error {
 	if p.loadedPatch == nil {
 		return p.transformJson6902(m, p.decodedPatch)
-	} else {
-		// The patch was a strategic merge patch
-		return p.transformStrategicMerge(m, p.loadedPatch)
 	}
+	// The patch was a strategic merge patch
+	return p.transformStrategicMerge(m, p.loadedPatch)
 }
 
 // transformStrategicMerge applies the provided strategic merge patch
@@ -104,13 +111,20 @@ func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpa
 		return err
 	}
 	for _, res := range resources {
-		res.SetOriginalName(res.GetName(), false)
+		res.StorePreviousId()
+		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
 		err = res.ApplyFilter(patchjson6902.Filter{
 			Patch: p.Patch,
 		})
 		if err != nil {
 			return err
 		}
+
+		annotations := res.GetAnnotations()
+		for key, value := range internalAnnotations {
+			annotations[key] = value
+		}
+		err = res.SetAnnotations(annotations)
 	}
 	return nil
 }

api/internal/builtins/PrefixTransformer.go

@@ -0,0 +1,95 @@
+// Code generated by pluginator on PrefixTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"errors"
+
+	"sigs.k8s.io/kustomize/api/filters/prefix"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Add the given prefix to the field
+type PrefixTransformerPlugin struct {
+	Prefix     string        `json:"prefix,omitempty" yaml:"prefix,omitempty"`
+	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+var prefixFieldSpecsToSkip = types.FsSlice{
+	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
+	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
+	{Gvk: resid.Gvk{Kind: "Namespace"}},
+}
+
+func (p *PrefixTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Prefix = ""
+	p.FieldSpecs = nil
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return
+	}
+	if p.FieldSpecs == nil {
+		return errors.New("fieldSpecs is not expected to be nil")
+	}
+	return
+}
+
+func (p *PrefixTransformerPlugin) Transform(m resmap.ResMap) error {
+	// Even if the Prefix is empty we want to proceed with the
+	// transformation. This allows to add contextual information
+	// to the resources (AddNamePrefix).
+	for _, r := range m.Resources() {
+		// TODO: move this test into the filter (i.e. make a better filter)
+		if p.shouldSkip(r.OrgId()) {
+			continue
+		}
+		id := r.OrgId()
+		// current default configuration contains
+		// only one entry: "metadata/name" with no GVK
+		for _, fs := range p.FieldSpecs {
+			// TODO: this is redundant to filter (but needed for now)
+			if !id.IsSelected(&fs.Gvk) {
+				continue
+			}
+			// TODO: move this test into the filter.
+			if fs.Path == "metadata/name" {
+				// "metadata/name" is the only field.
+				// this will add a prefix to the resource
+				// even if it is empty
+
+				r.AddNamePrefix(p.Prefix)
+				if p.Prefix != "" {
+					// TODO: There are multiple transformers that can change a resource's name, and each makes a call to
+					// StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer
+					// to avoid storing intermediate names between transformations, to prevent intermediate name conflicts.
+					r.StorePreviousId()
+				}
+			}
+			if err := r.ApplyFilter(prefix.Filter{
+				Prefix:    p.Prefix,
+				FieldSpec: fs,
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (p *PrefixTransformerPlugin) shouldSkip(id resid.ResId) bool {
+	for _, path := range prefixFieldSpecsToSkip {
+		if id.IsSelected(&path.Gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewPrefixTransformerPlugin() resmap.TransformerPlugin {
+	return &PrefixTransformerPlugin{}
+}

api/internal/builtins/ReplacementTransformer.go

@@ -0,0 +1,59 @@
+// Code generated by pluginator on ReplacementTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/filters/replacement"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+// Replace values in targets with values from a source
+type ReplacementTransformerPlugin struct {
+	ReplacementList []types.ReplacementField `json:"replacements,omitempty" yaml:"replacements,omitempty"`
+	Replacements    []types.Replacement      `json:"omitempty" yaml:"omitempty"`
+}
+
+func (p *ReplacementTransformerPlugin) Config(
+	h *resmap.PluginHelpers, c []byte) (err error) {
+	p.ReplacementList = []types.ReplacementField{}
+	if err := yaml.Unmarshal(c, p); err != nil {
+		return err
+	}
+
+	for _, r := range p.ReplacementList {
+		if r.Path != "" && (r.Source != nil || len(r.Targets) != 0) {
+			return fmt.Errorf("cannot specify both path and inline replacement")
+		}
+		if r.Path != "" {
+			// load the replacement from the path
+			content, err := h.Loader().Load(r.Path)
+			if err != nil {
+				return err
+			}
+			repl := types.Replacement{}
+			if err := yaml.Unmarshal(content, &repl); err != nil {
+				return err
+			}
+			p.Replacements = append(p.Replacements, repl)
+		} else {
+			// replacement information is already loaded
+			p.Replacements = append(p.Replacements, r.Replacement)
+		}
+	}
+	return nil
+}
+
+func (p *ReplacementTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	return m.ApplyFilter(replacement.Filter{
+		Replacements: p.Replacements,
+	})
+}
+
+func NewReplacementTransformerPlugin() resmap.TransformerPlugin {
+	return &ReplacementTransformerPlugin{}
+}

api/internal/builtins/ReplicaCountTransformer.go

@@ -7,9 +7,9 @@ import (
 	"fmt"
 
 	"sigs.k8s.io/kustomize/api/filters/replicacount"
-	"sigs.k8s.io/kustomize/api/resid"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/yaml"
 )
 
@@ -31,9 +31,7 @@ func (p *ReplicaCountTransformerPlugin) Transform(m resmap.ResMap) error {
 	found := false
 	for _, fs := range p.FieldSpecs {
 		matcher := p.createMatcher(fs)
-		matchOriginal := m.GetMatchingResourcesByOriginalId(matcher)
-		resList := append(
-			matchOriginal, m.GetMatchingResourcesByCurrentId(matcher)...)
+		resList := m.GetMatchingResourcesByAnyId(matcher)
 		if len(resList) > 0 {
 			found = true
 			for _, r := range resList {

api/internal/builtins/SuffixTransformer.go

@@ -0,0 +1,95 @@
+// Code generated by pluginator on SuffixTransformer; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"errors"
+
+	"sigs.k8s.io/kustomize/api/filters/suffix"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// Add the given suffix to the field
+type SuffixTransformerPlugin struct {
+	Suffix     string        `json:"suffix,omitempty" yaml:"suffix,omitempty"`
+	FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+}
+
+var suffixFieldSpecsToSkip = types.FsSlice{
+	{Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}},
+	{Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}},
+	{Gvk: resid.Gvk{Kind: "Namespace"}},
+}
+
+func (p *SuffixTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) (err error) {
+	p.Suffix = ""
+	p.FieldSpecs = nil
+	err = yaml.Unmarshal(c, p)
+	if err != nil {
+		return
+	}
+	if p.FieldSpecs == nil {
+		return errors.New("fieldSpecs is not expected to be nil")
+	}
+	return
+}
+
+func (p *SuffixTransformerPlugin) Transform(m resmap.ResMap) error {
+	// Even if the Suffix is empty we want to proceed with the
+	// transformation. This allows to add contextual information
+	// to the resources (AddNameSuffix).
+	for _, r := range m.Resources() {
+		// TODO: move this test into the filter (i.e. make a better filter)
+		if p.shouldSkip(r.OrgId()) {
+			continue
+		}
+		id := r.OrgId()
+		// current default configuration contains
+		// only one entry: "metadata/name" with no GVK
+		for _, fs := range p.FieldSpecs {
+			// TODO: this is redundant to filter (but needed for now)
+			if !id.IsSelected(&fs.Gvk) {
+				continue
+			}
+			// TODO: move this test into the filter.
+			if fs.Path == "metadata/name" {
+				// "metadata/name" is the only field.
+				// this will add a suffix to the resource
+				// even if it is empty
+
+				r.AddNameSuffix(p.Suffix)
+				if p.Suffix != "" {
+					// TODO: There are multiple transformers that can change a resource's name, and each makes a call to
+					// StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer
+					// to avoid storing intermediate names between transformations, to prevent intermediate name conflicts.
+					r.StorePreviousId()
+				}
+			}
+			if err := r.ApplyFilter(suffix.Filter{
+				Suffix:    p.Suffix,
+				FieldSpec: fs,
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (p *SuffixTransformerPlugin) shouldSkip(id resid.ResId) bool {
+	for _, path := range suffixFieldSpecsToSkip {
+		if id.IsSelected(&path.Gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewSuffixTransformerPlugin() resmap.TransformerPlugin {
+	return &SuffixTransformerPlugin{}
+}

