Update kustomize-in-kubectl chart for 1.22

Automated go.sum and fmt changes under go 1.16.6

.github/workflows/go.yml

@@ -23,7 +23,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Lint
-      run: ./scripts/kyaml-pre-commit.sh
+      run: ./hack/kyaml-pre-commit.sh
       env:
         KUSTOMIZE_DOCKER_E2E: false # don't need to do e2e tests for linting
 
@@ -45,6 +45,10 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      - name: Test api
+        run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+        working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config
@@ -69,6 +73,10 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      - name: Test api
+        run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+        working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config
@@ -93,6 +101,11 @@ jobs:
         run: go test -cover ./...
         working-directory: ./kyaml
 
+      # TODO: uncomment once Windows tests are passing.
+      # - name: Test api
+      #   run: go test -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
+      #   working-directory: ./api
+
       - name: Test cmd/config
         run: go test -cover ./...
         working-directory: ./cmd/config

CONTRIBUTING.md

@@ -20,6 +20,20 @@ We have full documentation on how to get started contributing here:
 
 - [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!
 
+## Contributor Ladder
+
+Kustomize generally follows the [Kubernetes Community Membership](https://github.com/kubernetes/community/blob/master/community-membership.md) contributor ladder. Roles are as follows:
+
+1. Contributor: Anyone who actively contributes code, issues or reviews to the project. There are no Kustomize-specific requirements for this status. All contributors must [sign the CLA](https://github.com/kubernetes/community/tree/master/contributors/guide#prerequisites).
+1. Member/Reviewer: All Kubernetes-SIGs org members have LGTM rights on the Kustomize repo. There are no Kustomize-specific requirements. Kustomize does not currently have any formal reviewers, but the role will be created if there is interest.
+1. Maintainer/Approver: Highly experienced active reviewer and contributor to Kustomize. Has both LTGM and approval rights on the Kustomize repo, as well as [Github "maintain" rights](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization#repository-access-for-each-permission-level).
+1. Admin/Owner: Maintainer who sets technical direction and makes or approves design decisions for the project. Has LGTM and approval rights on the Kustomize repo as well as [Github "admin" rights](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-permission-levels-for-an-organization#repository-access-for-each-permission-level).
+
+Administrative notes:
+- Maintainers and admins must be added to the appropriate list both [in the Kustomize repo](https://github.com/kubernetes-sigs/kustomize/blob/8049f7b1af52e8a7ec26faf6cf714f560d0043c5/OWNERS_ALIASES) and [in the community repo](https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml). If this isn't done, the individual in question will lack either PR approval rights (Kustomize list) or the appropriate Github repository permissions (community list).
+- The spec for the OWNERS file is [in the community repo](https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md).
+
+
 ## Contact Information
 
 - [Slack channel](https://kubernetes.slack.com/messages/sig-cli)

Makefile

@@ -131,6 +131,7 @@ pSrc=plugin/builtin
 _builtinplugins = \
 	AnnotationsTransformer.go \
 	ConfigMapGenerator.go \
+	IAMPolicyGenerator.go \
 	HashTransformer.go \
 	ImageTagTransformer.go \
 	LabelTransformer.go \
@@ -158,6 +159,7 @@ builtinplugins = $(patsubst %,$(pGen)/%,$(_builtinplugins))
 # that file, will be recreated.
 $(pGen)/AnnotationsTransformer.go: $(pSrc)/annotationstransformer/AnnotationsTransformer.go
 $(pGen)/ConfigMapGenerator.go: $(pSrc)/configmapgenerator/ConfigMapGenerator.go
+$(pGen)/GkeSaGenerator.go: $(pSrc)/gkesagenerator/GkeSaGenerator.go
 $(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
 $(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
 $(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go
@@ -241,10 +243,10 @@ test-unit-kustomize-all: \
 	test-unit-kustomize-plugins
 
 test-unit-cmd-all:
-	./scripts/kyaml-pre-commit.sh
+	./hack/kyaml-pre-commit.sh
 
 test-go-mod:
-	./scripts/check-go-mod.sh
+	./hack/check-go-mod.sh
 
 # Environment variables are defined at
 # https://github.com/kubernetes/test-infra/blob/master/prow/jobs.md#job-environment-variables
@@ -256,7 +258,7 @@ test-multi-module: $(MYGOBIN)/prchecker
 		export REPO_NAME=$(REPO_NAME); \
 		export PULL_NUMBER=$(PULL_NUMBER); \
 		export MODULES=$(MODULES); \
-		./scripts/check-multi-module.sh; \
+		./hack/check-multi-module.sh; \
 	)
 
 .PHONY:

OWNERS_ALIASES

@@ -1,17 +1,16 @@
+# Keep *-admins and *-maintainers list in sync with corresponding lists in
+# https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-cli/teams.yaml
 aliases:
   kustomize-admins:
+    - knverey
     - monopole
     - pwittrock
   kustomize-maintainers:
-    - droot
     - justinsb
-    - knverey
-    - monopole
     - mortent
     - natasha41575
     - phanimarupaka
-    - pwittrock
     - Shell32-Natsu
-# emeritus
-#    - liujingfang1
-#    - mengqiy
+  emeritus-maintainers:
+    - liujingfang1
+    - mengqiy

README.md

@@ -22,15 +22,22 @@ This tool is sponsored by [sig-cli] ([KEP]).
 
 The kustomize build flow at [v2.0.3] was added
 to [kubectl v1.14][kubectl announcement].  The kustomize
-flow in kubectl has remained frozen at v2.0.3 while work
-to extract kubectl from the k/k repo, and work to remove
-kustomize's dependence on core k/k code ([#2506]) has proceeded.
-The reintegration effort is tracked in [#1500] (and its blocking
-issues).
+flow in kubectl remained frozen at v2.0.3 until kubectl v1.21,
+which [updated it to v4.0.5][kust-in-kubectl update]. It will
+be updated on a regular basis going forward, and such updates
+will be reflected in the Kubernetes release notes.
+
+| Kubectl version | Kustomize version |
+| --- | --- |
+| < v1.14 | n/a |
+| v1.14-v1.20 | v2.0.3 |
+| v1.21 | v4.0.5 |
+| v1.22 | v4.2.0 |
 
 [v2.0.3]: /../../tree/v2.0.3
 [#2506]: https://github.com/kubernetes-sigs/kustomize/issues/2506
 [#1500]: https://github.com/kubernetes-sigs/kustomize/issues/1500
+[kust-in-kubectl update]: https://github.com/kubernetes/kubernetes/blob/4d75a6238a6e330337526e0513e67d02b1940b63/CHANGELOG/CHANGELOG-1.21.md#kustomize-updates-in-kubectl
 
 For examples and guides for using the kubectl integration please
 see the [kubectl book] or the [kubernetes documentation].
@@ -145,7 +152,7 @@ is governed by the [Kubernetes Code of Conduct].
 [`make`]: https://www.gnu.org/software/make
 [`sed`]: https://www.gnu.org/software/sed
 [DAM]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#declarative-application-management
-[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/0008-kustomize.md
+[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cli/2377-Kustomize/README.md
 [Kubernetes Code of Conduct]: code-of-conduct.md
 [applied]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#apply
 [base]: https://kubernetes-sigs.github.io/kustomize/api-reference/glossary#base

api/builtins/HelmChartInflationGenerator.go

@@ -280,6 +280,9 @@ func (p *HelmChartInflationGeneratorPlugin) templateCommand() []string {
 		// I've tried placing the flag before and after the name argument.
 		args = append(args, "--generate-name")
 	}
+	if p.IncludeCRDs {
+		args = append(args, "--include-crds")
+	}
 	return args
 }
 

api/builtins/IAMPolicyGenerator.go

@@ -0,0 +1,33 @@
+// Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT.
+// pluginator {unknown  1970-01-01T00:00:00Z  }
+
+package builtins
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/iampolicygenerator"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+)
+
+type IAMPolicyGeneratorPlugin struct {
+	types.IAMPolicyGeneratorArgs
+}
+
+func (p *IAMPolicyGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) {
+	p.IAMPolicyGeneratorArgs = types.IAMPolicyGeneratorArgs{}
+	err = yaml.Unmarshal(config, p)
+	return
+}
+
+func (p *IAMPolicyGeneratorPlugin) Generate() (resmap.ResMap, error) {
+	r := resmap.New()
+	err := r.ApplyFilter(iampolicygenerator.Filter{
+		IAMPolicyGenerator: p.IAMPolicyGeneratorArgs,
+	})
+	return r, err
+}
+
+func NewIAMPolicyGeneratorPlugin() resmap.GeneratorPlugin {
+	return &IAMPolicyGeneratorPlugin{}
+}

api/filesys/filesys.go

@@ -0,0 +1,61 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package filesys provides a file system abstraction,
+// a subset of that provided by golang.org/pkg/os,
+// with an on-disk and in-memory representation.
+//
+// Deprecated: use sigs.k8s.io/kustomize/kyaml/filesys instead.
+package filesys
+
+import "sigs.k8s.io/kustomize/kyaml/filesys"
+
+const (
+	// Separator is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.Separator.
+	Separator = filesys.Separator
+	// SelfDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.SelfDir.
+	SelfDir = filesys.SelfDir
+	// ParentDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ParentDir.
+	ParentDir = filesys.ParentDir
+)
+
+type (
+	// FileSystem is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystem.
+	FileSystem = filesys.FileSystem
+	// FileSystemOrOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.FileSystemOrOnDisk.
+	FileSystemOrOnDisk = filesys.FileSystemOrOnDisk
+	// ConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.ConfirmedDir.
+	ConfirmedDir = filesys.ConfirmedDir
+)
+
+// MakeEmptyDirInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeEmptyDirInMemory.
+func MakeEmptyDirInMemory() FileSystem { return filesys.MakeEmptyDirInMemory() }
+
+// MakeFsInMemory is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsInMemory.
+func MakeFsInMemory() FileSystem { return filesys.MakeFsInMemory() }
+
+// MakeFsOnDisk is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.MakeFsOnDisk.
+func MakeFsOnDisk() FileSystem { return filesys.MakeFsOnDisk() }
+
+// NewTmpConfirmedDir is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.NewTmpConfirmedDir.
+func NewTmpConfirmedDir() (filesys.ConfirmedDir, error) { return filesys.NewTmpConfirmedDir() }
+
+// RootedPath is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.RootedPath.
+func RootedPath(elem ...string) string { return filesys.RootedPath(elem...) }
+
+// StripTrailingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripTrailingSeps.
+func StripTrailingSeps(s string) string { return filesys.StripTrailingSeps(s) }
+
+// StripLeadingSeps is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.StripLeadingSeps.
+func StripLeadingSeps(s string) string { return filesys.StripLeadingSeps(s) }
+
+// PathSplit is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathSplit.
+func PathSplit(incoming string) []string { return filesys.PathSplit(incoming) }
+
+// PathJoin is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.PathJoin.
+func PathJoin(incoming []string) string { return filesys.PathJoin(incoming) }
+
+// InsertPathPart is deprecated, use sigs.k8s.io/kustomize/kyaml/filesys.InsertPathPart.
+func InsertPathPart(path string, pos int, part string) string {
+	return filesys.InsertPathPart(path, pos, part)
+}

api/filesys/filesystem.go

@@ -1,50 +0,0 @@
-// Copyright 2019 The Kubernetes Authors.
-// SPDX-License-Identifier: Apache-2.0
-
-// Package filesys provides a file system abstraction layer.
-package filesys
-
-import (
-	"path/filepath"
-)
-
-const (
-	Separator = string(filepath.Separator)
-	SelfDir   = "."
-	ParentDir = ".."
-)
-
-// FileSystem groups basic os filesystem methods.
-// It's supposed be functional subset of https://golang.org/pkg/os
-type FileSystem interface {
-	// Create a file.
-	Create(path string) (File, error)
-	// MkDir makes a directory.
-	Mkdir(path string) error
-	// MkDirAll makes a directory path, creating intervening directories.
-	MkdirAll(path string) error
-	// RemoveAll removes path and any children it contains.
-	RemoveAll(path string) error
-	// Open opens the named file for reading.
-	Open(path string) (File, error)
-	// IsDir returns true if the path is a directory.
-	IsDir(path string) bool
-	// CleanedAbs converts the given path into a
-	// directory and a file name, where the directory
-	// is represented as a ConfirmedDir and all that implies.
-	// If the entire path is a directory, the file component
-	// is an empty string.
-	CleanedAbs(path string) (ConfirmedDir, string, error)
-	// Exists is true if the path exists in the file system.
-	Exists(path string) bool
-	// Glob returns the list of matching files,
-	// emulating https://golang.org/pkg/path/filepath/#Glob
-	Glob(pattern string) ([]string, error)
-	// ReadFile returns the contents of the file at the given path.
-	ReadFile(path string) ([]byte, error)
-	// WriteFile writes the data to a file at the given path,
-	// overwriting anything that's already there.
-	WriteFile(path string, data []byte) error
-	// Walk walks the file system with the given WalkFunc.
-	Walk(path string, walkFn filepath.WalkFunc) error
-}

api/filters/doc.go

@@ -0,0 +1,5 @@
+package filters
+
+// Package filters collects various implementations
+// sigs.k8s.io/kustomize/kyaml/kio.Filter used by kustomize
+// transformers to modify kubernetes objects.