api/internal/conflict/factory.go

@@ -1,23 +0,0 @@
-// Copyright 2020 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package conflict
-
-import (
-	"sigs.k8s.io/kustomize/api/resid"
-	"sigs.k8s.io/kustomize/api/resource"
-)
-
-type cdFactory struct{}
-
-var _ resource.ConflictDetectorFactory = &cdFactory{}
-
-// NewFactory returns a new conflict detector factory.
-func NewFactory() resource.ConflictDetectorFactory {
-	return &cdFactory{}
-}
-
-// New returns an instance of smPatchMergeOnlyDetector.
-func (c cdFactory) New(_ resid.Gvk) (resource.ConflictDetector, error) {
-	return &smPatchMergeOnlyDetector{}, nil
-}

api/internal/conflict/smpatchmergeonlydetector.go

@@ -1,33 +0,0 @@
-// Copyright 2020 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-package conflict
-
-import (
-	"sigs.k8s.io/kustomize/api/resource"
-)
-
-// smPatchMergeOnlyDetector ignores conflicts,
-// but does real strategic merge patching.
-// This is part of an effort to eliminate dependence on
-// apimachinery package to allow kustomize integration
-// into kubectl (#2506 and #1500)
-type smPatchMergeOnlyDetector struct{}
-
-var _ resource.ConflictDetector = &smPatchMergeOnlyDetector{}
-
-func (c *smPatchMergeOnlyDetector) HasConflict(
-	_, _ *resource.Resource) (bool, error) {
-	return false, nil
-}
-
-// There's at least one case that doesn't work.  Suppose one has a
-// Deployment with a volume with the bizarre "emptyDir: {}" entry.
-// If you want to get rid of this entry via a patch containing
-// the entry "emptyDir: null", then the following won't work,
-// because null entries are eliminated.
-func (c *smPatchMergeOnlyDetector) MergePatches(
-	r, patch *resource.Resource) (*resource.Resource, error) {
-	err := r.ApplySmPatch(patch)
-	return r, err
-}

api/internal/crawl/README.md

@@ -1,428 +0,0 @@
-## What is this?
-### In short
-Be the GoDoc.org of k8s configuration files.
-
-### More explicitly
-Support k8s document indexing from open-source configurations in order to make
-it easy for people to learn to use a new feature, explore k8s configs in a
-central hub, and see some metrics about kustomize use.
-
-We want people to be able to support three main classes of queries:
-
-1. Structured document queries: how should I use the following fields
-   - Grace periods: `spec:template:spec:terminationGracePeriod`?
-   - Kustomize inline patch: `patches:patch`?
-
-2. Key value queries: how should I use this more specific use case of a
-   structure configuration.
-   - HorizontalPodAutoScalers: `kind=HorizontalPodAutoScaler`?
-   - Patches on StatefulSets: `patches:target:kind=StatefulSet`?
-
-3. Full text search: search the comments and the document text from any
-   type of k8s config file.
-
-## Road map
-There is a lot that can be added in order to improve the state of this
-application. Some more details along with general thoughts and comments can be
-found in the Roadmap.md file in this directory. This README contains only
-what can be considered as mostly complete and iterable parts of this project.
-
-## Running this project
-Everything is configured using kubernetes, so it should be easy for people to
-spin this up on any k8s cluster. Everything should just work (TM).
-
-The config files live in the `config` directory.
-
-```
-config
-├── base
-│   └── kustomization.yaml
-├── crawler
-│   ├── base
-│   │   ├── github_api_secret.txt
-│   │   └── kustomization.yaml
-│   ├── cronjob
-│   │   ├── cronjob.yaml
-│   │   └── kustomization.yaml
-│   └── job
-│       ├── job.yaml
-│       └── kustomization.yaml
-├── elastic
-│   └── ...
-├── redis
-│   ├── document_keystore
-│   │   ├── kustomization.yaml
-│   │   ├── redis.yaml
-│   │   └── service.yaml
-│   └── http_cache
-│       ├── kustomization.yaml
-│       ├── redis.yaml
-│       └── service.yaml
-├── webapp
-│   ├── backend
-│   │   ├── deployment.yaml
-│   │   ├── kustomization.yaml
-│   │   └── service.yaml
-│   └── frontend
-│       ├── deployment.yaml
-│       ├── kustomization.yaml
-│       └── service.yaml
-└── schema_files
-    └── kustomization_index
-        ├── es_index_mappings.json
-        └── es_index_settings.json
-```
-
-To get everything up and running you have to:
-
-1. Get some instance of elasticsearch working... and configure the
-   configmapGenerator in `config/base` to point to the right endpoint(s). The
-   configurations that need this value to be populated are the following:
-    - `config/crawler/cronjob` to run periodic crawls.
-    - `config/crawler/job` to run crawls on demand.
-    - `config/webapp/backend` to run the search server.
-
-2. Configure the elasticsearch indices:
-```
-kustomize build config/schema_files/kustomization_index | kubectl apply -f -
-```
-This will run a `curl` command that reads json data from a ConfigMap. This will
-setup the schema.  If you want to make more complex modifications to the
-schema, you should refer to the elastic docs to figure out whether the mapping
-can be added to the current index, or whether you will need to copy the
-existing index into a different one with the appropriate mappings. Modifications
-can be made by using the elasticsearch go library and writing a simple program,
-or it can be made with any http command to the appropriate server endpoint from
-within the cluster. Unfortunately I did not have the time to write a few helper
-tools for this. Feel free to contact me if you need help with modifying
-elasticsearch configs, I'm by no means an expert, but I can try to help.
-
-3. (Optional) run the redis http chache for the crawler:
-```
-kubectl apply -k config/redis/http_cache
-```
-  This will create a deployment for the cache, and a service. The crawler should
-  be configured to connect to the `http_cache` if it exists, but you can always
-  check the logs to make sure it connects, and that the identifiers match in the
-  crawler configuration and for the service endpoint.
-
-  The please be aware that the cache does not have a persistent volume.
-
-4. Configure the main redis instance:
-```
-kubectl apply -k config/redis/document_keystore
-```
-  This will create a StatefulSet with a volume of 4GiB for a redis instance.
-
-5. Get an access token from GitHub.
-
-To be able to kindly ask GitHub for it's data on k8s config files, you'll need
-to create an access\_token. From my understanding, this is the only way to do
-these code search queries (without first specifying a repository).
-
-To generate a token, go to your GitHub's account in Settings > Developer
-Settings > Personal access tokens. It should look like this.
-
-![GitHub Token 1](
-https://sigs.k8s.io/kustomize/internal/tools/pictures/github_token.png)
-
-From here you want to generate a new token and  have the following
-configuration:
-
-![GitHub Token 1](
-https://sigs.k8s.io/kustomize/internal/tools/pictures/token_config.png)
-
-If you have uses for any other data from this token, (org data, or something
-else) you can pick and choose, but be careful since it can grant this
-application access to your notifications, etc. However, any such extension
-is explicitly a non-goal and would not be maintained by this project.
-
-6. Launch the crawler:
-```
-kustomize build config/crawler/cronjob | kubectl apply -f -
-```
-This will periodically run the crawler every day according to the cron timing
-rules in the cronjob.yaml file.
-
-Instead, to get the crawler running now, you can run:
-```
-kustomize build config/crawler/cronjob | kubectl apply -f -
-```
-which will launch a non-periodic version of the crawler. It will take a few
-minutes for the crawler to split the search, but then config files should
-start to get populated within 20 minutes. It may take a while to do the
-first crawl, since it has to fetch rate-limited endpoints for each new file it
-finds. It should get significantly faster to update in the future.
-
-5. Launch the search backend
-```
-kustomize build config/webapp/backend | kubectl apply -f -
-```
-
-6. Launch the search frontend
-```
-kustomize build config/webapp/frontend | kubectl apply -f -
-```
-
-## Notes about the components
-
-### Elasticsearch
-I will add a basic working setup soon. I just did the lazy thing and used an
-already packaged solution. Most clouds will provide their own elastic
-environments, however, Elasticsearch is also working on their own
-implementation of a
-![k8s operator](https://www.elastic.co/elasticsearch-kubernetes), which might
-be worth checking out. Please note that it comes with its own license
-agreement.
-
-### Redis
-There are two Redis instances that are used in this application.
-
-One of them is configured to have on disk persistence, so make sure to have
-that set up in your kubernetes cluster. Also note that it is running on a
-single master node (i.e. it does not automatically shard keys to multiple head
-nodes as part of a highly available cluster). Since it's storing a sparse
-graph, I can't imagine this being much of an issue, but it's probably worth
-mentioning.
-
-The other Redis instance is running as a HTTP (RFC 7234) cache for etags from
-GitHub (or any other document store from which we could crawl/index). This one
-does not require full persistent storage on disk. The caching strategy is an
-LRU cache which is probably a good starting point. It might be worth it to
-investigate other cache policies, but I think LRU will work well since
-documents may or may not expire anyway, and the amount of memory allocated for
-keys is fairly large, so eviction of frequently used documents seems unlikely
-anyway.
-
-### Nginx + Angular
-There is a Dockerfile included for generating the container image with Nginx
-(using the default package) and adding all of the supporting compiled angular
-files. Any modifications to the code-base should be compatible with this setup,
-so all that's needed is to rebuild the container image, and possibly modify
-the image tags in the k8s file.
-
-### Supporting Go binaries
-There are a few go binaries that each have their own Dockerfile to build
-containers in which to run them on k8s, namely the crawler and the search
-service. Their configurations are not optimal (read: needs to be cleaned up),
-but they are functional.
-
-## Technical details
-
-### Overall design and implementations
-
-There are a few components that are all running together in order to get
-the overall application to work smoothly. This section will provide a brief
-overview of each component with the following sections going into more details.
-
-The overall structure is outlined in the following figure:
-![overview](
-https://github.com/kubernetes-sigs/kustomize/blob/master/api/internal/crawl/pictures/token_config.png)
-
-#### Crawler
-The leftmost component consists of a crawler with an http cache of GitHub
-queries does two things, it first looks at the list of documents in
-elasticsearch and tries to update them. In doing so, it maintains a set of
-newly updated files to exclude them from other parts of the crawl.
-
-To find newly added documents, the crawler crawls any new dependencies
-introduced in the document updating step and it also queries GitHub for the
-most recently indexed kustomization.\* files. Each new file will be processed
-for efficient text queries and put into the document index. Any new dependency
-will also incur more crawl operations. Finally, a graphical
-representation of the documents and their dependencies is built in Redis to be
-used for graph algorithms such as PageRank and component analysis.
-
-#### Data library
-There are a few helper libaries for dealing with Elasticsearch, Redis and
-documents. This is not persistent, nor is it centralized. They act as small
-components that help to package common pieces of code. Eventually it may make
-sense to merge all of it together and make a proper persistent model around
-this while providing an external API for document insertion/deletion. But
-that is definitely out of scope in terms of getting this to run. However
-there are limitations with the current model in terms of minimizing the
-API surface for the different components of the application. For now this
-problem is mostly mitigated by having the query server only connected to
-a data node of the Elasticsearch cluster, but the problem of knowing what
-is accessible and what isn't is left to the programmer instead of being
-clearly and explicitly supported by the API.
-
-#### Server
-Uses the data library to communicate with the data store and answer queries.
-Processes the user entered text queries into somewhat optimized elasticsearch
-queries. Provides a few endpoints to get different metrics and to eventually
-allow for registration of remote repositories.
-
-This application has an exposing service in order to allow users of the
-application access to queries and the results.
-
-#### Nginx + Angular
-Communicates directly with the backend server to forward user queries and
-their results. Presents the results on an interface. It's still pretty simple
-looking but it seems usable (to me).
-
-
-### Crawling GitHub
-With the use of API keys, GitHub allows account owners to search for files
-using their API.
-
-The search endpoints allow for the use of metadata search
-that is fairly useful/powerful. For instance they provide a `filename:` keyword
-that permits us to look for `kustomization.yaml`, `kustomization.yml`, etc.
-This enables the fetching of a list of kustomization documents, from which
-we can get the actual content from another endpoint
-(raw.githubusercontent.com).
-
-However, the search API is fairly limited. There is a restriction to the number
-of documents that can be retrieved from this method. One possible way to
-mitigate this would be to periodically query GitHub for results, sorted by the
-last indexed time. This would allow you to collect most documents from this
-point forwards. The downside to this is that it may require a large number of
-requests to their API since you cannot know when new files will be added.
-Furthermore, there is a possibility that you would not be able to get all of
-files either, depending on the velocity of growth.
-
-The approach that was taken to mitigate this is to use the `filesize:` keyword
-and to shard the search space into contiguous buckets of appropriate size in
-order to get all of the documents. This is fairly efficient, since you can find
-a good enough way to shard the documents in
-`lg(max file size) * number of documents / 1000` API queries. Moreover, since
-queries are paginated with at most 100 results per query, this solution is
-competitive with getting the optimal (non-contiguous) sharding of result sets.
-Furthermore, filesize queries can be cached to minimize the total number of
-queries called to the API in order to shard the search space. This is done by
-querying for file size intervals that always start with 0..X and binary
-searching over the `filesize:` space. This will allow you to reuse a lot of
-queries when you're looking for the next range, since it is upper bounded and
-lower bounded to a smaller number of queries within a range that has also been
-queried. I think this is only true because filesizes are power law distributed,
-so searches will typically require less queries as they progress from left to
-right.
-
-However, this method in no way depends on intervals of the form 0..X, as
-the number of documents in the many intervals of the range search could be
-added together to also make this work. This approach just seemed simpler to
-implement, maintain, and debug so it was preferred.
-
-To get an idea of how efficient this method is, to shard the search space of
-7000 documents, it will only take ~90 API range queries which should only take
-a few minutes. While actually fetching the documents and their relevant
-metadata (creation time, etc.) will take several hours. Furthermore, this
-could be made more efficient if a prior distribution is approximated.
-This prior could be scaled to the number of documents that need to be fetched,
-and then finding a shard that has an adequate number of requests, will only
-take a few queries per shard. It could probably be supported in a constant
-number of size queries if the size of each shard is halved which shouldn't
-have terrible performance impact for the retrieval. However, there where
-more pressing things to implement. I might revisit this later.
-
-### Document Indexing and Processing
-In order to support simple text queries the structured documents must be
-processed in some way that makes searching them easy. The current method
-is to recursively traverse the map of configurations to generate each sub-path
-and each key-value pair for the leaf nodes of the recursion tree.
-
-However, note that this means that a document has to be valid yaml/json
-format in order for indexing to happen. The rest of the document is treated
-as mostly text and uses default text settings from Elasticsearch.
-
-What this means is that for the following yaml document:
-
-```yaml
-resources:
-- service.yaml
-- deployment.yaml
-
-configmapGenerator:
-- name: app-configuration
-  files:
-  - config.yaml
-
-patchesJson6902:
-- target:
-    version: v1
-    kind: StatefulSet
-    name: ss-name
-  path: ss-patch.yaml
-- target:
-    version: v1
-    kind: Deployment
-    name: dep-name
-  path: dep-patch.yaml
-```
-
-the following flattened structure would look like:
-```
-{
-  "identifiers": [
-    "resources",
-    "configmapGenerator",
-    "configmapGenerator:name",
-    "configmapGenerator:files",
-    "patchesJson6902",
-    "patchesJson6902:target",
-    "patchesJson6902:target:version",
-    "patchesJson6902:target:kind",
-    "patchesJson6902:target:name",
-    "patchesJson6902:path",
-  ],
-  "values": [
-    "resources=service.yaml",
-    "resources=deployment.yaml",
-    "configmapGenerator:name=app-configuration",
-    "configmapGenerator:files=config.yaml",
-    "patchesJson6902:target:version=v1",
-    "patchesJson6902:target:kind=StatefulSet",
-    "patchesJson6902:target:name=ss-name",
-    "patchesJson6902:path=ss-patch.yaml",
-    "patchesJson6902:target:kind=Deployment",
-    "patchesJson6902:target:name=dep-name",
-    "patchesJson6902:path=dep-patch.yaml",
-  ],
-  ...
-}
-```
-
-Note that unique paths and values are deduplicated.
-
-On the search side, exact queries will be prioritized, but the document paths
-and key=value pairs will also be analyzed with 3-grams to have some amount of
-fuzzy search. The reason that a Levenshtein-Distance was not used instead, is due
-to searching multiple fields at the same time, which is a use case where
-Elasticsearch does not support proper fuzzy searching.
-
-### Document Search
-Given a text query, each token is considered separately. Each token will be fed
-through a handful of analyzers on the Elasticsearch side, and will be compared
-with the reverse document index of each document fields. It will then determine
-the best matching documents. Text ordering is largely insignificant. This makes
-sense for the structured search, but may leave room for improvement for the
-text only search within the document.
-
-Each token _must_ be matched, so each white space character acts as a
-conjunction of individual queries. There are also ways of telling
-Elasticsearch that some things _should_ match, but I think for now it makes
-more sense to leave it as is.
-
-I think this behavior is sufficient to make the search feel fairly intuitive
-while providing support for fairly complex use cases.
-
-### Metrics Computation
-From the each kustomization document that is indexed, we can find it's
-resources that are publicly available. This includes other kustomizations.
-From this, we can build a directed graph of dependencies and reverse
-dependencies.
-
-This opens up the possibility to add a plethora of graph metrics that can
-give the project maintainers feedback and insight into how people are using
-their tools.
-
-Some of these are useful such as getting an idea for how large the dependency
-graphs actually grow in practice, and can be used to find _popular_
-kustomizations within the corpus. This lends itself to implementing PageRank
-to help bubble up popular results as good search results. I unfortunately
-did not have the time to implement the algorithm, but I do plan to revisit
-this sometime soon to add a few good and efficient implementations of useful
-graph algorithms that would be useful to have. See the Roadmap.md for a more
-complete list of features that could be added and how I think they could be
-implemented.