api/filters/fieldspec/fieldspec.go

@@ -49,7 +49,7 @@ func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) {
 	if match := isMatchGVK(fltr.FieldSpec, obj); !match {
 		return obj, nil
 	}
-	fltr.path = utils.PathSplitter(fltr.FieldSpec.Path)
+	fltr.path = utils.PathSplitter(fltr.FieldSpec.Path, "/")
 	if err := fltr.filter(obj); err != nil {
 		s, _ := obj.String()
 		return nil, errors.WrapPrefixf(err,

api/filters/iampolicygenerator/doc.go

@@ -0,0 +1,3 @@
+// Package gkesagenerator contains a kio.Filter that that generates a
+// iampolicy-related resources for a given cloud provider
+package iampolicygenerator

api/filters/iampolicygenerator/example_test.go

@@ -0,0 +1,46 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"log"
+	"os"
+
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+func ExampleFilter() {
+	f := Filter{}
+	var err = yaml.Unmarshal([]byte(`
+cloud: gke
+kubernetesService: 
+  namespace: k8s-namespace
+  name: k8s-sa-name
+serviceAccount:
+  name: gsa-name
+  projectId: project-id
+`), &f)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = kio.Pipeline{
+		Inputs:  []kio.Reader{},
+		Filters: []kio.Filter{f},
+		Outputs: []kio.Writer{kio.ByteWriter{Writer: os.Stdout}},
+	}.Execute()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Output:
+	// apiVersion: v1
+	// kind: ServiceAccount
+	// metadata:
+	//   annotations:
+	//     iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+	//   name: k8s-sa-name
+	//   namespace: k8s-namespace
+}

api/filters/iampolicygenerator/iampolicygenerator.go

@@ -0,0 +1,55 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+type Filter struct {
+	IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"`
+}
+
+// Filter adds a GKE service account object to nodes
+func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
+	switch f.IAMPolicyGenerator.Cloud {
+	case types.GKE:
+		IAMPolicyResources, err := f.generateGkeIAMPolicyResources()
+		if err != nil {
+			return nil, err
+		}
+		nodes = append(nodes, IAMPolicyResources...)
+	default:
+		return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud)
+	}
+	return nodes, nil
+}
+
+func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) {
+	var result []*yaml.RNode
+	input := fmt.Sprintf(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com
+  name: %s
+`, f.IAMPolicyGenerator.ServiceAccount.Name,
+		f.IAMPolicyGenerator.ProjectId,
+		f.IAMPolicyGenerator.KubernetesService.Name)
+
+	if f.IAMPolicyGenerator.Namespace != "" {
+		input = input + fmt.Sprintf("\n  namespace: %s", f.IAMPolicyGenerator.Namespace)
+	}
+
+	sa, err := yaml.Parse(input)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(result, sa), nil
+}

api/filters/iampolicygenerator/iampolicygenerator_test.go

@@ -0,0 +1,75 @@
+// Copyright 2021 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package iampolicygenerator
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
+	"sigs.k8s.io/kustomize/api/types"
+)
+
+func TestFilter(t *testing.T) {
+	testCases := map[string]struct {
+		args     types.IAMPolicyGeneratorArgs
+		expected string
+	}{
+		"with namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Namespace: "k8s-namespace",
+					Name:      "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+  namespace: k8s-namespace
+`,
+		},
+		"without namespace": {
+			args: types.IAMPolicyGeneratorArgs{
+				Cloud: types.GKE,
+				KubernetesService: types.KubernetesService{
+					Name: "k8s-sa-name",
+				},
+				ServiceAccount: types.ServiceAccount{
+					Name:      "gsa-name",
+					ProjectId: "project-id",
+				},
+			},
+			expected: `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+`,
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			f := Filter{
+				IAMPolicyGenerator: tc.args,
+			}
+			actual := filtertest.RunFilter(t, "", f)
+			if !assert.Equal(t, strings.TrimSpace(tc.expected), strings.TrimSpace(actual)) {
+				t.FailNow()
+			}
+		})
+	}
+}

api/filters/imagetag/legacy.go

@@ -4,6 +4,7 @@
 package imagetag
 
 import (
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -74,7 +75,7 @@ func (f findFieldsFilter) walk(node *yaml.RNode) error {
 				return err
 			}
 			key := n.Key.YNode().Value
-			if contains(f.fields, key) {
+			if utils.StringSliceContains(f.fields, key) {
 				return f.fieldCallback(n.Value)
 			}
 			return nil
@@ -87,15 +88,6 @@ func (f findFieldsFilter) walk(node *yaml.RNode) error {
 	return nil
 }
 
-func contains(slice []string, str string) bool {
-	for _, s := range slice {
-		if s == str {
-			return true
-		}
-	}
-	return false
-}
-
 func checkImageTagsFn(imageTag types.Image) fieldCallback {
 	return func(node *yaml.RNode) error {
 		if node.YNode().Kind != yaml.SequenceNode {

api/filters/replacement/replacement.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"strings"
 
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -43,11 +44,17 @@ func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targets []*types.T
 			t.FieldPaths = []string{types.DefaultReplacementFieldPath}
 		}
 		for _, n := range nodes {
-			id := makeResId(n)
-			if id.IsSelectedBy(t.Select.ResId) && !rejectId(t.Reject, id) {
-				err := applyToNode(n, value, t)
-				if err != nil {
-					return nil, err
+			ids, err := utils.MakeResIds(n)
+			if err != nil {
+				return nil, err
+			}
+			for _, id := range ids {
+				if id.IsSelectedBy(t.Select.ResId) && !rejectId(t.Reject, &id) {
+					err := applyToNode(n, value, t)
+					if err != nil {
+						return nil, err
+					}
+					break
 				}
 			}
 		}
@@ -66,7 +73,7 @@ func rejectId(rejects []*types.Selector, id *resid.ResId) bool {
 
 func applyToNode(node *yaml.RNode, value *yaml.RNode, target *types.TargetSelector) error {
 	for _, fp := range target.FieldPaths {
-		fieldPath := strings.Split(fp, ".")
+		fieldPath := utils.SmarterPathSplitter(fp, ".")
 		var t *yaml.RNode
 		var err error
 		if target.Options != nil && target.Options.Create {
@@ -87,12 +94,11 @@ func applyToNode(node *yaml.RNode, value *yaml.RNode, target *types.TargetSelect
 }
 
 func setTargetValue(options *types.FieldOptions, t *yaml.RNode, value *yaml.RNode) error {
+	value = value.Copy()
 	if options != nil && options.Delimiter != "" {
-
 		if t.YNode().Kind != yaml.ScalarNode {
 			return fmt.Errorf("delimiter option can only be used with scalar nodes")
 		}
-
 		tv := strings.Split(t.YNode().Value, options.Delimiter)
 		v := yaml.GetValue(value)
 		// TODO: Add a way to remove an element
@@ -119,7 +125,7 @@ func getReplacement(nodes []*yaml.RNode, r *types.Replacement) (*yaml.RNode, err
 	if r.Source.FieldPath == "" {
 		r.Source.FieldPath = types.DefaultReplacementFieldPath
 	}
-	fieldPath := strings.Split(r.Source.FieldPath, ".")
+	fieldPath := utils.SmarterPathSplitter(r.Source.FieldPath, ".")
 
 	rn, err := source.Pipe(yaml.Lookup(fieldPath...))
 	if err != nil {
@@ -152,12 +158,19 @@ func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode,
 func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yaml.RNode, error) {
 	var matches []*yaml.RNode
 	for _, n := range nodes {
-		if makeResId(n).IsSelectedBy(selector.ResId) {
-			if len(matches) > 0 {
-				return nil, fmt.Errorf(
-					"multiple matches for selector %s", selector)
+		ids, err := utils.MakeResIds(n)
+		if err != nil {
+			return nil, err
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(selector.ResId) {
+				if len(matches) > 0 {
+					return nil, fmt.Errorf(
+						"multiple matches for selector %s", selector)
+				}
+				matches = append(matches, n)
+				break
 			}
-			matches = append(matches, n)
 		}
 	}
 	if len(matches) == 0 {
@@ -165,17 +178,3 @@ func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yam
 	}
 	return matches[0], nil
 }
-
-// makeResId makes a ResId from an RNode.
-func makeResId(n *yaml.RNode) *resid.ResId {
-	apiVersion := n.Field(yaml.APIVersionField)
-	var group, version string
-	if apiVersion != nil {
-		group, version = resid.ParseGroupVersion(yaml.GetValue(apiVersion.Value))
-	}
-	return &resid.ResId{
-		Gvk:       resid.Gvk{Group: group, Version: version, Kind: n.GetKind()},
-		Name:      n.GetName(),
-		Namespace: n.GetNamespace(),
-	}
-}

api/filters/replacement/replacement_test.go

@@ -1338,6 +1338,224 @@ spec:
 `,
 			expectedErr: "delimiter option can only be used with scalar nodes",
 		},
+		"mapping value contains '.' character": {
+			input: `apiVersion: v1
+kind: Custom
+metadata:
+  name: custom
+  annotations:
+    a.b.c/d-e: source
+    f.g.h/i-j: target
+`,
+			replacements: `replacements:
+- source:
+    name: custom
+    fieldPath: metadata.annotations.[a.b.c/d-e]
+  targets:
+  - select:
+      name: custom
+    fieldPaths: 
+    - metadata.annotations.[f.g.h/i-j]
+`,
+			expected: `apiVersion: v1
+kind: Custom
+metadata:
+  name: custom
+  annotations:
+    a.b.c/d-e: source
+    f.g.h/i-j: source
+`,
+		},
+		"list index contains '.' character": {
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: source
+data:
+  value: example
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: some-secret
+spec:
+  backendType: secretsManager
+  data:
+    - key: some-prefix-replaceme
+      name: .first
+      version: latest
+      property: first
+    - key: some-prefix-replaceme
+      name: second
+      version: latest
+      property: second
+`,
+			replacements: `replacements:
+- source:
+    kind: ConfigMap
+    version: v1
+    name: source
+    fieldPath: data.value
+  targets:
+  - select:
+      group: kubernetes-client.io
+      version: v1
+      kind: ExternalSecret
+      name: some-secret
+    fieldPaths:
+    - spec.data.[name=.first].key
+    - spec.data.[name=second].key
+    options:
+      delimiter: "-"
+      index: 2
+`,
+			expected: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: source
+data:
+  value: example
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: some-secret
+spec:
+  backendType: secretsManager
+  data:
+  - key: some-prefix-example
+    name: .first
+    version: latest
+    property: first
+  - key: some-prefix-example
+    name: second
+    version: latest
+    property: second`,
+		},
+		"multiple field paths in target": {
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: source
+data:
+  value: example
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: some-secret
+spec:
+  backendType: secretsManager
+  data:
+    - key: some-prefix-replaceme
+      name: first
+      version: latest
+      property: first
+    - key: some-prefix-replaceme
+      name: second
+      version: latest
+      property: second
+    - key: some-prefix-replaceme
+      name: third
+      version: latest
+      property: third
+`,
+			replacements: `replacements:
+- source:
+    kind: ConfigMap
+    version: v1
+    name: source
+    fieldPath: data.value
+  targets:
+  - select:
+      group: kubernetes-client.io
+      version: v1
+      kind: ExternalSecret
+      name: some-secret
+    fieldPaths:
+    - spec.data.0.key
+    - spec.data.1.key
+    - spec.data.2.key
+    options:
+      delimiter: "-"
+      index: 2
+`,
+			expected: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: source
+data:
+  value: example
+---
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: some-secret
+spec:
+  backendType: secretsManager
+  data:
+  - key: some-prefix-example
+    name: first
+    version: latest
+    property: first
+  - key: some-prefix-example
+    name: second
+    version: latest
+    property: second
+  - key: some-prefix-example
+    name: third
+    version: latest
+    property: third
+`,
+		},
+		"using a previous ID": {
+			input: `apiVersion: v1
+kind: Deployment
+metadata:
+  name: pre-deploy
+  annotations: 
+    internal.config.kubernetes.io/previousNames: deploy,deploy
+    internal.config.kubernetes.io/previousKinds: CronJob,Deployment
+    internal.config.kubernetes.io/previousNamespaces: default,default
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:1.7.9
+        name: nginx-tagged
+      - image: postgres:1.8.0
+        name: postgresdb
+`,
+			replacements: `replacements:
+- source:
+    kind: CronJob
+    name: deploy
+    fieldPath: spec.template.spec.containers.0.image
+  targets:
+  - select:
+      kind: Deployment
+      name: deploy
+    fieldPaths: 
+    - spec.template.spec.containers.1.image
+`,
+			expected: `apiVersion: v1
+kind: Deployment
+metadata:
+  name: pre-deploy
+  annotations:
+    internal.config.kubernetes.io/previousNames: deploy,deploy
+    internal.config.kubernetes.io/previousKinds: CronJob,Deployment
+    internal.config.kubernetes.io/previousNamespaces: default,default
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:1.7.9
+        name: nginx-tagged
+      - image: nginx:1.7.9
+        name: postgresdb
+`,
+		},
 	}
 
 	for tn, tc := range testCases {
@@ -1353,7 +1571,7 @@ spec:
 					t.Errorf("unexpected error: %s\n", err.Error())
 					t.FailNow()
 				}
-				if !assert.Equal(t, tc.expectedErr, err.Error()) {
+				if !assert.Contains(t, err.Error(), tc.expectedErr) {
 					t.FailNow()
 				}
 			}

api/filters/valueadd/valueadd.go

@@ -6,7 +6,7 @@ package valueadd
 import (
 	"strings"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

api/go.mod

@@ -3,7 +3,7 @@ module sigs.k8s.io/kustomize/api
 go 1.16
 
 require (
-	github.com/evanphx/json-patch v4.5.0+incompatible
+	github.com/evanphx/json-patch v4.11.0+incompatible
 	github.com/go-errors/errors v1.0.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/imdario/mergo v0.3.5
@@ -11,10 +11,8 @@ require (
 	github.com/stretchr/testify v1.5.1
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
-	sigs.k8s.io/kustomize/kyaml v0.10.19
+	sigs.k8s.io/kustomize/kyaml v0.11.0
 	sigs.k8s.io/yaml v1.2.0
 )
 
-replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
-
 replace sigs.k8s.io/kustomize/kyaml => ../kyaml

api/go.sum

@@ -30,8 +30,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
-github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
+github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
@@ -217,8 +217,7 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=

api/internal/accumulator/loadconfigfromcrds.go

@@ -9,10 +9,10 @@ import (
 
 	"github.com/pkg/errors"
 	"k8s.io/kube-openapi/pkg/validation/spec"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/yaml"
 )
@@ -178,9 +178,12 @@ func loadCrdIntoConfig(
 			}
 		}
 		if property.Ref.GetURL() != nil {
-			loadCrdIntoConfig(
+			err = loadCrdIntoConfig(
 				theConfig, theGvk, theMap,
 				property.Ref.String(), append(path, propName))
+			if err != nil {
+				return
+			}
 		}
 	}
 	return nil

api/internal/accumulator/loadconfigfromcrds_test.go

@@ -7,11 +7,12 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/accumulator"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 
@@ -162,16 +163,13 @@ func TestLoadCRDs(t *testing.T) {
 	}
 
 	fSys := filesys.MakeFsInMemory()
-	fSys.WriteFile("/testpath/crd.json", []byte(crdContent))
+	err := fSys.WriteFile("/testpath/crd.json", []byte(crdContent))
+	require.NoError(t, err)
 	ldr, err := loader.NewLoader(loader.RestrictionRootOnly, "/testpath", fSys)
-	if err != nil {
-		t.Fatalf("unexpected error:%v", err)
-	}
+	require.NoError(t, err)
 
 	actualTc, err := LoadConfigFromCRDs(ldr, []string{"crd.json"})
-	if err != nil {
-		t.Fatalf("unexpected error:%v", err)
-	}
+	require.NoError(t, err)
 	if !reflect.DeepEqual(actualTc, expectedTc) {
 		t.Fatalf("expected\n %v\n but got\n %v\n", expectedTc, actualTc)
 	}

api/internal/accumulator/namereferencetransformer_test.go

@@ -897,7 +897,9 @@ func TestNameReferenceClusterWide(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 
+	expected.RemoveBuildAnnotations()
 	m.RemoveBuildAnnotations()
+
 	if err = expected.ErrorIfNotEqualLists(m); err != nil {
 		t.Fatalf(notEqualErrFmt, err)
 	}

api/internal/accumulator/resaccumulator_test.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/accumulator"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/provider"
@@ -224,20 +225,26 @@ func TestResolveVarConflicts(t *testing.T) {
 	// create accumulators holding apparently conflicting vars that are not
 	// actually in conflict because they point to the same concrete value.
 	rm0 := resmap.New()
-	rm0.Append(rf.FromMap(fooAws))
+	err := rm0.Append(rf.FromMap(fooAws))
+	require.NoError(t, err)
 	ac0 := MakeEmptyAccumulator()
-	ac0.AppendAll(rm0)
-	ac0.MergeVars([]types.Var{varFoo})
+	err = ac0.AppendAll(rm0)
+	require.NoError(t, err)
+	err = ac0.MergeVars([]types.Var{varFoo})
+	require.NoError(t, err)
 
 	rm1 := resmap.New()
-	rm1.Append(rf.FromMap(barAws))
+	err = rm1.Append(rf.FromMap(barAws))
+	require.NoError(t, err)
 	ac1 := MakeEmptyAccumulator()
-	ac1.AppendAll(rm1)
-	ac1.MergeVars([]types.Var{varBar})
+	err = ac1.AppendAll(rm1)
+	require.NoError(t, err)
+	err = ac1.MergeVars([]types.Var{varBar})
+	require.NoError(t, err)
 
 	// validate that two vars of the same name which reference the same concrete
 	// value do not produce a conflict.
-	err := ac0.MergeAccumulator(ac1)
+	err = ac0.MergeAccumulator(ac1)
 	if err == nil {
 		t.Fatalf("see bug gh-1600")
 	}
@@ -246,10 +253,13 @@ func TestResolveVarConflicts(t *testing.T) {
 	// two above (because it contains a variable whose name is used in the other
 	// accumulators AND whose concrete values are different).
 	rm2 := resmap.New()
-	rm2.Append(rf.FromMap(barGcp))
+	err = rm2.Append(rf.FromMap(barGcp))
+	require.NoError(t, err)
 	ac2 := MakeEmptyAccumulator()
-	ac2.AppendAll(rm2)
-	ac2.MergeVars([]types.Var{varBar})
+	err = ac2.AppendAll(rm2)
+	require.NoError(t, err)
+	err = ac2.MergeVars([]types.Var{varBar})
+	require.NoError(t, err)
 	err = ac1.MergeAccumulator(ac2)
 	if err == nil {
 		t.Fatalf("dupe vars w/ different concrete values should conflict")
@@ -352,10 +362,10 @@ func TestResolveVarsWithNoambiguation(t *testing.T) {
 			"metadata": map[string]interface{}{
 				"name": "sub-backendOne",
 				"annotations": map[string]interface{}{
-					"config.kubernetes.io/previousKinds":      "Service",
-					"config.kubernetes.io/previousNames":      "backendOne",
-					"config.kubernetes.io/previousNamespaces": "default",
-					"config.kubernetes.io/prefixes":           "sub-",
+					"internal.config.kubernetes.io/previousKinds":      "Service",
+					"internal.config.kubernetes.io/previousNames":      "backendOne",
+					"internal.config.kubernetes.io/previousNamespaces": "default",
+					"internal.config.kubernetes.io/prefixes":           "sub-",
 				},
 			}}).ResMap()
 

api/internal/generators/configmap.go

@@ -40,7 +40,13 @@ func MakeConfigMap(
 	if err = rn.LoadMapIntoConfigMapData(m); err != nil {
 		return nil, err
 	}
-	copyLabelsAndAnnotations(rn, args.Options)
-	setImmutable(rn, args.Options)
+	err = copyLabelsAndAnnotations(rn, args.Options)
+	if err != nil {
+		return nil, err
+	}
+	err = setImmutable(rn, args.Options)
+	if err != nil {
+		return nil, err
+	}
 	return rn, nil
 }

api/internal/generators/configmap_test.go

@@ -8,12 +8,12 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
 	. "sigs.k8s.io/kustomize/api/internal/generators"
 	"sigs.k8s.io/kustomize/api/kv"
 	"sigs.k8s.io/kustomize/api/loader"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 var binaryHello = []byte{

api/internal/generators/secret_test.go

@@ -8,12 +8,12 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
 	. "sigs.k8s.io/kustomize/api/internal/generators"
 	"sigs.k8s.io/kustomize/api/kv"
 	"sigs.k8s.io/kustomize/api/loader"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestMakeSecret(t *testing.T) {

api/internal/git/cloner.go

@@ -4,7 +4,7 @@
 package git
 
 import (
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // Cloner is a function that can clone a git repo.

api/internal/git/gitrunner.go

@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // gitRunner runs the external git binary.

api/internal/git/repospec.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // Used as a temporary non-empty occupant of the cloneDir
@@ -125,7 +125,7 @@ func parseGitUrl(n string) (
 		index := strings.Index(n, gitSuffix)
 		orgRepo = n[0:index]
 		n = n[index+len(gitSuffix):]
-		if n[0] == '/' {
+		if len(n) > 0 && n[0] == '/' {
 			n = n[1:]
 		}
 		path, gitRef, gitTimeout, gitSubmodules = peelQuery(n)

api/internal/git/repospec_test.go

@@ -35,7 +35,6 @@ var hostNamesRawAndNormalized = [][]string{
 	{"git::https://git.example.com/", "https://git.example.com/"},
 	{"git@github.com:", "git@github.com:"},
 	{"git@github.com/", "git@github.com:"},
-	{"git@gitlab2.sqtools.ru:10022/", "git@gitlab2.sqtools.ru:10022/"},
 }
 
 func makeUrl(hostFmt, orgRepo, path, href string) string {
@@ -183,6 +182,12 @@ func TestNewRepoSpecFromUrl_CloneSpecs(t *testing.T) {
 			absPath:   notCloned.String(),
 			ref:       "",
 		},
+		"t12": {
+			input:     "https://bitbucket.example.com/scm/project/repository.git",
+			cloneSpec: "https://bitbucket.example.com/scm/project/repository.git",
+			absPath:   notCloned.String(),
+			ref:       "",
+		},
 	}
 	for tn, tc := range testcases {
 		t.Run(tn, func(t *testing.T) {

api/internal/plugins/builtinconfig/loaddefaultconfig_test.go

@@ -7,9 +7,9 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 

api/internal/plugins/builtinhelpers/builtinplugintype_string.go

@@ -11,25 +11,26 @@ func _() {
 	_ = x[Unknown-0]
 	_ = x[AnnotationsTransformer-1]
 	_ = x[ConfigMapGenerator-2]
-	_ = x[HashTransformer-3]
-	_ = x[ImageTagTransformer-4]
-	_ = x[LabelTransformer-5]
-	_ = x[LegacyOrderTransformer-6]
-	_ = x[NamespaceTransformer-7]
-	_ = x[PatchJson6902Transformer-8]
-	_ = x[PatchStrategicMergeTransformer-9]
-	_ = x[PatchTransformer-10]
-	_ = x[PrefixSuffixTransformer-11]
-	_ = x[ReplicaCountTransformer-12]
-	_ = x[SecretGenerator-13]
-	_ = x[ValueAddTransformer-14]
-	_ = x[HelmChartInflationGenerator-15]
-	_ = x[ReplacementTransformer-16]
+	_ = x[IAMPolicyGenerator-3]
+	_ = x[HashTransformer-4]
+	_ = x[ImageTagTransformer-5]
+	_ = x[LabelTransformer-6]
+	_ = x[LegacyOrderTransformer-7]
+	_ = x[NamespaceTransformer-8]
+	_ = x[PatchJson6902Transformer-9]
+	_ = x[PatchStrategicMergeTransformer-10]
+	_ = x[PatchTransformer-11]
+	_ = x[PrefixSuffixTransformer-12]
+	_ = x[ReplicaCountTransformer-13]
+	_ = x[SecretGenerator-14]
+	_ = x[ValueAddTransformer-15]
+	_ = x[HelmChartInflationGenerator-16]
+	_ = x[ReplacementTransformer-17]
 }
 
-const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorHashTransformerImageTagTransformerLabelTransformerLegacyOrderTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer"
+const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorIAMPolicyGeneratorHashTransformerImageTagTransformerLabelTransformerLegacyOrderTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer"
 
-var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 62, 81, 97, 119, 139, 163, 193, 209, 232, 255, 270, 289, 316, 338}
+var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 65, 80, 99, 115, 137, 157, 181, 211, 227, 250, 273, 288, 307, 334, 356}
 
 func (i BuiltinPluginType) String() string {
 	if i < 0 || i >= BuiltinPluginType(len(_BuiltinPluginType_index)-1) {

api/internal/plugins/builtinhelpers/builtins.go

@@ -15,6 +15,7 @@ const (
 	Unknown BuiltinPluginType = iota
 	AnnotationsTransformer
 	ConfigMapGenerator
+	IAMPolicyGenerator
 	HashTransformer
 	ImageTagTransformer
 	LabelTransformer
@@ -58,6 +59,7 @@ func GetBuiltinPluginType(n string) BuiltinPluginType {
 
 var GeneratorFactories = map[BuiltinPluginType]func() resmap.GeneratorPlugin{
 	ConfigMapGenerator:          builtins.NewConfigMapGeneratorPlugin,
+	IAMPolicyGenerator:          builtins.NewIAMPolicyGeneratorPlugin,
 	SecretGenerator:             builtins.NewSecretGeneratorPlugin,
 	HelmChartInflationGenerator: builtins.NewHelmChartInflationGeneratorPlugin,
 }

api/internal/plugins/compiler/compiler_test.go

@@ -7,9 +7,9 @@ import (
 	"path/filepath"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	. "sigs.k8s.io/kustomize/api/internal/plugins/compiler"
 	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // Regression coverage over compiler behavior.

api/internal/plugins/doc.go

@@ -94,9 +94,6 @@ TO GENERATE CODE
   cd $repo/plugin/builtin
   go generate ./...
 
-See scripts/kyaml-pre-commit.sh for canonical way
-to execute the above.
-
 This creates
 
   $repo/api/plugins/builtins/SecretGenerator.go

api/internal/plugins/execplugin/execplugin.go

@@ -89,7 +89,10 @@ type argsConfig struct {
 
 func (p *ExecPlugin) processOptionalArgsFields() error {
 	var c argsConfig
-	yaml.Unmarshal(p.cfg, &c)
+	err := yaml.Unmarshal(p.cfg, &c)
+	if err != nil {
+		return err
+	}
 	if c.ArgsOneLiner != "" {
 		p.args, _ = shlex.Split(c.ArgsOneLiner)
 	}

api/internal/plugins/execplugin/execplugin_test.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/plugins/execplugin"
 	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
@@ -17,15 +17,17 @@ import (
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestExecPluginConfig(t *testing.T) {
 	fSys := filesys.MakeFsInMemory()
-	fSys.WriteFile("sed-input.txt", []byte(`
+	err := fSys.WriteFile("sed-input.txt", []byte(`
 s/$FOO/foo/g
 s/$BAR/bar baz/g
  \ \ \ 
 `))
+	require.NoError(t, err)
 	ldr, err := fLdr.NewLoader(
 		fLdr.RestrictionRootOnly, filesys.Separator, fSys)
 	if err != nil {
@@ -62,9 +64,10 @@ s/$BAR/bar baz/g
 	if err != nil {
 		t.Fatalf("unexpected err: %v", err)
 	}
-	p.Config(
+	err = p.Config(
 		resmap.NewPluginHelpers(ldr, pvd.GetFieldValidator(), rf, pc),
 		yaml)
+	require.NoError(t, err)
 
 	expected := "someteam.example.com/v1/sedtransformer/SedTransformer"
 	if !strings.HasSuffix(p.Path(), expected) {

api/internal/plugins/fnplugin/fnplugin.go

@@ -78,6 +78,7 @@ func NewFnPlugin(o *types.FnPluginLoadingOptions) *FnPlugin {
 			EnableExec:     o.EnableExec,
 			StorageMounts:  toStorageMounts(o.Mounts),
 			Env:            o.Env,
+			AsCurrentUser:  o.AsCurrentUser,
 		},
 	}
 }

api/internal/plugins/loader/loader.go

@@ -13,7 +13,6 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
 	"sigs.k8s.io/kustomize/api/internal/plugins/execplugin"
@@ -23,6 +22,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 )
 

api/internal/plugins/loader/loader_test.go

@@ -6,7 +6,6 @@ package loader_test
 import (
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	. "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/provider"
@@ -14,6 +13,7 @@ import (
 	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 const (

api/internal/plugins/utils/utils.go

@@ -12,11 +12,11 @@ import (
 	"strconv"
 	"time"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/yaml"
 )
 