api/internal/crawl/ROADMAP.md

@@ -1,176 +0,0 @@
-# Road map and comments about this work
-
-From working on this project, here is a collection of thoughts and suggestions
-for future improvements. For any questions about this, or to request help do
-not hesitate to contact @damienr74 on GitHub, my email should be listed.
-
-I think this project has the potential for the K8s community to promote best
-practices. If this becomes popular, It could become easier to find
-*subjectively good* configurations. This can act as a way to guide newcomers
-to k8s config features that are easy to maintain, practical, and tested in some
-real world environment. However, a lot of work remains to be made if this is
-to happen. Extracting and ranking semantic-level information from the open
-source configuration files, is definitely not trivial, and will require a lot of
-though and consideration from the experts and the patterns that successful k8s
-project follow. This, is outside of my scope having little to no experience with
-k8s other than working on this project; however, if you have ideas I can
-probably suggest approaches in order to implement it, having worked a lot on
-this project.
-
-### Improving configuration files and container configs
-I did not have a lot of time to refactor the images to use configmaps for
-everything. This is a good thing to improve, should be fairly easy. Another
-thing that could make the user experience of launcing this could be to make all
-of the go utilities be subcommands to the same binary/container image. This
-would reduce the number of things that would have to be rebuilt, in order to get
-it running, and it would make the application (and its components) more self
-contained. (also has some disadvantages, so I'll let someone else decide.
-
-### Adding graph metrics
-From the Redis graph representation, we are able to run a multitude of graph
-algorithms (not all of which are implemented).
-
-The simplest one would be to run kruskal's algorithm to find connected
-components, and to compute graph metrics on each component. Here are some of the
-metrics that may be useful:
-
-+ Average size and histograms of the sizes of each components.
-
-+ Average size and histograms of the node with the highest in degree (rdeps) of
-  each component.
-
-+ Average size and histograms of the number of repositories in a connected
-  component.
-
-+ Any other metric that may be helpful to measure the scale of the kustomize
-  import graph.
-
-Another cool thing that may be helpful, would be to output the graph
-representation of deps/rdeps. This should be fairly easy to do with graphviz/dot
-so if anyone really wants this, I (damienr74) should be able to do it. Feel free
-to send me an email or to @ mention me in an issue.
-
-Note: dfs could also be used to find connected components, but I think union
-find is preferable, since the results can be stored and modified very
-efficiently. The only challenging part would be to implement deleting of edges
-and nodes from a component efficiently, but I know it is possible to support
-these operations with a union find structure.
-
-### Implementing PageRank
-The graph is set up to be able to efficiently compute PageRank since the edge
-weights are real valued, and the graph representation is sparse which means that
-it will fit in the memory of a single machine which will make the processing
-much more efficient.
-
-It could also be implemented as a Redis script, but I feel like there's
-something fundamentally wrong with implementing PageRank in lua. :P
-
-### Implement feature tracking
-Each day, when the crawler finds and indexes these structured documents,
-it should insert aggregate data to a separate index. This data could look like the
-following:
-
-```
-{
-  "kind": "kustomization",
-  "added_identifiers": [
-    {
-      "identifier": "some:new:k8s:feature",
-      "addedIn": [
-        "docID1",
-        "docID100",
-        "docID45",
-        ...
-      ],
-    },
-    {
-      "identifier": "another:k8s:feature",
-      "documents": [
-        ...
-      ],
-    },
-    ...
-  ]
-
-  "removed_identifiers": [
-    {
-      "identifier": "some:deprecated:field",
-      "documents": [
-        ...
-      ]
-    }
-  ]
-}
-```
-
-This would make it fairly easy to get deep insight into:
-- the speed at which things can effectively be deprecated.
-- how many people are migrating to current best practices.
-- how many documents get updated frequently/rarely.
-- detailed cross sections of growth/regression over conjunctions of features.
-- a world of possibilities.
-
-This is also something that I would be interested to work on sometime soon, so
-feel free to contact me (damienr74) or ask questions about this.
-
-As needed, it could be a good idea to also aggregate past data with a larger
-granularity. for instance each month, the past 30 days can be aggregated into
-weekish durations, And every year these weekly aggregations can be converted
-into monthly summaries depending on how much data this ends up being, and how
-much you want to pay for the storage of this data.
-
-Another cool way to compress this data would be to dynamically compress this
-data into a logarithmic number of buckets with decreasing granularity. But it
-seems like overkill for the amount of data that we'd likely get.
-
-### The UI probably needs a lot of work
-I'm not much of a UI/UX person and have little to no experience in developing
-these types of applications. If anyone with Angular experience wants to dive in
-and completely restructure the app to make the UI/UX/Code health better that
-would be greatly appreciated.
-
-### Query tuning probably still has to be adjusted
-I'm also not an expert in Elasticsearch. From what I could read in the docs,
-I think I've made sane decisions in converting user queries into meaningful
-Elasticsearch queries, but I'm sure there are a lot of improvements that remain
-to be done in order to get more accurate results.
-
-
-### Some other signals that indicate the presence of a good configuration file
-There are lots of heuristics that could be used to achieve this. Here are a
-couple in no particular order:
-
-+ Penalize for the number of yaml `---` document splits. I'm not sure what the
-  general consensus is, but I think it's better to separate them, since it
-  makes git commits less noisy, it's a trivial transformation, and it makes
-  config files smaller. However, I can understand the argument that its somewhat
-  practical to keep an overall view of the configurations together (maybe).
-
-+ Penalize the number of unique identifiers in a structured document. I think
-  this makes sense, since we don't want to have someone game the search engine
-  to match documents with every possible path from the k8s docs. PageRank might
-  help with this to some extent, but with a small corpus it would be fairly easy
-  to game.
-
-+ Assign weights to the usefulness of certain fields. It would be good to
-  promote documents that use `keyRefFromConfigMap`, liveness probes, etc.
-
-These are the main ones I can think of, but I'm sure there are a *ton* of
-ways to achieve this.
-
-If the corpus gets large enough, we might even be able to use *blockchains*,
-*machine learning*, and maybe even self-driving cars.
-
-### Add more support for indexing of other k8s/kustomize related data
-One thing that jumps to mind is the use of kustomize plugins. They are easy
-to track since they all have an unused global variable: `var KustomizePluggin`
-it would be easy to run the pluginator command and generate godocs for each
-go file with this unique identifier.
-
-For the sake of completeness, here is the full GitHub query that we can use to
-find these:
-`api.github.com/search/code?q=var+KustomizePlugin+extension%3A.go&access_token=access_token`
-
-Godoc will not show much, since most packages will be using package main, but
-using pluginator we can make it a properly named package such that Godoc would
-actually generate the relevant documentation.