@@ -192,7 +192,9 @@ func UpdateResMapValues(pluginName string, h *resmap.PluginHelpers, output []byt
 	for _, id := range rm.AllIds() {
 		newIdx, _ := newMap.GetIndexOfCurrentId(id)
 		if newIdx == -1 {
-			rm.Remove(id)
+			if err = rm.Remove(id); err != nil {
+				return err
+			}
 		}
 	}
 

api/internal/plugins/utils/utils_test.go

@@ -10,12 +10,13 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
+	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestDeterminePluginSrcRoot(t *testing.T) {
@@ -86,8 +87,10 @@ func TestUpdateResourceOptions(t *testing.T) {
 	}
 	for i, c := range cases {
 		name := fmt.Sprintf("test%d", i)
-		in.Append(makeConfigMap(rf, name, c.behavior, c.hashValue))
-		expected.Append(makeConfigMapOptions(rf, name, c.behavior, !c.needsHash))
+		err := in.Append(makeConfigMap(rf, name, c.behavior, c.hashValue))
+		require.NoError(t, err)
+		err = expected.Append(makeConfigMapOptions(rf, name, c.behavior, !c.needsHash))
+		require.NoError(t, err)
 	}
 	actual, err := UpdateResourceOptions(in)
 	assert.NoError(t, err)
@@ -105,10 +108,9 @@ func TestUpdateResourceOptionsWithInvalidHashAnnotationValues(t *testing.T) {
 	for i, c := range cases {
 		name := fmt.Sprintf("test%d", i)
 		in := resmap.New()
-		in.Append(makeConfigMap(rf, name, "", &c))
-		_, err := UpdateResourceOptions(in)
-		if err == nil {
-			t.Errorf("expected error from value %q", c)
-		}
+		err := in.Append(makeConfigMap(rf, name, "", &c))
+		require.NoError(t, err)
+		_, err = UpdateResourceOptions(in)
+		require.Error(t, err)
 	}
 }

api/internal/target/kusttarget_test.go

@@ -255,5 +255,5 @@ metadata:
 	actual.RemoveBuildAnnotations()
 	actYaml, err := actual.AsYaml()
 	assert.NoError(t, err)
-	assert.Equal(t, expYaml, actYaml)
+	assert.Equal(t, string(expYaml), string(actYaml))
 }

api/internal/target/maker_test.go

@@ -6,7 +6,6 @@ package target_test
 import (
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/internal/target"
 	fLdr "sigs.k8s.io/kustomize/api/loader"
@@ -14,6 +13,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func makeAndLoadKustTarget(

api/internal/utils/makeResIds.go

@@ -0,0 +1,81 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+const (
+	BuildAnnotationPreviousKinds      = konfig.ConfigAnnoDomain + "/previousKinds"
+	BuildAnnotationPreviousNames      = konfig.ConfigAnnoDomain + "/previousNames"
+	BuildAnnotationPreviousNamespaces = konfig.ConfigAnnoDomain + "/previousNamespaces"
+	BuildAnnotationPrefixes           = konfig.ConfigAnnoDomain + "/prefixes"
+	BuildAnnotationSuffixes           = konfig.ConfigAnnoDomain + "/suffixes"
+	BuildAnnotationsRefBy             = konfig.ConfigAnnoDomain + "/refBy"
+	BuildAnnotationsGenOptions        = konfig.ConfigAnnoDomain + "/generatorOptions"
+
+	// the following are only for patches, to specify whether they can change names
+	// and kinds of their targets
+	BuildAnnotationAllowNameChange = konfig.ConfigAnnoDomain + "/allowNameChange"
+	BuildAnnotationAllowKindChange = konfig.ConfigAnnoDomain + "/allowKindChange"
+	Allowed                        = "allowed"
+)
+
+// MakeResIds returns all of an RNode's current and previous Ids
+func MakeResIds(n *yaml.RNode) ([]resid.ResId, error) {
+	var result []resid.ResId
+	apiVersion := n.Field(yaml.APIVersionField)
+	var group, version string
+	if apiVersion != nil {
+		group, version = resid.ParseGroupVersion(yaml.GetValue(apiVersion.Value))
+	}
+	result = append(result, resid.NewResIdWithNamespace(
+		resid.Gvk{Group: group, Version: version, Kind: n.GetKind()}, n.GetName(), n.GetNamespace()),
+	)
+	prevIds, err := PrevIds(n)
+	if err != nil {
+		return nil, err
+	}
+	result = append(result, prevIds...)
+	return result, nil
+}
+
+// PrevIds returns all of an RNode's previous Ids
+func PrevIds(n *yaml.RNode) ([]resid.ResId, error) {
+	var ids []resid.ResId
+	// TODO: merge previous names and namespaces into one list of
+	//     pairs on one annotation so there is no chance of error
+	annotations := n.GetAnnotations()
+	if _, ok := annotations[BuildAnnotationPreviousNames]; !ok {
+		return nil, nil
+	}
+	names := strings.Split(annotations[BuildAnnotationPreviousNames], ",")
+	ns := strings.Split(annotations[BuildAnnotationPreviousNamespaces], ",")
+	kinds := strings.Split(annotations[BuildAnnotationPreviousKinds], ",")
+	// This should never happen
+	if len(names) != len(ns) || len(names) != len(kinds) {
+		return nil, fmt.Errorf(
+			"number of previous names, " +
+				"number of previous namespaces, " +
+				"number of previous kinds not equal")
+	}
+	for i := range names {
+		meta, err := n.GetMeta()
+		if err != nil {
+			return nil, err
+		}
+		group, version := resid.ParseGroupVersion(meta.APIVersion)
+		gvk := resid.Gvk{
+			Group:   group,
+			Version: version,
+			Kind:    kinds[i],
+		}
+		ids = append(ids, resid.NewResIdWithNamespace(
+			gvk, names[i], ns[i]))
+	}
+	return ids, nil
+}

api/internal/utils/pathsplitter.go

@@ -5,18 +5,60 @@ package utils
 
 import "strings"
 
-// PathSplitter splits a slash delimited string, permitting escaped slashes.
-func PathSplitter(path string) []string {
-	ps := strings.Split(path, "/")
+// TODO: Move these to kyaml
+
+// PathSplitter splits a delimited string, permitting escaped delimiters.
+func PathSplitter(path string, delimiter string) []string {
+	ps := strings.Split(path, delimiter)
 	var res []string
 	res = append(res, ps[0])
 	for i := 1; i < len(ps); i++ {
 		last := len(res) - 1
 		if strings.HasSuffix(res[last], `\`) {
-			res[last] = strings.TrimSuffix(res[last], `\`) + "/" + ps[i]
+			res[last] = strings.TrimSuffix(res[last], `\`) + delimiter + ps[i]
 		} else {
 			res = append(res, ps[i])
 		}
 	}
 	return res
 }
+
+// SmarterPathSplitter splits a path, retaining bracketed elements.
+// If the element is a list entry identifier (defined by the '='),
+// it will retain the brackets.
+// E.g. "[name=com.foo.someapp]" survives as one thing after splitting
+// "spec.template.spec.containers.[name=com.foo.someapp].image"
+// See kyaml/yaml/match.go for use of list entry identifiers.
+// If the element is a mapping entry identifier, it will remove the
+// brackets.
+// E.g. "a.b.c" survives as one thing after splitting
+// "metadata.annotations.[a.b.c]
+// This function uses `PathSplitter`, so it also respects escaped delimiters.
+func SmarterPathSplitter(path string, delimiter string) []string {
+	var result []string
+	split := PathSplitter(path, delimiter)
+
+	for i := 0; i < len(split); i++ {
+		elem := split[i]
+		if strings.HasPrefix(elem, "[") && !strings.HasSuffix(elem, "]") {
+			// continue until we find the matching "]"
+			bracketed := []string{elem}
+			for i < len(split)-1 {
+				i++
+				bracketed = append(bracketed, split[i])
+				if strings.HasSuffix(split[i], "]") {
+					break
+				}
+			}
+			bracketedStr := strings.Join(bracketed, delimiter)
+			if strings.Contains(bracketedStr, "=") {
+				result = append(result, bracketedStr)
+			} else {
+				result = append(result, strings.Trim(bracketedStr, "[]"))
+			}
+		} else {
+			result = append(result, elem)
+		}
+	}
+	return result
+}

api/internal/utils/pathsplitter_test.go

@@ -44,6 +44,51 @@ func TestPathSplitter(t *testing.T) {
 				"nginx.ingress.kubernetes.io/auth-secret"},
 		},
 	} {
-		assert.Equal(t, tc.exp, PathSplitter(tc.path))
+		assert.Equal(t, tc.exp, PathSplitter(tc.path, "/"))
+	}
+}
+
+func TestSmarterPathSplitter(t *testing.T) {
+	testCases := map[string]struct {
+		input    string
+		expected []string
+	}{
+		"simple": {
+			input:    "spec.replicas",
+			expected: []string{"spec", "replicas"},
+		},
+		"sequence": {
+			input:    "spec.data.[name=first].key",
+			expected: []string{"spec", "data", "[name=first]", "key"},
+		},
+		"key, value with . prefix": {
+			input:    "spec.data.[.name=.first].key",
+			expected: []string{"spec", "data", "[.name=.first]", "key"},
+		},
+		"key, value with . suffix": {
+			input:    "spec.data.[name.=first.].key",
+			expected: []string{"spec", "data", "[name.=first.]", "key"},
+		},
+		"multiple '.' in value": {
+			input:    "spec.data.[name=f.i.r.s.t.].key",
+			expected: []string{"spec", "data", "[name=f.i.r.s.t.]", "key"},
+		},
+		"with escaped delimiter": {
+			input:    `spec\.replicas`,
+			expected: []string{`spec.replicas`},
+		},
+		"unmatched bracket": {
+			input:    "spec.data.[name=f.i.[r.s.t..key",
+			expected: []string{"spec", "data", "[name=f.i.[r.s.t..key"},
+		},
+		"mapping value with .": {
+			input:    "metadata.annotations.[a.b.c/d.e.f-g.]",
+			expected: []string{"metadata", "annotations", "a.b.c/d.e.f-g."},
+		},
+	}
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			assert.Equal(t, tc.expected, SmarterPathSplitter(tc.input, "."))
+		})
 	}
 }

api/internal/utils/stringslice.go

@@ -0,0 +1,44 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+// StringSliceIndex returns the index of the str, else -1.
+func StringSliceIndex(slice []string, str string) int {
+	for i := range slice {
+		if slice[i] == str {
+			return i
+		}
+	}
+	return -1
+}
+
+// StringSliceContains returns true if the slice has the string.
+func StringSliceContains(slice []string, str string) bool {
+	for _, s := range slice {
+		if s == str {
+			return true
+		}
+	}
+	return false
+}
+
+// SameEndingSubSlice returns true if the slices end the same way, e.g.
+// {"a", "b", "c"}, {"b", "c"} => true
+// {"a", "b", "c"}, {"a", "b"} => false
+// If one slice is empty and the other is not, return false.
+func SameEndingSubSlice(shortest, longest []string) bool {
+	if len(shortest) > len(longest) {
+		longest, shortest = shortest, longest
+	}
+	diff := len(longest) - len(shortest)
+	if len(shortest) == 0 {
+		return diff == 0
+	}
+	for i := len(shortest) - 1; i >= 0; i-- {
+		if longest[i+diff] != shortest[i] {
+			return false
+		}
+	}
+	return true
+}

api/internal/utils/stringslice_test.go

@@ -0,0 +1,37 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package utils_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	. "sigs.k8s.io/kustomize/api/internal/utils"
+)
+
+func TestStringSliceIndex(t *testing.T) {
+	assert.Equal(t, 0, StringSliceIndex([]string{"a", "b"}, "a"))
+	assert.Equal(t, 1, StringSliceIndex([]string{"a", "b"}, "b"))
+	assert.Equal(t, -1, StringSliceIndex([]string{"a", "b"}, "c"))
+	assert.Equal(t, -1, StringSliceIndex([]string{}, "c"))
+}
+
+func TestStringSliceContains(t *testing.T) {
+	assert.True(t, StringSliceContains([]string{"a", "b"}, "a"))
+	assert.True(t, StringSliceContains([]string{"a", "b"}, "b"))
+	assert.False(t, StringSliceContains([]string{"a", "b"}, "c"))
+	assert.False(t, StringSliceContains([]string{}, "c"))
+}
+
+func TestSameEndingSubarray(t *testing.T) {
+	assert.True(t, SameEndingSubSlice([]string{"", "a", "b"}, []string{"a", "b"}))
+	assert.True(t, SameEndingSubSlice([]string{"a", "b", ""}, []string{"b", ""}))
+	assert.True(t, SameEndingSubSlice([]string{"a", "b"}, []string{"a", "b"}))
+	assert.True(t, SameEndingSubSlice([]string{"a", "b"}, []string{"b"}))
+	assert.True(t, SameEndingSubSlice([]string{"b"}, []string{"a", "b"}))
+	assert.True(t, SameEndingSubSlice([]string{}, []string{}))
+	assert.False(t, SameEndingSubSlice([]string{"a", "b"}, []string{"b", "a"}))
+	assert.False(t, SameEndingSubSlice([]string{"a", "b"}, []string{}))
+	assert.False(t, SameEndingSubSlice([]string{"a", "b"}, []string{""}))
+}

api/konfig/builtinpluginconsts/namereference.go

@@ -3,9 +3,6 @@
 
 package builtinpluginconsts
 
-// TODO: rename 'fieldSpecs' to 'referrers' for clarity.
-// This will, however, break anyone using a custom config.
-
 const (
 	nameReferenceFieldSpecs = `
 nameReference:

api/konfig/doc.go

@@ -2,5 +2,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 // Package konfig provides configuration methods and constants
-// for the kustomize API.
+// for the kustomize API, e.g. the set of file names to look for
+// to identify a kustomization root.
 package konfig

api/konfig/general.go

@@ -31,11 +31,12 @@ const (
 	// A program name, for use in help, finding the XDG_CONFIG_DIR, etc.
 	ProgramName = "kustomize"
 