api/internal/crawl/backend/search_backend.go

@@ -1,195 +0,0 @@
-package server
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/gorilla/mux"
-	"github.com/rs/cors"
-
-	"sigs.k8s.io/kustomize/api/internal/crawl/index"
-)
-
-type kustomizeSearch struct {
-	ctx context.Context
-	// Eventually pIndex *index.PlugginIndex
-	idx    *index.KustomizeIndex
-	router *mux.Router
-	log    *log.Logger
-}
-
-// New server. Creating a server does not launch it. To launch simply:
-//	srv, _ := NewKustomizeSearch(context.Backgroud())
-//	err := srv.Serve()
-//	if err != nil {
-//		// Handle server issues.
-//	}
-//
-// The server has three enpoints, two of which are functional:
-//
-// /search: processes the ?q= parameter for a text query and
-// returns a list of 10 resutls starting from the ?from= value provided,
-// with the default being zero.
-//
-// /metrics: returns overall metrics about the files indexed. Returns
-// timeseries data for kustomization files, and returns breakdown of file
-// counts by their 'kind' fields
-//
-// /register: not implemented, but meant as an endpoint for adding new
-// kustomization files to the corpus.
-func NewKustomizeSearch(ctx context.Context) (*kustomizeSearch, error) {
-	idx, err := index.NewKustomizeIndex(ctx, "kustomize")
-	if err != nil {
-		return nil, err
-	}
-
-	ks := &kustomizeSearch{
-		ctx:    ctx,
-		idx:    idx,
-		router: mux.NewRouter(),
-		log: log.New(os.Stdout, "Kustomize server: ",
-			log.LstdFlags|log.Llongfile|log.LUTC),
-	}
-
-	return ks, nil
-}
-
-// Set up common middleware and the routes for the server.
-func (ks *kustomizeSearch) routes() {
-
-	// Setup middleware.
-	ks.router.Use(func(handler http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "application/json")
-			handler.ServeHTTP(w, r)
-		})
-	})
-
-	ks.router.HandleFunc("/liveness", ks.liveness()).Methods(http.MethodGet)
-	ks.router.HandleFunc("/readiness", ks.readiness()).Methods(http.MethodGet)
-	ks.router.HandleFunc("/search", ks.search()).Methods(http.MethodGet)
-	ks.router.HandleFunc("/metrics", ks.metrics()).Methods(http.MethodGet)
-	ks.router.HandleFunc("/register", ks.register()).Methods(http.MethodPost)
-}
-
-// Start listening and serving on the provided port.
-func (ks *kustomizeSearch) Serve(port int) error {
-	ks.routes()
-	handler := cors.Default().Handler(ks.router)
-	s := &http.Server{
-		Addr:    fmt.Sprintf(":%d", port),
-		Handler: handler,
-		// Timeouts/Limits
-	}
-
-	return s.ListenAndServe()
-}
-
-// /liveness endpoint
-func (ks *kustomizeSearch) liveness() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}
-}
-
-// /readyness endpoint
-func (ks *kustomizeSearch) readiness() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		opt := index.KustomizeSearchOptions{}
-		_, err := ks.idx.Search("", opt)
-		if err != nil {
-			http.Error(w,
-				`{ "error": "could not connect to database" }`,
-				http.StatusInternalServerError)
-			return
-		}
-		w.WriteHeader(http.StatusOK)
-	}
-}
-
-// /register endpoint.
-func (ks *kustomizeSearch) register() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		http.Error(w, "not implemented", http.StatusInternalServerError)
-	}
-}
-
-// /search endpoint.
-func (ks *kustomizeSearch) search() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		values := r.URL.Query()
-
-		queries := values["q"]
-		ks.log.Println("Query: ", values)
-
-		var from int
-		fromParam := values["from"]
-		if len(fromParam) > 0 {
-			from, _ = strconv.Atoi(fromParam[0])
-			if from < 0 {
-				from = 0
-			}
-		}
-		_, noKinds := values["nokinds"]
-
-		opt := index.KustomizeSearchOptions{
-			SearchOptions: index.SearchOptions{
-				Size: 10,
-				From: from,
-			},
-			KindAggregation: !noKinds,
-		}
-
-		results, err := ks.idx.Search(strings.Join(queries, " "), opt)
-		if err != nil {
-			ks.log.Println("Error: ", err)
-			http.Error(w, fmt.Sprintf(
-				`{ "error": "could not complete the query" }`),
-				http.StatusInternalServerError)
-			return
-		}
-
-		enc := json.NewEncoder(w)
-		setIndent(enc)
-		if err = enc.Encode(results); err != nil {
-			http.Error(w, `{ "error": "failed to send back results" }`,
-				http.StatusInternalServerError)
-			return
-		}
-		return
-	}
-}
-
-// metrics endpoint.
-func (ks *kustomizeSearch) metrics() http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		res, err := ks.idx.Search("", index.KustomizeSearchOptions{
-			KindAggregation:       true,
-			TimeseriesAggregation: true,
-		})
-		if err != nil {
-			http.Error(w, `{ "error": "could not perform the search."}`,
-				http.StatusInternalServerError)
-			return
-		}
-
-		enc := json.NewEncoder(w)
-		setIndent(enc)
-		if err := enc.Encode(res); err != nil {
-			http.Error(w, `{ "error": "could not format return value" }`,
-				http.StatusInternalServerError)
-			return
-		}
-	}
-}
-
-// make json response human readable.
-func setIndent(e *json.Encoder) {
-	e.SetIndent("", "  ")
-}

api/internal/crawl/cmd/backend/Dockerfile

@@ -1,14 +0,0 @@
-FROM golang:1.11 AS build
-
-ARG GO111MODULE=on
-
-WORKDIR /go/src/sigs.k8s.io/kustomize/api/internal/crawl
-COPY . /go/src/sigs.k8s.io/kustomize/api/internal/crawl
-
-RUN go mod download
-RUN CGO_ENABLED=0 go install sigs.k8s.io/kustomize/api/internal/crawl/cmd/backend/
-
-FROM scratch
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=build /go/bin/backend /
-ENTRYPOINT ["/backend"]

api/internal/crawl/cmd/backend/main.go

@@ -1,29 +0,0 @@
-package main
-
-import (
-	"context"
-	"log"
-	"os"
-	server "sigs.k8s.io/kustomize/api/internal/crawl/backend"
-	"strconv"
-)
-
-func main() {
-	portStr := os.Getenv("PORT")
-	port, err := strconv.Atoi(portStr)
-	if portStr == "" || err != nil {
-		log.Fatalf("$PORT(%s) must be set to an integer\n", portStr)
-	}
-
-	ctx := context.Background()
-
-	ks, err := server.NewKustomizeSearch(ctx)
-	if err != nil {
-		log.Fatalf("Error creating kustomize server: %v", ks)
-	}
-
-	err = ks.Serve(port)
-	if err != nil {
-		log.Fatalf("Error while running server: %v", err)
-	}
-}

api/internal/crawl/cmd/crawler/Dockerfile

@@ -1,15 +0,0 @@
-FROM golang:1.14 AS build
-
-ARG GO111MODULE=on
-
-WORKDIR /go/src/sigs.k8s.io/kustomize/api/internal/crawl
-COPY . /go/src/sigs.k8s.io/kustomize//api/internal/crawl
-
-RUN go mod download
-RUN CGO_ENABLED=0 go install -v ./cmd/crawler/crawler.go
-
-FROM scratch
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=build /go/bin/crawler /
-ENTRYPOINT ["/crawler"]
-CMD []

api/internal/crawl/cmd/crawler/crawler.go

@@ -1,206 +0,0 @@
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"time"
-
-	"sigs.k8s.io/kustomize/api/internal/crawl/utils"
-
-	"sigs.k8s.io/kustomize/api/internal/crawl/crawler"
-	"sigs.k8s.io/kustomize/api/internal/crawl/crawler/github"
-	"sigs.k8s.io/kustomize/api/internal/crawl/doc"
-	"sigs.k8s.io/kustomize/api/internal/crawl/httpclient"
-	"sigs.k8s.io/kustomize/api/internal/crawl/index"
-
-	"github.com/gomodule/redigo/redis"
-)
-
-const (
-	githubAccessTokenVar = "GITHUB_ACCESS_TOKEN"
-	redisCacheURL        = "REDIS_CACHE_URL"
-	redisKeyURL          = "REDIS_KEY_URL"
-	retryCount           = 3
-)
-
-type CrawlMode int
-
-const (
-	CrawlUnknown CrawlMode = iota
-	// Crawl all the kustomization files in all the repositories of a Github user
-	CrawlUser
-	// Crawl all the kustomization files in a Github repo
-	CrawlRepo
-	// Crawl all the documents in the index
-	CrawlIndex
-	// Crawl all the kustomization files on Github
-	CrawlGithub
-	// Crawl all the documents in the index and crawling all the kustomization files on Github
-	CrawlIndexAndGithub
-)
-
-func NewCrawlMode(s string) CrawlMode {
-	switch s {
-	case "github-user":
-		return CrawlUser
-	case "github-repo":
-		return CrawlRepo
-	case "index+github":
-		return CrawlIndexAndGithub
-	case "index":
-		return CrawlIndex
-	case "github":
-		return CrawlGithub
-	default:
-		return CrawlUnknown
-	}
-}
-
-func main() {
-	indexNamePtr := flag.String(
-		"index", "kustomize", "The name of the ElasticSearch index.")
-	modePtr := flag.String("mode", "index+github",
-		`The crawling mode, which can be one of [github-user, github-repo, index, github, index+github].
-  * github-user: crawl all the kustomization files in all the repositories of a Github user (--github-user must be specified for this mode).
-  * github-repo: crawl all the kustomization files in a Github repository (--github-repo must be specified for this mode).
-  * index: crawl all the documents in the index.
-  * gihub: crawl all the kustomization files on Github.
-  * index+github: crawl all the documents in the index and crawling all the kustomization files on Github.`)
-	githubUserPtr := flag.String("github-user", "",
-		"A github user name (e.g., kubernetes-sigs). This flag is required for the `github-user` mode.")
-	githubRepoPtr := flag.String("github-repo", "",
-		"A github repository name (e.g., kubernetes-sigs/kustomize). This flag is required for the `github-repo` mode.")
-	flag.Parse()
-
-	githubToken := os.Getenv(githubAccessTokenVar)
-	if githubToken == "" {
-		log.Printf("Must set the variable '%s' to make github requests.\n",
-			githubAccessTokenVar)
-		return
-	}
-
-	ctx := context.Background()
-	idx, err := index.NewKustomizeIndex(ctx, *indexNamePtr)
-	if err != nil {
-		log.Printf("Could not create an index: %v\n", err)
-		return
-	}
-
-	cacheURL := os.Getenv(redisCacheURL)
-	cache, err := redis.DialURL(cacheURL)
-	clientCache := &http.Client{}
-	if err != nil {
-		log.Printf("Error: redis could not make a connection: %v\n", err)
-	} else {
-		clientCache = httpclient.NewClient(cache)
-	}
-
-	// docConverter takes in a plain document and processes it for the index.
-	docConverter := func(d *doc.Document) (crawler.CrawledDocument, error) {
-		kdoc := doc.KustomizationDocument{
-			Document: *d,
-		}
-
-		err := kdoc.ParseYAML()
-		return &kdoc, err
-	}
-
-	// Index updates the value in the index.
-	indexFunc := func(cdoc crawler.CrawledDocument, mode index.Mode) error {
-		switch d := cdoc.(type) {
-		case *doc.KustomizationDocument:
-			switch mode {
-			case index.Delete:
-				log.Printf("Deleting: %v", d)
-				return idx.Delete(d.ID())
-			default:
-				log.Printf("Inserting: %v", d)
-				return idx.Put(d.ID(), d)
-			}
-		default:
-			return fmt.Errorf("type %T not supported", d)
-		}
-	}
-
-	// seen tracks the IDs of all the documents in the index and their corresponding file types.
-	// This helps avoid indexing a given document multiple times.
-	seen := utils.NewSeenMap()
-
-	mode := NewCrawlMode(*modePtr)
-
-	ghCrawlerConstructor := func(user, repo string) crawler.Crawler {
-		if user != "" {
-			return github.NewCrawler(githubToken, retryCount, clientCache,
-				github.QueryWith(
-					github.Filename("kustomization.yaml"),
-					github.Filename("kustomization.yml"),
-					github.Filename("kustomization"),
-					github.User(user)),
-			)
-		} else if repo != "" {
-			return github.NewCrawler(githubToken, retryCount, clientCache,
-				github.QueryWith(
-					github.Filename("kustomization.yaml"),
-					github.Filename("kustomization.yml"),
-					github.Filename("kustomization"),
-					github.Repo(repo)),
-			)
-		} else {
-			return github.NewCrawler(githubToken, retryCount, clientCache,
-				github.QueryWith(
-					github.Filename("kustomization.yaml"),
-					github.Filename("kustomization.yml"),
-					github.Filename("kustomization")),
-			)
-		}
-	}
-
-	query := []byte(`{ "query":{ "match_all":{} } }`)
-	it := idx.IterateQuery(query, 10000, 60*time.Second)
-
-	switch mode {
-	case CrawlIndexAndGithub:
-		crawlers := []crawler.Crawler{ghCrawlerConstructor("", "")}
-		crawler.CrawlFromSeedIterator(ctx, it, crawlers, docConverter, indexFunc, seen)
-		crawler.CrawlGithub(ctx, crawlers, docConverter, indexFunc, seen)
-	case CrawlIndex:
-		crawlers := []crawler.Crawler{ghCrawlerConstructor("", "")}
-		crawler.CrawlFromSeedIterator(ctx, it, crawlers, docConverter, indexFunc, seen)
-	case CrawlGithub:
-		crawlers := []crawler.Crawler{ghCrawlerConstructor("", "")}
-		// add all the documents in the index into seen.
-		// this greatly reduces the time overhead of CrawlGithub.
-		for it.Next() {
-			for _, hit := range it.Value().Hits.Hits {
-				d := hit.Document.Document
-				seen.Set(d.ID(), d.FileType)
-			}
-		}
-		if err := it.Err(); err != nil {
-			log.Fatalf("Error iterating the index: %v\n", err)
-		}
-
-		crawler.CrawlGithub(ctx, crawlers, docConverter, indexFunc, seen)
-	case CrawlUser:
-		if *githubUserPtr == "" {
-			flag.Usage()
-			log.Fatalf("Please specify a github user with the github-user flag!")
-		}
-		crawlers := []crawler.Crawler{ghCrawlerConstructor(*githubUserPtr, "")}
-		crawler.CrawlGithub(ctx, crawlers, docConverter, indexFunc, seen)
-	case CrawlRepo:
-		if *githubRepoPtr == "" {
-			flag.Usage()
-			log.Fatalf("Please specify a github repository with the github-repo flag!")
-		}
-		crawlers := []crawler.Crawler{ghCrawlerConstructor("", *githubRepoPtr)}
-		crawler.CrawlGithub(ctx, crawlers, docConverter, indexFunc, seen)
-	case CrawlUnknown:
-		flag.Usage()
-		log.Fatalf("The --mode flag must be one of [github-user, github-repo, index, github, index+github].")
-	}
-}