-	// ConfigAnnoDomain is configuration-related annotation namespace.
-	ConfigAnnoDomain = "config.kubernetes.io"
+	// ConfigAnnoDomain is internal configuration-related annotation namespace.
+	// See https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md.
+	ConfigAnnoDomain = "internal.config.kubernetes.io"
 
 	// If a resource has this annotation, kustomize will drop it.
-	IgnoredByKustomizeAnnotation = ConfigAnnoDomain + "/local-config"
+	IgnoredByKustomizeAnnotation = "config.kubernetes.io/local-config"
 
 	// Label key that indicates the resources are built from Kustomize
 	ManagedbyLabelKey = "app.kubernetes.io/managed-by"

api/konfig/plugins.go

@@ -8,8 +8,8 @@ import (
 	"path/filepath"
 	"runtime"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 const (

api/konfig/plugins_test.go

@@ -9,20 +9,20 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-
-	"sigs.k8s.io/kustomize/api/filesys"
+	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestDefaultAbsPluginHome_NoKustomizePluginHomeEnv(t *testing.T) {
 	fSys := filesys.MakeFsInMemory()
 	keep, isSet := os.LookupEnv(KustomizePluginHomeEnv)
 	if isSet {
-		_ = os.Unsetenv(KustomizePluginHomeEnv)
+		unsetenv(t, KustomizePluginHomeEnv)
 	}
 	_, err := DefaultAbsPluginHome(fSys)
 	if isSet {
-		os.Setenv(KustomizePluginHomeEnv, keep)
+		setenv(t, KustomizePluginHomeEnv, keep)
 	}
 	if err == nil {
 		t.Fatalf("expected err")
@@ -43,13 +43,13 @@ func TestDefaultAbsPluginHome_NoKustomizePluginHomeEnv(t *testing.T) {
 
 func TestDefaultAbsPluginHome_EmptyKustomizePluginHomeEnv(t *testing.T) {
 	keep, isSet := os.LookupEnv(KustomizePluginHomeEnv)
-	os.Setenv(KustomizePluginHomeEnv, "")
+	setenv(t, KustomizePluginHomeEnv, "")
 
 	_, err := DefaultAbsPluginHome(filesys.MakeFsInMemory())
 	if !isSet {
-		_ = os.Unsetenv(KustomizePluginHomeEnv)
+		unsetenv(t, KustomizePluginHomeEnv)
 	} else {
-		_ = os.Setenv(KustomizePluginHomeEnv, keep)
+		setenv(t, KustomizePluginHomeEnv, keep)
 	}
 	if err == nil {
 		t.Fatalf("expected err")
@@ -65,16 +65,15 @@ func TestDefaultAbsPluginHome_WithKustomizePluginHomeEnv(t *testing.T) {
 	keep, isSet := os.LookupEnv(KustomizePluginHomeEnv)
 	if !isSet {
 		keep = "whatever"
-		os.Setenv(KustomizePluginHomeEnv, keep)
+		setenv(t, KustomizePluginHomeEnv, keep)
 	}
-	fSys.Mkdir(keep)
+	err := fSys.Mkdir(keep)
+	require.NoError(t, err)
 	h, err := DefaultAbsPluginHome(fSys)
 	if !isSet {
-		_ = os.Unsetenv(KustomizePluginHomeEnv)
-	}
-	if err != nil {
-		t.Fatalf("unexpected err: %v", err)
+		unsetenv(t, KustomizePluginHomeEnv)
 	}
+	require.NoError(t, err)
 	if h != keep {
 		t.Fatalf("unexpected config dir: %s", h)
 	}
@@ -85,13 +84,14 @@ func TestDefaultAbsPluginHomeWithXdg(t *testing.T) {
 	keep, isSet := os.LookupEnv(XdgConfigHomeEnv)
 	if !isSet {
 		keep = "whatever"
-		os.Setenv(XdgConfigHomeEnv, keep)
+		setenv(t, XdgConfigHomeEnv, keep)
 	}
 	configDir := filepath.Join(keep, ProgramName, RelPluginHome)
-	fSys.Mkdir(configDir)
+	err := fSys.Mkdir(configDir)
+	require.NoError(t, err)
 	h, err := DefaultAbsPluginHome(fSys)
 	if !isSet {
-		_ = os.Unsetenv(XdgConfigHomeEnv)
+		unsetenv(t, XdgConfigHomeEnv)
 	}
 	if err != nil {
 		t.Fatalf("unexpected err: %v", err)
@@ -105,11 +105,11 @@ func TestDefaultAbsPluginHomeNoConfig(t *testing.T) {
 	fSys := filesys.MakeFsInMemory()
 	keep, isSet := os.LookupEnv(XdgConfigHomeEnv)
 	if isSet {
-		_ = os.Unsetenv(XdgConfigHomeEnv)
+		unsetenv(t, XdgConfigHomeEnv)
 	}
 	_, err := DefaultAbsPluginHome(fSys)
 	if isSet {
-		os.Setenv(XdgConfigHomeEnv, keep)
+		setenv(t, XdgConfigHomeEnv, keep)
 	}
 	if err == nil {
 		t.Fatalf("expected err")
@@ -121,13 +121,13 @@ func TestDefaultAbsPluginHomeNoConfig(t *testing.T) {
 
 func TestDefaultAbsPluginHomeEmptyXdgConfig(t *testing.T) {
 	keep, isSet := os.LookupEnv(XdgConfigHomeEnv)
-	os.Setenv(XdgConfigHomeEnv, "")
+	setenv(t, XdgConfigHomeEnv, "")
 	if isSet {
-		_ = os.Unsetenv(XdgConfigHomeEnv)
+		unsetenv(t, XdgConfigHomeEnv)
 	}
 	_, err := DefaultAbsPluginHome(filesys.MakeFsInMemory())
 	if isSet {
-		os.Setenv(XdgConfigHomeEnv, keep)
+		setenv(t, XdgConfigHomeEnv, keep)
 	}
 	if err == nil {
 		t.Fatalf("expected err")
@@ -142,14 +142,16 @@ func TestDefaultAbsPluginHomeNoXdgWithDotConfig(t *testing.T) {
 	fSys := filesys.MakeFsInMemory()
 	configDir := filepath.Join(
 		HomeDir(), XdgConfigHomeEnvDefault, ProgramName, RelPluginHome)
-	fSys.Mkdir(configDir)
+	err := fSys.Mkdir(configDir)
+	require.NoError(t, err)
 	keep, isSet := os.LookupEnv(XdgConfigHomeEnv)
 	if isSet {
-		_ = os.Unsetenv(XdgConfigHomeEnv)
+		unsetenv(t, XdgConfigHomeEnv)
 	}
-	s, _ := DefaultAbsPluginHome(fSys)
+	s, err := DefaultAbsPluginHome(fSys)
+	require.NoError(t, err)
 	if isSet {
-		os.Setenv(XdgConfigHomeEnv, keep)
+		setenv(t, XdgConfigHomeEnv, keep)
 	}
 	if s != configDir {
 		t.Fatalf("unexpected config dir: %s", s)
@@ -160,16 +162,26 @@ func TestDefaultAbsPluginHomeNoXdgJustHomeDir(t *testing.T) {
 	fSys := filesys.MakeFsInMemory()
 	configDir := filepath.Join(
 		HomeDir(), ProgramName, RelPluginHome)
-	fSys.Mkdir(configDir)
+	err := fSys.Mkdir(configDir)
+	require.NoError(t, err)
 	keep, isSet := os.LookupEnv(XdgConfigHomeEnv)
 	if isSet {
-		_ = os.Unsetenv(XdgConfigHomeEnv)
+		unsetenv(t, XdgConfigHomeEnv)
 	}
-	s, _ := DefaultAbsPluginHome(fSys)
+	s, err := DefaultAbsPluginHome(fSys)
+	require.NoError(t, err)
 	if isSet {
-		os.Setenv(XdgConfigHomeEnv, keep)
+		setenv(t, XdgConfigHomeEnv, keep)
 	}
 	if s != configDir {
 		t.Fatalf("unexpected config dir: %s", s)
 	}
 }
+
+func setenv(t *testing.T, key, value string) {
+	require.NoError(t, os.Setenv(key, value))
+}
+
+func unsetenv(t *testing.T, key string) {
+	require.NoError(t, os.Unsetenv(key))
+}

api/krusty/iampolicygenerator_test.go

@@ -0,0 +1,124 @@
+package krusty_test
+
+import (
+	"testing"
+
+	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
+)
+
+func TestGkeGenerator(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- |-
+  apiVersion: builtin
+  kind: IAMPolicyGenerator
+  metadata:
+    name: my-gke-generator
+  cloud: gke
+  kubernetesService:
+    name: k8s-sa-name
+  serviceAccount:
+    name: gsa-name
+    projectId: project-id
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}
+
+func TestGkeGeneratorWithNamespace(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- |-
+  apiVersion: builtin
+  kind: IAMPolicyGenerator
+  metadata:
+    name: my-gke-generator
+  cloud: gke
+  kubernetesService: 
+    namespace: k8s-namespace
+    name: k8s-sa-name
+  serviceAccount:
+    name: gsa-name
+    projectId: project-id
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name@project-id.iam.gserviceaccount.com
+  name: k8s-sa-name
+  namespace: k8s-namespace
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}
+
+func TestGkeGeneratorWithTwo(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+generators:
+- gkegenerator1.yaml
+- gkegenerator2.yaml
+`)
+
+	th.WriteF("gkegenerator1.yaml", `
+apiVersion: builtin
+kind: IAMPolicyGenerator
+metadata:
+  name: my-gke-generator1
+cloud: gke
+kubernetesService: 
+  namespace: k8s-namespace-1
+  name: k8s-sa-name-1
+serviceAccount:
+  name: gsa-name-1
+  projectId: project-id-1
+`)
+	th.WriteF("gkegenerator2.yaml", `
+apiVersion: builtin
+kind: IAMPolicyGenerator
+metadata:
+  name: my-gke-generator2
+cloud: gke
+kubernetesService:
+  name: k8s-sa-name-2
+serviceAccount:
+  name: gsa-name-2
+  projectId: project-id-2
+`)
+	expected := `
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name-1@project-id-1.iam.gserviceaccount.com
+  name: k8s-sa-name-1
+  namespace: k8s-namespace-1
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: gsa-name-2@project-id-2.iam.gserviceaccount.com
+  name: k8s-sa-name-2
+`
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+}

api/krusty/kustomizer.go

@@ -8,7 +8,6 @@ import (
 	"path/filepath"
 
 	"sigs.k8s.io/kustomize/api/builtins"
-	"sigs.k8s.io/kustomize/api/filesys"
 	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/internal/target"
 	"sigs.k8s.io/kustomize/api/konfig"
@@ -17,6 +16,7 @@ import (
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/openapi"
 )
 
@@ -90,19 +90,25 @@ func (b *Kustomizer) Run(
 		return nil, err
 	}
 	if b.options.DoLegacyResourceSort {
-		builtins.NewLegacyOrderTransformerPlugin().Transform(m)
+		err = builtins.NewLegacyOrderTransformerPlugin().Transform(m)
+		if err != nil {
+			return nil, err
+		}
 	}
 	if b.options.AddManagedbyLabel {
 		t := builtins.LabelTransformerPlugin{
 			Labels: map[string]string{
-				konfig.ManagedbyLabelKey: fmt.Sprintf(
-					"kustomize-%s", provenance.GetProvenance().Semver())},
+				konfig.ManagedbyLabelKey: fmt.Sprintf("kustomize-%s", provenance.GetProvenance().Semver()),
+			},
 			FieldSpecs: []types.FieldSpec{{
 				Path:               "metadata/labels",
 				CreateIfNotPresent: true,
 			}},
 		}
-		t.Transform(m)
+		err = t.Transform(m)
+		if err != nil {
+			return nil, err
+		}
 	}
 	m.RemoveBuildAnnotations()
 	return m, nil

api/krusty/kustomizer_test.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // A simple usage example to shows what happens when

api/krusty/multiplepatch_test.go

@@ -6,9 +6,319 @@ package krusty_test
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
 )
 