api/internal/crawl/cmd/kustomize_stats/Dockerfile

@@ -1,14 +0,0 @@
-FROM golang:1.11 AS build
-
-ARG GO111MODULE=on
-
-WORKDIR /go/src/sigs.k8s.io/kustomize/api/internal/crawl
-COPY . /go/src/sigs.k8s.io/kustomize/api/internal/crawl
-
-RUN go mod download
-RUN CGO_ENABLED=0 go install ./cmd/kustomize_stats
-
-FROM scratch
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=build /go/bin/kustomize_stats /
-ENTRYPOINT ["/kustomize_stats"]

api/internal/crawl/cmd/kustomize_stats/main.go

@@ -1,249 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto/sha256"
-	"flag"
-	"fmt"
-	"log"
-	"sort"
-	"time"
-
-	"sigs.k8s.io/kustomize/api/internal/crawl/doc"
-
-	"sigs.k8s.io/kustomize/api/internal/crawl/index"
-)
-
-// iterateArr adds each item in arr into countMap.
-func iterateArr(arr []string, countMap map[string]int) {
-	for _, item := range arr {
-		if _, ok := countMap[item]; !ok {
-			countMap[item] = 1
-		} else {
-			countMap[item]++
-		}
-	}
-
-}
-
-// SortMapKeyByValueInt takes a map as its input, sorts its keys according to their values
-// in the map, and outputs the sorted keys as a slice.
-func SortMapKeyByValueInt(m map[string]int) []string {
-	keys := make([]string, 0, len(m))
-	for key := range m {
-		keys = append(keys, key)
-	}
-	// sort keys according to their values in the map m
-	sort.Slice(keys, func(i, j int) bool { return m[keys[i]] > m[keys[j]] })
-	return keys
-}
-
-// SortMapKeyByValue takes a map as its input, sorts its keys according to their values
-// in the map, and outputs the sorted keys as a slice.
-func SortMapKeyByValueLen(m map[string][]string) []string {
-	keys := make([]string, 0, len(m))
-	for key := range m {
-		keys = append(keys, key)
-	}
-	// sort keys according to their values in the map m
-	sort.Slice(keys, func(i, j int) bool { return len(m[keys[i]]) > len(m[keys[j]]) })
-	return keys
-}
-
-func GeneratorOrTransformerStats(docs []*doc.KustomizationDocument) {
-	n := len(docs)
-	if n == 0 {
-		return
-	}
-
-	fileType := docs[0].FileType
-	fmt.Printf("There are totally %d %s files.\n", n, fileType)
-
-	GitRepositorySummary(docs, fileType)
-
-	// key of kindToUrls: a string in the KustomizationDocument.Kinds field
-	// value of kindToUrls: a slice of string urls defining a given kind.
-	kindToUrls := make(map[string][]string)
-
-	for _, d := range docs {
-		url := fmt.Sprintf("%s/blob/%s/%s", d.RepositoryURL, d.DefaultBranch, d.FilePath)
-		for _, kind := range d.Kinds {
-			if _, ok := kindToUrls[kind]; !ok {
-				kindToUrls[kind] = []string{url}
-			} else {
-				kindToUrls[kind] = append(kindToUrls[kind], url)
-			}
-		}
-	}
-	fmt.Printf("There are totally %d kinds of %s\n", len(kindToUrls), fileType)
-	sortedKeys := SortMapKeyByValueLen(kindToUrls)
-	for _, k := range sortedKeys {
-		sort.Strings(kindToUrls[k])
-		fmt.Printf("%s kind %s appears %d times\n", fileType, k, len(kindToUrls[k]))
-		for _, url := range kindToUrls[k] {
-			fmt.Printf("%s\n", url)
-		}
-	}
-}
-
-// GitRepositorySummary counts the distribution of docs:
-// 1) how many git repositories are these docs from?
-// 2) how many docs are from each git repository?
-func GitRepositorySummary(docs []*doc.KustomizationDocument, fileType string) {
-	m := make(map[string]int)
-	for _, d := range docs {
-		if _, ok := m[d.RepositoryURL]; ok {
-			m[d.RepositoryURL]++
-		} else {
-			m[d.RepositoryURL] = 1
-		}
-	}
-	sortedKeys := SortMapKeyByValueInt(m)
-	topN := 10
-	i := 0
-	for _, k := range sortedKeys {
-		if i >= topN {
-			break
-		}
-		fmt.Printf("%d %s are from %s\n", m[k], fileType, k)
-		i++
-	}
-}
-
-func main() {
-	topKindsPtr := flag.Int(
-		"kinds", -1,
-		`the number of kubernetes object kinds to be listed according to their popularities.
-By default, all the kinds will be listed.
-If you only want to list the 10 most popular kinds, set the flag to 10.`)
-	topIdentifiersPtr := flag.Int(
-		"identifiers", -1,
-		`the number of identifiers to be listed according to their popularities.
-By default, all the identifiers will be listed.
-If you only want to list the 10 most popular identifiers, set the flag to 10.`)
-	topKustomizeFeaturesPtr := flag.Int(
-		"kustomize-features", -1,
-		`the number of kustomize features to be listed according to their popularities.
-By default, all the features will be listed.
-If you only want to list the 10 most popular features, set the flag to 10.`)
-	indexNamePtr := flag.String(
-		"index", "kustomize", "The name of the ElasticSearch index.")
-	flag.Parse()
-
-	ctx := context.Background()
-	idx, err := index.NewKustomizeIndex(ctx, *indexNamePtr)
-	if err != nil {
-		log.Fatalf("Could not create an index: %v\n", err)
-	}
-
-	// count tracks the number of documents in the index
-	count := 0
-
-	// kustomizationFilecount tracks the number of kustomization files in the index
-	kustomizationFilecount := 0
-
-	kindsMap := make(map[string]int)
-	identifiersMap := make(map[string]int)
-	kustomizeIdentifiersMap := make(map[string]int)
-
-	// ids tracks the unique IDs of the documents in the index
-	ids := make(map[string]struct{})
-
-	// generatorFiles include all the non-kustomization files whose FileType is generator
-	generatorFiles := make([]*doc.KustomizationDocument, 0)
-
-	// transformersFiles include all the non-kustomization files whose FileType is transformer
-	transformersFiles := make([]*doc.KustomizationDocument, 0)
-
-	checksums := make(map[string]int)
-
-	// get all the documents in the index
-	query := []byte(`{ "query":{ "match_all":{} } }`)
-	it := idx.IterateQuery(query, 10000, 60*time.Second)
-	for it.Next() {
-		for _, hit := range it.Value().Hits.Hits {
-			sum := fmt.Sprintf("%x", sha256.Sum256([]byte(hit.Document.DocumentData)))
-			if _, ok := checksums[sum]; ok {
-				checksums[sum]++
-			} else {
-				checksums[sum] = 1
-			}
-
-			// check whether there is any duplicate IDs in the index
-			if _, ok := ids[hit.ID]; !ok {
-				ids[hit.ID] = struct{}{}
-			} else {
-				log.Printf("Found duplicate ID (%s)\n", hit.ID)
-			}
-
-			count++
-			iterateArr(hit.Document.Kinds, kindsMap)
-			iterateArr(hit.Document.Identifiers, identifiersMap)
-
-			if doc.IsKustomizationFile(hit.Document.FilePath) {
-				kustomizationFilecount++
-				iterateArr(hit.Document.Identifiers, kustomizeIdentifiersMap)
-
-			} else {
-				switch hit.Document.FileType {
-				case "generator":
-					generatorFiles = append(generatorFiles, hit.Document.Copy())
-				case "transformer":
-					transformersFiles = append(transformersFiles, hit.Document.Copy())
-				}
-			}
-		}
-	}
-
-	if err := it.Err(); err != nil {
-		log.Fatalf("Error iterating: %v\n", err)
-	}
-
-	sortedKindsMapKeys := SortMapKeyByValueInt(kindsMap)
-	sortedIdentifiersMapKeys := SortMapKeyByValueInt(identifiersMap)
-	sortedKustomizeIdentifiersMapKeys := SortMapKeyByValueInt(kustomizeIdentifiersMap)
-
-	fmt.Printf(`The count of unique document IDs in the kustomize index: %d
-There are %d documents in the kustomize index.
-%d kinds of kubernetes objects are customized:`, len(ids), count, len(kindsMap))
-	fmt.Printf("\n")
-
-	kindCount := 0
-	for _, key := range sortedKindsMapKeys {
-		if *topKindsPtr < 0 || (*topKindsPtr >= 0 && kindCount < *topKindsPtr) {
-			fmt.Printf("\tkind `%s` is customimzed in %d documents\n", key, kindsMap[key])
-			kindCount++
-		}
-	}
-
-	fmt.Printf("%d kinds of identifiers are found:\n", len(identifiersMap))
-	identifierCount := 0
-	for _, key := range sortedIdentifiersMapKeys {
-		if *topIdentifiersPtr < 0 || (*topIdentifiersPtr >= 0 && identifierCount < *topIdentifiersPtr) {
-			fmt.Printf("\tidentifier `%s` appears in %d documents\n", key, identifiersMap[key])
-			identifierCount++
-		}
-	}
-
-	fmt.Printf(`There are %d kustomization files in the kustomize index.
-%d kinds of kustomize features are found:`, kustomizationFilecount, len(kustomizeIdentifiersMap))
-	fmt.Printf("\n")
-	kustomizeFeatureCount := 0
-	for _, key := range sortedKustomizeIdentifiersMapKeys {
-		if *topKustomizeFeaturesPtr < 0 || (*topKustomizeFeaturesPtr >= 0 && kustomizeFeatureCount < *topKustomizeFeaturesPtr) {
-			fmt.Printf("\tfeature `%s` is used in %d documents\n", key, kustomizeIdentifiersMap[key])
-			kustomizeFeatureCount++
-		}
-	}
-
-	GeneratorOrTransformerStats(generatorFiles)
-	GeneratorOrTransformerStats(transformersFiles)
-
-	fmt.Printf("There are total %d checksums of document contents\n", len(checksums))
-	sortedChecksums := SortMapKeyByValueInt(checksums)
-	sortedChecksums = sortedChecksums[:20]
-	fmt.Printf("The top 20 checksums are:\n")
-	for _, key := range sortedChecksums {
-		fmt.Printf("checksum %s apprears %d\n", key, checksums[key])
-	}
-}

api/internal/crawl/cmd/log-parser/README.md

@@ -1,8 +0,0 @@
-This binary takes as its input a json file including GKE logs (which can be
-[exported](https://cloud.google.com/logging/docs/export/configure_export_v2) into 
-[Cloud Storage](https://cloud.google.com/storage/docs/)), 
-and extracts the `textPayload` field of each log entry.
-
-Here is an log entry example:
-
-{"insertId":"1sxuh4jg5lw6w10","labels":{"compute.googleapis.com/resource_name":"gke-crawler2-default-pool-5e55ea05-gzgv","container.googleapis.com/namespace_name":"default","container.googleapis.com/pod_name":"kustomize-stats-5bczg","container.googleapis.com/stream":"stdout"},"logName":"projects/haiyanmeng-gke-dev/logs/kustomize-stats","receiveTimestamp":"2020-01-06T23:33:07.012831742Z","resource":{"labels":{"cluster_name":"crawler2","container_name":"kustomize-stats","instance_id":"8183086081854184383","namespace_id":"default","pod_id":"kustomize-stats-5bczg","project_id":"haiyanmeng-gke-dev","zone":"us-central1-a"},"type":"container"},"severity":"INFO","textPayload":"The kustomize index already exists\n","timestamp":"2020-01-06T23:32:46.628930547Z"}

api/internal/crawl/cmd/log-parser/kustomize-stats-cmd

@@ -1,7 +0,0 @@
-wget <log-file-url> -O log
-go build .
-./log-parser log >out
-cat out | grep "kind \`" | cut -d\` -f2 | tail -n 50
-cat out | grep "kind \`" | awk '{print $6}' | tail -n 50
-cat out | grep "feature \`" | grep -v "\`resources\`" | grep -v -e "\`apiVersion\`" | grep -v -e "\`apiversion\`" | cut -d\` -f2
-cat out | grep "feature \`" | grep -v "\`resources\`" | grep -v -e "\`apiVersion\`" | grep -v -e "\`apiversion\`" | awk '{print $6}'

api/internal/crawl/cmd/log-parser/main.go

@@ -1,49 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"encoding/json"
-	"fmt"
-	"log"
-	"os"
-)
-
-func main() {
-	if len(os.Args) != 2 {
-		log.Fatalf("The usage of the command is: \n\t%s <log-file.json>", os.Args[0])
-	}
-
-	file, err := os.Open(os.Args[1])
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	closeFile := func(file *os.File) {
-		if err := file.Close(); err != nil {
-			log.Fatal(err)
-		}
-	}
-	defer closeFile(file)
-
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		line := scanner.Text()
-
-		var entry interface{}
-		if err := json.Unmarshal([]byte(line), &entry); err != nil {
-			log.Printf("failed to unmarshal a log entry: %s\n", line)
-		}
-
-		m := entry.(map[string]interface{})
-		if payload, ok := m["textPayload"]; ok {
-			// use fmt.Printf here instead of log.Printf to avoid the time and code location info the log package provides
-			fmt.Printf("%s", payload)
-		} else {
-			log.Printf("the log entry does not have the `textPayload` field: %s\n", line)
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		log.Fatal(err)
-	}
-}