+func TestPatchesInOneFile(t *testing.T) {
+	th := kusttest_test.MakeHarness(t)
+	th.WriteK("base", `
+resources:
+- namespace.yaml
+- deployment-controller-manager.yaml
+- deployment-audit-manager.yaml
+`)
+	th.WriteF("base/namespace.yaml", `
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    admission.gatekeeper.sh/ignore: no-self-managing
+  name: system
+`)
+	th.WriteF("base/deployment-controller-manager.yaml", `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    gatekeeper.sh/operation: webhook
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook
+  replicas: 3
+  template:
+    metadata:
+      annotations:
+        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
+      labels:
+        control-plane: controller-manager
+        gatekeeper.sh/operation: webhook
+    spec:
+      containers:
+        - command:
+            - /manager
+          args:
+            - "--port=8443"
+            - "--logtostderr"
+            - "--exempt-namespace=gatekeeper-system"
+            - "--operation=webhook"
+          image: openpolicyagent/gatekeeper:v3.4.0
+          imagePullPolicy: Always
+          name: manager
+      terminationGracePeriodSeconds: 60
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+`)
+	th.WriteF("base/deployment-audit-manager.yaml", `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: audit
+  namespace: system
+  labels:
+    control-plane: audit-controller
+    gatekeeper.sh/operation: audit
+spec:
+  selector:
+    matchLabels:
+      control-plane: audit-controller
+      gatekeeper.sh/operation: audit
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: audit-controller
+        gatekeeper.sh/operation: audit
+      annotations:
+        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
+    spec:
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - --operation=audit
+            - --operation=status
+            - --logtostderr
+          command:
+            - /manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          image: openpolicyagent/gatekeeper:v3.4.0
+          imagePullPolicy: Always
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 9090
+          name: manager
+      serviceAccountName: gatekeeper-admin
+      terminationGracePeriodSeconds: 60
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+`)
+	const imagePatchAuditManager = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: audit
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - image: AUDIT_IMAGE
+        name: manager
+        args:
+        - --port=8443
+        - --logtostderr
+        - --emit-admission-events
+        - --exempt-namespace=gatekeeper-system
+        - --operation=webhook
+        - --disable-opa-builtin=http.send
+`
+	const imagePatchControllerManager = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - image: CONTROLLER_IMAGE
+        name: manager
+        args:
+        - --emit-audit-events
+        - --operation=audit
+        - --operation=status
+        - --logtostderr
+`
+	th.WriteF(
+		"overlay/image_patch_audit_manager.yaml",
+		imagePatchAuditManager)
+	th.WriteF(
+		"overlay/image_patch_controller_manager.yaml",
+		imagePatchControllerManager)
+	const expected = `
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    admission.gatekeeper.sh/ignore: no-self-managing
+    control-plane: controller-manager
+  name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+    gatekeeper.sh/operation: webhook
+  name: controller-manager
+  namespace: system
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      gatekeeper.sh/operation: webhook
+  template:
+    metadata:
+      annotations:
+        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
+      labels:
+        control-plane: controller-manager
+        gatekeeper.sh/operation: webhook
+    spec:
+      containers:
+      - args:
+        - --emit-audit-events
+        - --operation=audit
+        - --operation=status
+        - --logtostderr
+        command:
+        - /manager
+        image: CONTROLLER_IMAGE
+        imagePullPolicy: Always
+        name: manager
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      terminationGracePeriodSeconds: 60
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: audit-controller
+    gatekeeper.sh/operation: audit
+  name: audit
+  namespace: system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: audit-controller
+      gatekeeper.sh/operation: audit
+  template:
+    metadata:
+      annotations:
+        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
+      labels:
+        control-plane: audit-controller
+        gatekeeper.sh/operation: audit
+    spec:
+      automountServiceAccountToken: true
+      containers:
+      - args:
+        - --port=8443
+        - --logtostderr
+        - --emit-admission-events
+        - --exempt-namespace=gatekeeper-system
+        - --operation=webhook
+        - --disable-opa-builtin=http.send
+        command:
+        - /manager
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        image: AUDIT_IMAGE
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
+        name: manager
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: gatekeeper-admin
+      terminationGracePeriodSeconds: 60
+`
+	// Technique 1: "patchesStrategicMerge:" field, two patch files.
+	th.WriteK("overlay", `
+resources:
+- ../base
+patchesStrategicMerge:
+- image_patch_controller_manager.yaml
+- image_patch_audit_manager.yaml
+`)
+	m := th.Run("overlay", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+
+	// Technique 2: "patches:" field, two patch files.
+	th.WriteK("overlay", `
+resources:
+- ../base
+patches:
+- path: image_patch_controller_manager.yaml
+- path: image_patch_audit_manager.yaml
+`)
+	m = th.Run("overlay", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+
+	// Technique 3: "patchesStrategicMerge:" field, one patch file.
+	th.WriteK("overlay", `
+resources:
+- ../base
+patchesStrategicMerge:
+- twoPatchesInOneFile.yaml
+`)
+	th.WriteF(
+		"overlay/twoPatchesInOneFile.yaml",
+		imagePatchAuditManager+"\n---\n"+imagePatchControllerManager)
+	m = th.Run("overlay", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, expected)
+
+	// Technique 4: "patches:" field, one patch file.  Fails.
+	th.WriteK("overlay", `
+resources:
+- ../base
+patches:
+- path: twoPatchesInOneFile.yaml
+`)
+	err := th.RunWithErr("overlay", th.MakeDefaultOptions())
+	assert.Error(t, err)
+	// This should fail, because the semantics of the `patches` field.
+	// That field allows specific patch targeting to a list of targets,
+	// while the `patchesStrategicMerge` field accepts patches that
+	// implicitly identify their targets via GVKN.
+	assert.Contains(t, err.Error(), "unable to parse SM or JSON patch from ")
+}
+
 func TestRemoveEmptyDirWithNullFieldInSmp(t *testing.T) {
 	th := kusttest_test.MakeHarness(t)
 	th.WriteK(".", `

api/krusty/openapicustomschema_test.go

@@ -17,6 +17,11 @@ func writeTestSchema(th kusttest_test.Harness, filepath string) {
 	th.WriteF(filepath+"mycrd_schema.json", string(bytes))
 }
 
+func writeTestSchemaYaml(th kusttest_test.Harness, filepath string) {
+	bytes, _ := ioutil.ReadFile("testdata/customschema.yaml")
+	th.WriteF(filepath+"mycrd_schema.yaml", string(bytes))
+}
+
 func writeCustomResource(th kusttest_test.Harness, filepath string) {
 	th.WriteF(filepath, `
 apiVersion: example.com/v1alpha1
@@ -103,6 +108,21 @@ openapi:
 	th.AssertActualEqualsExpected(m, patchedCustomResource)
 }
 
+func TestCustomOpenApiFieldYaml(t *testing.T) {
+	th := kusttest_test.MakeHarness(t)
+	th.WriteK(".", `
+resources:
+- mycrd.yaml
+openapi:
+  path: mycrd_schema.yaml
+`+customSchemaPatch)
+	writeCustomResource(th, "mycrd.yaml")
+	writeTestSchemaYaml(th, "./")
+	openapi.ResetOpenAPI()
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, patchedCustomResource)
+}
+
 // Error if user tries to specify both builtin version
 // and custom schema
 func TestCustomOpenApiFieldBothPathAndVersion(t *testing.T) {

api/krusty/pluginenv_test.go

@@ -9,9 +9,9 @@ import (
 	"path/filepath"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/konfig"
 	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // The PrintPluginEnv plugin is a toy plugin that emits

api/krusty/remoteload_test.go

@@ -7,9 +7,9 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestRemoteLoad(t *testing.T) {

api/krusty/replacementtransformer_test.go

@@ -261,3 +261,224 @@ spec:
         name: nginx
 `)
 }
+
+func TestReplacementTransformerWithOriginalName(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteF("base/deployments.yaml", `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: target
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:oldtag
+        name: nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: source
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:newtag
+        name: nginx
+`)
+	th.WriteK("base", `
+resources:
+- deployments.yaml
+`)
+	th.WriteK("overlay", `
+namePrefix: prefix1-
+resources:
+- ../base
+`)
+
+	th.WriteK(".", `
+namePrefix: prefix2-
+resources:
+- overlay
+replacements:
+- path: replacement.yaml
+`)
+	th.WriteF("replacement.yaml", `
+source:
+  name: source
+  fieldPath: spec.template.spec.containers.0.image
+targets:
+- select:
+    name: prefix1-target
+  fieldPaths:
+  - spec.template.spec.containers.[name=nginx].image
+`)
+
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prefix2-prefix1-target
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:newtag
+        name: nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prefix2-prefix1-source
+spec:
+  template:
+    spec:
+      containers:
+      - image: nginx:newtag
+        name: nginx
+`)
+}
+
+// TODO: Address namePrefix in overlay not applying to replacement targets
+// The property `data.blue-name` should end up being `overlay-blue` instead of `blue`
+// https://github.com/kubernetes-sigs/kustomize/issues/4034
+func TestReplacementTransformerWithNamePrefixOverlay(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK("base", `
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: blue
+- name: red
+replacements:
+- source:
+    kind: ConfigMap
+    name: blue
+    fieldPath: metadata.name
+  targets:
+  - select:
+      name: red
+    fieldPaths:
+    - data.blue-name
+    options:
+      create: true
+`)
+
+	th.WriteK(".", `
+namePrefix: overlay-
+resources:
+- base
+`)
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: overlay-blue
+---
+apiVersion: v1
+data:
+  blue-name: blue
+kind: ConfigMap
+metadata:
+  name: overlay-red
+`)
+}
+
+// TODO: Address namespace in overlay not applying to replacement targets
+// The property `data.blue-namespace` should end up being `overlay-namespace` instead of `base-namespace`
+// https://github.com/kubernetes-sigs/kustomize/issues/4034
+func TestReplacementTransformerWithNamespaceOverlay(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK("base", `
+namespace: base-namespace
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: blue
+- name: red
+replacements:
+- source:
+    kind: ConfigMap
+    name: blue
+    fieldPath: metadata.namespace
+  targets:
+  - select:
+      name: red
+    fieldPaths:
+    - data.blue-namespace
+    options:
+      create: true
+`)
+
+	th.WriteK(".", `
+namespace: overlay-namespace
+resources:
+- base
+`)
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blue
+  namespace: overlay-namespace
+---
+apiVersion: v1
+data:
+  blue-namespace: base-namespace
+kind: ConfigMap
+metadata:
+  name: red
+  namespace: overlay-namespace
+`)
+}
+
+// TODO: Address configMapGenerator suffix not applying to replacement targets
+// The property `data.blue-name` should end up being `blue-6ct58987ht` instead of `blue`
+// https://github.com/kubernetes-sigs/kustomize/issues/4034
+func TestReplacementTransformerWithConfigMapGenerator(t *testing.T) {
+	th := kusttest_test.MakeEnhancedHarness(t)
+	defer th.Reset()
+
+	th.WriteK(".", `
+configMapGenerator:
+- name: blue
+- name: red
+replacements:
+- source:
+    kind: ConfigMap
+    name: blue
+    fieldPath: metadata.name
+  targets:
+  - select:
+      name: red
+    fieldPaths:
+    - data.blue-name
+    options:
+      create: true
+`)
+
+	m := th.Run(".", th.MakeDefaultOptions())
+	th.AssertActualEqualsExpected(m, `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blue-6ct58987ht
+---
+apiVersion: v1
+data:
+  blue-name: blue
+kind: ConfigMap
+metadata:
+  name: red-dc6gc5btkc
+`)
+}

api/krusty/testdata/customschema.yaml

@@ -0,0 +1,75 @@
+definitions:
+  v1alpha1.MyCRD:
+    properties:
+      apiVersion:
+        type: string
+      kind:
+        type: string
+      metadata:
+        type: object
+      spec:
+        properties:
+          template:
+            "$ref": "#/definitions/io.k8s.api.core.v1.PodTemplateSpec"
+        type: object
+      status:
+        properties:
+          success:
+            type: boolean
+        type: object
+    type: object
+    x-kubernetes-group-version-kind:
+      - group: example.com
+        kind: MyCRD
+        version: v1alpha1
+  io.k8s.api.core.v1.PodTemplateSpec:
+    properties:
+      metadata:
+        "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+      spec:
+        "$ref": "#/definitions/io.k8s.api.core.v1.PodSpec"
+    type: object
+  io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta:
+    properties:
+      name:
+        type: string
+    type: object
+  io.k8s.api.core.v1.PodSpec:
+    properties:
+      containers:
+        items:
+          "$ref": "#/definitions/io.k8s.api.core.v1.Container"
+        type: array
+        x-kubernetes-patch-merge-key: name
+        x-kubernetes-patch-strategy: merge
+    type: object
+  io.k8s.api.core.v1.Container:
+    properties:
+      command:
+        items:
+          type: string
+        type: array
+      image:
+        type: string
+      name:
+        type: string
+      ports:
+        items:
+          "$ref": "#/definitions/io.k8s.api.core.v1.ContainerPort"
+        type: array
+        x-kubernetes-list-map-keys:
+          - containerPort
+          - protocol
+        x-kubernetes-list-type: map
+        x-kubernetes-patch-merge-key: containerPort
+        x-kubernetes-patch-strategy: merge
+    type: object
+  io.k8s.api.core.v1.ContainerPort:
+    properties:
+      containerPort:
+        type: integer
+      name:
+        type: string
+      protocol:
+        type: string
+    type: object

api/kv/kv_test.go

@@ -7,10 +7,11 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"github.com/stretchr/testify/require"
 	ldr "sigs.k8s.io/kustomize/api/loader"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func makeKvLoader(fSys filesys.FileSystem) *loader {
@@ -83,7 +84,8 @@ func TestKeyValuesFromFileSources(t *testing.T) {
 	}
 
 	fSys := filesys.MakeFsInMemory()
-	fSys.WriteFile("/files/app-init.ini", []byte("FOO=bar"))
+	err := fSys.WriteFile("/files/app-init.ini", []byte("FOO=bar"))
+	require.NoError(t, err)
 	kvl := makeKvLoader(fSys)
 	for _, tc := range tests {
 		kvs, err := kvl.keyValuesFromFileSources(tc.sources)

api/loader/fileloader.go

@@ -12,9 +12,9 @@ import (
 	"path/filepath"
 	"strings"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // fileLoader is a kustomization's interface to files.

api/loader/fileloader_test.go

@@ -14,10 +14,10 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/git"
 	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 type testData struct {

api/loader/loader.go

@@ -5,9 +5,9 @@
 package loader
 
 import (
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // NewLoader returns a Loader pointed at the given target.

api/loader/loadrestrictions.go

@@ -6,7 +6,7 @@ package loader
 import (
 	"fmt"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 type LoadRestrictorFunc func(

api/loader/loadrestrictions_test.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestRestrictionNone(t *testing.T) {

api/resmap/factory_test.go

@@ -8,7 +8,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/kv"
 	"sigs.k8s.io/kustomize/api/loader"
@@ -16,6 +15,7 @@ import (
 	resmaptest_test "sigs.k8s.io/kustomize/api/testutils/resmaptest"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
@@ -219,8 +219,10 @@ BAR=baz
 		}
 		r, err := rmF.NewResMapFromConfigMapArgs(kvLdr, tc.input)
 		assert.NoError(t, err, tc.description)
+		r.RemoveBuildAnnotations()
 		rYaml, err := r.AsYaml()
 		assert.NoError(t, err, tc.description)
+		tc.expected.RemoveBuildAnnotations()
 		expYaml, err := tc.expected.AsYaml()
 		assert.NoError(t, err, tc.description)
 		assert.Equal(t, expYaml, rYaml)
@@ -252,6 +254,7 @@ func TestNewResMapFromSecretArgs(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
+	actual.RemoveBuildAnnotations()
 	actYaml, err := actual.AsYaml()
 	assert.NoError(t, err)
 

api/resmap/reswrangler_test.go

@@ -343,9 +343,9 @@ func TestGetMatchingResourcesByAnyId(t *testing.T) {
 			"metadata": map[string]interface{}{
 				"name": "new-alice",
 				"annotations": map[string]interface{}{
-					"config.kubernetes.io/previousKinds":      "ConfigMap",
-					"config.kubernetes.io/previousNames":      "alice",
-					"config.kubernetes.io/previousNamespaces": "default",
+					"internal.config.kubernetes.io/previousKinds":      "ConfigMap",
+					"internal.config.kubernetes.io/previousNames":      "alice",
+					"internal.config.kubernetes.io/previousNamespaces": "default",
 				},
 			},
 		})
@@ -356,9 +356,9 @@ func TestGetMatchingResourcesByAnyId(t *testing.T) {
 			"metadata": map[string]interface{}{
 				"name": "new-bob",
 				"annotations": map[string]interface{}{
-					"config.kubernetes.io/previousKinds":      "ConfigMap,ConfigMap",
-					"config.kubernetes.io/previousNames":      "bob,bob2",
-					"config.kubernetes.io/previousNamespaces": "default,default",
+					"internal.config.kubernetes.io/previousKinds":      "ConfigMap,ConfigMap",
+					"internal.config.kubernetes.io/previousNames":      "bob,bob2",
+					"internal.config.kubernetes.io/previousNamespaces": "default,default",
 				},
 			},
 		})
@@ -370,9 +370,9 @@ func TestGetMatchingResourcesByAnyId(t *testing.T) {
 				"name":      "new-bob",
 				"namespace": "new-happy",
 				"annotations": map[string]interface{}{
-					"config.kubernetes.io/previousKinds":      "ConfigMap",
-					"config.kubernetes.io/previousNames":      "bob",
-					"config.kubernetes.io/previousNamespaces": "happy",
+					"internal.config.kubernetes.io/previousKinds":      "ConfigMap",
+					"internal.config.kubernetes.io/previousNames":      "bob",
+					"internal.config.kubernetes.io/previousNamespaces": "happy",
 				},
 			},
 		})
@@ -384,9 +384,9 @@ func TestGetMatchingResourcesByAnyId(t *testing.T) {
 				"name":      "charlie",
 				"namespace": "happy",
 				"annotations": map[string]interface{}{
-					"config.kubernetes.io/previousKinds":      "ConfigMap",
-					"config.kubernetes.io/previousNames":      "charlie",
-					"config.kubernetes.io/previousNamespaces": "default",
+					"internal.config.kubernetes.io/previousKinds":      "ConfigMap",
+					"internal.config.kubernetes.io/previousNames":      "charlie",
+					"internal.config.kubernetes.io/previousNamespaces": "default",
 				},
 			},
 		})
@@ -845,6 +845,8 @@ func TestAbsorbAll(t *testing.T) {
 		}))
 	w := makeMap1()
 	assert.NoError(t, w.AbsorbAll(makeMap2(types.BehaviorMerge)))
+	expected.RemoveBuildAnnotations()
+	w.RemoveBuildAnnotations()
 	assert.NoError(t, expected.ErrorIfNotEqualLists(w))
 	w = makeMap1()
 	assert.NoError(t, w.AbsorbAll(nil))
@@ -853,6 +855,7 @@ func TestAbsorbAll(t *testing.T) {
 	w = makeMap1()
 	w2 := makeMap2(types.BehaviorReplace)
 	assert.NoError(t, w.AbsorbAll(w2))
+	w2.RemoveBuildAnnotations()
 	assert.NoError(t, w2.ErrorIfNotEqualLists(w))
 	w = makeMap1()
 	w2 = makeMap2(types.BehaviorUnspecified)

api/resource/factory.go

@@ -22,6 +22,12 @@ import (
 // Factory makes instances of Resource.
 type Factory struct {
 	hasher ifc.KustHasher
+
+	// When set to true, IncludeLocalConfigs indicates
+	// that Factory should include resources with the
+	// annotation 'config.kubernetes.io/local-config'.
+	// By default these resources are ignored.
+	IncludeLocalConfigs bool
 }
 
 // NewFactory makes an instance of Factory.
@@ -69,7 +75,9 @@ func (rf *Factory) makeOne(rn *yaml.RNode, o *types.GenArgs) *Resource {
 	if o == nil {
 		o = types.NewGenArgs(nil)
 	}
-	return &Resource{RNode: *rn, options: o}
+	resource := &Resource{RNode: *rn}
+	resource.SetOptions(o)
+	return resource
 }
 
 // SliceFromPatches returns a slice of resources given a patch path
@@ -221,13 +229,15 @@ func (rf *Factory) shouldIgnore(n *yaml.RNode) (bool, error) {
 	if n.IsNilOrEmpty() {
 		return true, nil
 	}
-	md, err := n.GetValidatedMetadata()
-	if err != nil {
-		return true, err
-	}
-	_, ignore := md.ObjectMeta.Annotations[konfig.IgnoredByKustomizeAnnotation]
-	if ignore {
-		return true, nil
+	if !rf.IncludeLocalConfigs {
+		md, err := n.GetValidatedMetadata()
+		if err != nil {
+			return true, err
+		}
+		_, ignore := md.ObjectMeta.Annotations[konfig.IgnoredByKustomizeAnnotation]
+		if ignore {
+			return true, nil
+		}
 	}
 	if foundNil, path := n.HasNilEntryInList(); foundNil {
 		return true, fmt.Errorf("empty item at %v in object %v", path, n)

api/resource/factory_test.go

@@ -9,10 +9,10 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/loader"
 	. "sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestSliceFromBytes(t *testing.T) {

api/resource/resource.go

@@ -4,14 +4,13 @@
 package resource
 
 import (
-	"errors"
 	"fmt"
 	"log"
 	"strings"
 
 	"sigs.k8s.io/kustomize/api/filters/patchstrategicmerge"
 	"sigs.k8s.io/kustomize/api/ifc"
-	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/resid"
@@ -23,33 +22,19 @@ import (
 // paired with metadata used by kustomize.
 type Resource struct {
 	kyaml.RNode
-	options     *types.GenArgs
-	refBy       []resid.ResId
 	refVarNames []string
 }
 
-const (
-	buildAnnotationPreviousKinds      = konfig.ConfigAnnoDomain + "/previousKinds"
-	buildAnnotationPreviousNames      = konfig.ConfigAnnoDomain + "/previousNames"
-	buildAnnotationPrefixes           = konfig.ConfigAnnoDomain + "/prefixes"
-	buildAnnotationSuffixes           = konfig.ConfigAnnoDomain + "/suffixes"
-	buildAnnotationPreviousNamespaces = konfig.ConfigAnnoDomain + "/previousNamespaces"
-
-	// the following are only for patches, to specify whether they can change names
-	// and kinds of their targets
-	buildAnnotationAllowNameChange = konfig.ConfigAnnoDomain + "/allowNameChange"
-	buildAnnotationAllowKindChange = konfig.ConfigAnnoDomain + "/allowKindChange"
-	allowed                        = "allowed"
-)
-
-var buildAnnotations = []string{
-	buildAnnotationPreviousKinds,
-	buildAnnotationPreviousNames,
-	buildAnnotationPrefixes,
-	buildAnnotationSuffixes,
-	buildAnnotationPreviousNamespaces,
-	buildAnnotationAllowNameChange,
-	buildAnnotationAllowKindChange,
+var BuildAnnotations = []string{
+	utils.BuildAnnotationPreviousKinds,
+	utils.BuildAnnotationPreviousNames,
+	utils.BuildAnnotationPrefixes,
+	utils.BuildAnnotationSuffixes,
+	utils.BuildAnnotationPreviousNamespaces,
+	utils.BuildAnnotationAllowNameChange,
+	utils.BuildAnnotationAllowKindChange,
+	utils.BuildAnnotationsRefBy,
+	utils.BuildAnnotationsGenOptions,
 }
 
 func (r *Resource) ResetRNode(incoming *Resource) {
@@ -95,6 +80,8 @@ func (r *Resource) DeepCopy() *Resource {
 // CopyMergeMetaDataFieldsFrom copies everything but the non-metadata in
 // the resource.
 // TODO: move to RNode, use GetMeta to improve performance.
+// TODO: make a version of mergeStringMaps that is build-annotation aware
+//   to avoid repeatedly setting refby and genargs annotations
 // Must remove the kustomize bit at the end.
 func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
 	if err := r.SetLabels(
@@ -102,7 +89,7 @@ func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
 		return fmt.Errorf("copyMerge cannot set labels - %w", err)
 	}
 	if err := r.SetAnnotations(
-		mergeStringMaps(other.GetAnnotations(), r.GetAnnotations())); err != nil {
+		mergeStringMapsWithBuildAnnotations(other.GetAnnotations(), r.GetAnnotations())); err != nil {
 		return fmt.Errorf("copyMerge cannot set annotations - %w", err)
 	}
 	if err := r.SetName(other.GetName()); err != nil {
@@ -116,8 +103,6 @@ func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error {
 }
 
 func (r *Resource) copyKustomizeSpecificFields(other *Resource) {
-	r.options = other.options
-	r.refBy = other.copyRefBy()
 	r.refVarNames = copyStringSlice(other.refVarNames)
 }
 
@@ -159,10 +144,10 @@ func (r *Resource) ErrIfNotEquals(o *Resource) error {
 func (r *Resource) ReferencesEqual(other *Resource) bool {
 	setSelf := make(map[resid.ResId]bool)
 	setOther := make(map[resid.ResId]bool)
-	for _, ref := range other.refBy {
+	for _, ref := range other.GetRefBy() {
 		setOther[ref] = true
 	}
-	for _, ref := range r.refBy {
+	for _, ref := range r.GetRefBy() {
 		if _, ok := setOther[ref]; !ok {
 			return false
 		}
@@ -171,15 +156,6 @@ func (r *Resource) ReferencesEqual(other *Resource) bool {
 	return len(setSelf) == len(setOther)
 }
 
-func (r *Resource) copyRefBy() []resid.ResId {
-	if r.refBy == nil {
-		return nil
-	}
-	s := make([]resid.ResId, len(r.refBy))
-	copy(s, r.refBy)
-	return s
-}
-
 func copyStringSlice(s []string) []string {
 	if s == nil {
 		return nil
@@ -191,12 +167,12 @@ func copyStringSlice(s []string) []string {
 
 // Implements ResCtx AddNamePrefix
 func (r *Resource) AddNamePrefix(p string) {
-	r.appendCsvAnnotation(buildAnnotationPrefixes, p)
+	r.appendCsvAnnotation(utils.BuildAnnotationPrefixes, p)
 }
 
 // Implements ResCtx AddNameSuffix
 func (r *Resource) AddNameSuffix(s string) {
-	r.appendCsvAnnotation(buildAnnotationSuffixes, s)
+	r.appendCsvAnnotation(utils.BuildAnnotationSuffixes, s)
 }
 
 func (r *Resource) appendCsvAnnotation(name, value string) {
@@ -214,30 +190,14 @@ func (r *Resource) appendCsvAnnotation(name, value string) {
 	}
 }
 
-func SameEndingSubarray(shortest, longest []string) bool {
-	if len(shortest) > len(longest) {
-		longest, shortest = shortest, longest
-	}
-	diff := len(longest) - len(shortest)
-	if len(shortest) == 0 {
-		return diff == 0
-	}
-	for i := len(shortest) - 1; i >= 0; i-- {
-		if longest[i+diff] != shortest[i] {
-			return false
-		}
-	}
-	return true
-}
-
 // Implements ResCtx GetNamePrefixes
 func (r *Resource) GetNamePrefixes() []string {
-	return r.getCsvAnnotation(buildAnnotationPrefixes)
+	return r.getCsvAnnotation(utils.BuildAnnotationPrefixes)
 }
 
 // Implements ResCtx GetNameSuffixes
 func (r *Resource) GetNameSuffixes() []string {
-	return r.getCsvAnnotation(buildAnnotationSuffixes)
+	return r.getCsvAnnotation(utils.BuildAnnotationSuffixes)
 }
 
 func (r *Resource) getCsvAnnotation(name string) []string {
@@ -252,7 +212,8 @@ func (r *Resource) getCsvAnnotation(name string) []string {
 // as OutermostPrefixSuffix but performs a deeper comparison
 // of the suffix and prefix slices.
 func (r *Resource) PrefixesSuffixesEquals(o ResCtx) bool {
-	return SameEndingSubarray(r.GetNamePrefixes(), o.GetNamePrefixes()) && SameEndingSubarray(r.GetNameSuffixes(), o.GetNameSuffixes())
+	return utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes()) &&
+		utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes())
 }
 
 // RemoveBuildAnnotations removes annotations created by the build process.
@@ -263,7 +224,7 @@ func (r *Resource) RemoveBuildAnnotations() {
 	if len(annotations) == 0 {
 		return
 	}
-	for _, a := range buildAnnotations {
+	for _, a := range BuildAnnotations {
 		delete(annotations, a)
 	}
 	if err := r.SetAnnotations(annotations); err != nil {
@@ -272,16 +233,16 @@ func (r *Resource) RemoveBuildAnnotations() {
 }
 
 func (r *Resource) setPreviousId(ns string, n string, k string) *Resource {
-	r.appendCsvAnnotation(buildAnnotationPreviousNames, n)
-	r.appendCsvAnnotation(buildAnnotationPreviousNamespaces, ns)
-	r.appendCsvAnnotation(buildAnnotationPreviousKinds, k)
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousNames, n)
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousNamespaces, ns)
+	r.appendCsvAnnotation(utils.BuildAnnotationPreviousKinds, k)
 	return r
 }
 
 // AllowNameChange allows name changes to the resource.
 func (r *Resource) AllowNameChange() {
 	annotations := r.GetAnnotations()
-	annotations[buildAnnotationAllowNameChange] = allowed
+	annotations[utils.BuildAnnotationAllowNameChange] = utils.Allowed
 	if err := r.SetAnnotations(annotations); err != nil {
 		panic(err)
 	}
@@ -289,14 +250,14 @@ func (r *Resource) AllowNameChange() {
 
 func (r *Resource) NameChangeAllowed() bool {
 	annotations := r.GetAnnotations()
-	v, ok := annotations[buildAnnotationAllowNameChange]
-	return ok && v == allowed
+	v, ok := annotations[utils.BuildAnnotationAllowNameChange]
+	return ok && v == utils.Allowed
 }
 
 // AllowKindChange allows kind changes to the resource.
 func (r *Resource) AllowKindChange() {
 	annotations := r.GetAnnotations()
-	annotations[buildAnnotationAllowKindChange] = allowed
+	annotations[utils.BuildAnnotationAllowKindChange] = utils.Allowed
 	if err := r.SetAnnotations(annotations); err != nil {
 		panic(err)
 	}
@@ -304,8 +265,8 @@ func (r *Resource) AllowKindChange() {
 
 func (r *Resource) KindChangeAllowed() bool {
 	annotations := r.GetAnnotations()
-	v, ok := annotations[buildAnnotationAllowKindChange]
-	return ok && v == allowed
+	v, ok := annotations[utils.BuildAnnotationAllowKindChange]
+	return ok && v == utils.Allowed
 }
 
 // String returns resource as JSON.
@@ -314,7 +275,7 @@ func (r *Resource) String() string {
 	if err != nil {
 		return "<" + err.Error() + ">"
 	}
-	return strings.TrimSpace(string(bs)) + r.options.String()
+	return strings.TrimSpace(string(bs))
 }
 
 // AsYAML returns the resource in Yaml form.
@@ -336,20 +297,43 @@ func (r *Resource) MustYaml() string {
 	return string(yml)
 }
 
+func (r *Resource) getGenArgs() *types.GenArgs {
+	annotations := r.GetAnnotations()
+	if genOptsAnno, ok := annotations[utils.BuildAnnotationsGenOptions]; ok {
+		var genOpts types.GeneratorArgs
+		yaml.Unmarshal([]byte(genOptsAnno), &genOpts)
+		return types.NewGenArgs(&genOpts)
+	}
+	return nil
+}
+
 // SetOptions updates the generator options for the resource.
 func (r *Resource) SetOptions(o *types.GenArgs) {
-	r.options = o
+	annotations := r.GetAnnotations()
+	if o.IsNilOrEmpty() {
+		if len(annotations) == 0 {
+			return
+		}
+		if o == nil {
+			delete(annotations, utils.BuildAnnotationsGenOptions)
+		}
+	} else {
+		b, _ := o.AsYaml()
+		annotations[utils.BuildAnnotationsGenOptions] = string(b)
+	}
+	r.SetAnnotations(annotations)
 }
 
 // Behavior returns the behavior for the resource.
 func (r *Resource) Behavior() types.GenerationBehavior {
-	return r.options.Behavior()
+	return r.getGenArgs().Behavior()
 }
 
 // NeedHashSuffix returns true if a resource content
 // hash should be appended to the name of the resource.
 func (r *Resource) NeedHashSuffix() bool {
-	return r.options != nil && r.options.ShouldAddHashSuffixToName()
+	options := r.getGenArgs()
+	return options != nil && options.ShouldAddHashSuffixToName()
 }
 
 // OrgId returns the original, immutable ResId for the resource.
@@ -369,26 +353,12 @@ func (r *Resource) OrgId() resid.ResId {
 // The returned array does not include the resource's current
 // ID. If there are no previous IDs, this will return nil.
 func (r *Resource) PrevIds() []resid.ResId {
-	var ids []resid.ResId
-	// TODO: merge previous names and namespaces into one list of
-	//     pairs on one annotation so there is no chance of error
-	names := r.getCsvAnnotation(buildAnnotationPreviousNames)
-	ns := r.getCsvAnnotation(buildAnnotationPreviousNamespaces)
-	kinds := r.getCsvAnnotation(buildAnnotationPreviousKinds)
-	if len(names) != len(ns) || len(names) != len(kinds) {
-		panic(errors.New(
-			"number of previous names, " +
-				"number of previous namespaces, " +
-				"number of previous kinds not equal"))
+	prevIds, err := utils.PrevIds(&r.RNode)
+	if err != nil {
+		// this should never happen
+		panic(err)
 	}
-	for i := range names {
-		k := kinds[i]
-		gvk := r.GetGvk()
-		gvk.Kind = k
-		ids = append(ids, resid.NewResIdWithNamespace(
-			gvk, names[i], ns[i]))
-	}
-	return ids
+	return prevIds
 }
 
 // StorePreviousId stores the resource's current ID via build annotations.
@@ -407,12 +377,18 @@ func (r *Resource) CurId() resid.ResId {
 
 // GetRefBy returns the ResIds that referred to current resource
 func (r *Resource) GetRefBy() []resid.ResId {
-	return r.refBy
+	var resIds []resid.ResId
+	asStrings := r.getCsvAnnotation(utils.BuildAnnotationsRefBy)
+	for _, s := range asStrings {
+		resIds = append(resIds, resid.FromString(s))
+	}
+	return resIds
 }
 
 // AppendRefBy appends a ResId into the refBy list
-func (r *Resource) AppendRefBy(id resid.ResId) {
-	r.refBy = append(r.refBy, id)
+// Using any type except fmt.Stringer here results in a compilation error
+func (r *Resource) AppendRefBy(id fmt.Stringer) {
+	r.appendCsvAnnotation(utils.BuildAnnotationsRefBy, id.String())
 }
 
 // GetRefVarNames returns vars that refer to current resource
@@ -468,3 +444,17 @@ func mergeStringMaps(maps ...map[string]string) map[string]string {
 	}
 	return result
 }
+
+func mergeStringMapsWithBuildAnnotations(maps ...map[string]string) map[string]string {
+	result := mergeStringMaps(maps...)
+	for i := range BuildAnnotations {
+		if len(maps) > 0 {
+			if v, ok := maps[0][BuildAnnotations[i]]; ok {
+				result[BuildAnnotations[i]] = v
+				continue
+			}
+		}
+		delete(result, BuildAnnotations[i])
+	}
+	return result
+}

api/resource/resource_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/provider"
 	. "sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
@@ -27,10 +28,10 @@ var testConfigMap = factory.FromMap(
 		},
 	})
 
-const genArgOptions = "{nsfx:false,beh:unspecified}"
-
 //nolint:gosec
 const configMapAsString = `{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"winnie","namespace":"hundred-acre-wood"}}`
+const configMapAsStringWithOptions = `{"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":` +
+	`{"internal.config.kubernetes.io/generatorOptions":"{}\n"},"name":"winnie","namespace":"hundred-acre-wood"}}`
 
 var testDeployment = factory.FromMap(
 	map[string]interface{}{
@@ -42,6 +43,8 @@ var testDeployment = factory.FromMap(
 	})
 
 const deploymentAsString = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"pooh"}}`
+const deploymentAsStringWithOptions = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":` +
+	`{"internal.config.kubernetes.io/generatorOptions":"{}\n"},"name":"pooh"}}`
 
 func TestAsYAML(t *testing.T) {
 	expected := `apiVersion: apps/v1
@@ -65,17 +68,37 @@ func TestResourceString(t *testing.T) {
 	}{
 		{
 			in: testConfigMap,
-			s:  configMapAsString + genArgOptions,
+			s:  configMapAsString,
 		},
 		{
 			in: testDeployment,
-			s:  deploymentAsString + genArgOptions,
+			s:  deploymentAsString,
 		},
 	}
 	for _, test := range tests {
-		if test.in.String() != test.s {
-			t.Fatalf("Expected %s == %s", test.in.String(), test.s)
-		}
+		assert.Equal(t, test.in.String(), test.s)
+	}
+}
+
+func TestResourceStringWithOptionsAnnotations(t *testing.T) {
+	tests := []struct {
+		in *Resource
+		s  string
+	}{
+		{
+			in: testConfigMap,
+			s:  configMapAsStringWithOptions,
+		},
+		{
+			in: testDeployment,
+			s:  deploymentAsStringWithOptions,
+		},
+	}
+	for _, test := range tests {
+		args := &types.GeneratorArgs{}
+		options := types.NewGenArgs(args)
+		test.in.SetOptions(options)
+		assert.Equal(t, test.in.String(), test.s)
 	}
 }
 
@@ -716,9 +739,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret
-    config.kubernetes.io/previousNames: oldName
-    config.kubernetes.io/previousNamespaces: default
+    internal.config.kubernetes.io/previousKinds: Secret
+    internal.config.kubernetes.io/previousNames: oldName
+    internal.config.kubernetes.io/previousNamespaces: default
   name: newName
 `,
 		},
@@ -728,9 +751,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret
-    config.kubernetes.io/previousNames: oldName
-    config.kubernetes.io/previousNamespaces: default
+    internal.config.kubernetes.io/previousKinds: Secret
+    internal.config.kubernetes.io/previousNames: oldName
+    internal.config.kubernetes.io/previousNamespaces: default
   name: oldName2
 `,
 			newName: "newName",
@@ -739,9 +762,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret,Secret
-    config.kubernetes.io/previousNames: oldName,oldName2
-    config.kubernetes.io/previousNamespaces: default,default
+    internal.config.kubernetes.io/previousKinds: Secret,Secret
+    internal.config.kubernetes.io/previousNames: oldName,oldName2
+    internal.config.kubernetes.io/previousNamespaces: default,default
   name: newName
 `,
 		},
@@ -751,9 +774,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret
-    config.kubernetes.io/previousNames: oldName
-    config.kubernetes.io/previousNamespaces: default
+    internal.config.kubernetes.io/previousKinds: Secret
+    internal.config.kubernetes.io/previousNames: oldName
+    internal.config.kubernetes.io/previousNamespaces: default
   name: oldName2
   namespace: oldNamespace
 `,
@@ -763,9 +786,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret,Secret
-    config.kubernetes.io/previousNames: oldName,oldName2
-    config.kubernetes.io/previousNamespaces: default,oldNamespace
+    internal.config.kubernetes.io/previousKinds: Secret,Secret
+    internal.config.kubernetes.io/previousNames: oldName,oldName2
+    internal.config.kubernetes.io/previousNamespaces: default,oldNamespace
   name: newName
   namespace: newNamespace
 `,
@@ -813,9 +836,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret
-    config.kubernetes.io/previousNames: oldName
-    config.kubernetes.io/previousNamespaces: default
+    internal.config.kubernetes.io/previousKinds: Secret
+    internal.config.kubernetes.io/previousNames: oldName
+    internal.config.kubernetes.io/previousNamespaces: default
   name: newName
 `,
 			expected: []resid.ResId{
@@ -832,9 +855,9 @@ metadata:
 kind: Secret
 metadata:
   annotations:
-    config.kubernetes.io/previousKinds: Secret,Secret
-    config.kubernetes.io/previousNames: oldName,oldName2
-    config.kubernetes.io/previousNamespaces: default,oldNamespace
+    internal.config.kubernetes.io/previousKinds: Secret,Secret
+    internal.config.kubernetes.io/previousNames: oldName,oldName2
+    internal.config.kubernetes.io/previousNamespaces: default,oldNamespace
   name: newName
   namespace: newNamespace
 `,
@@ -1077,7 +1100,7 @@ func TestSameEndingSubarray(t *testing.T) {
 	for n := range testCases {
 		tc := testCases[n]
 		t.Run(n, func(t *testing.T) {
-			assert.Equal(t, tc.expected, SameEndingSubarray(tc.a, tc.b))
+			assert.Equal(t, tc.expected, utils.SameEndingSubSlice(tc.a, tc.b))
 		})
 	}
 }
@@ -1132,3 +1155,73 @@ spec:
 		t.Fatalf("expected '%s', got '%s'", expected, actual)
 	}
 }
+
+func TestRefBy(t *testing.T) {
+	r, err := factory.FromBytes([]byte(`
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: clown
+spec:
+  numReplicas: 1
+`))
+	assert.NoError(t, err)
+	r.AppendRefBy(resid.FromString("gr1_ver1_knd1|ns1|name1"))
+	assert.Equal(t, r.RNode.MustString(), `apiVersion: v1
+kind: Deployment
+metadata:
+  name: clown
+  annotations:
+    internal.config.kubernetes.io/refBy: gr1_ver1_knd1|ns1|name1
+spec:
+  numReplicas: 1
+`)
+	assert.Equal(t, r.GetRefBy(), []resid.ResId{resid.FromString("gr1_ver1_knd1|ns1|name1")})
+
+	r.AppendRefBy(resid.FromString("gr2_ver2_knd2|ns2|name2"))
+	assert.Equal(t, r.RNode.MustString(), `apiVersion: v1
+kind: Deployment
+metadata:
+  name: clown
+  annotations:
+    internal.config.kubernetes.io/refBy: gr1_ver1_knd1|ns1|name1,gr2_ver2_knd2|ns2|name2
+spec:
+  numReplicas: 1
+`)
+	assert.Equal(t, r.GetRefBy(), []resid.ResId{
+		resid.FromString("gr1_ver1_knd1|ns1|name1"),
+		resid.FromString("gr2_ver2_knd2|ns2|name2"),
+	})
+}
+
+func TestOptions(t *testing.T) {
+	r, err := factory.FromBytes([]byte(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: example-configmap-test
+`))
+	assert.NoError(t, err)
+
+	args := &types.GeneratorArgs{
+		Behavior: "merge",
+		Options: &types.GeneratorOptions{
+			DisableNameSuffixHash: true,
+		},
+	}
+
+	options := types.NewGenArgs(args)
+	r.SetOptions(options)
+	assert.Equal(t, r.RNode.MustString(), `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: example-configmap-test
+  annotations:
+    internal.config.kubernetes.io/generatorOptions: |
+      behavior: merge
+      options:
+        disableNameSuffixHash: true
+`)
+	assert.Equal(t, r.Behavior(), types.BehaviorMerge)
+	assert.Equal(t, r.NeedHashSuffix(), !args.Options.DisableNameSuffixHash)
+}

api/testutils/kusttest/harness.go

@@ -7,12 +7,12 @@ import (
 	"path/filepath"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/konfig/builtinpluginconsts"
 	"sigs.k8s.io/kustomize/api/krusty"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // Harness manages a test environment.

api/testutils/kusttest/harnessenhanced.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/ifc"
 	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/konfig"
@@ -20,6 +19,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // HarnessEnhanced manages a full plugin environment for tests.
@@ -148,6 +148,13 @@ func (th *HarnessEnhanced) ResetLoaderRoot(root string) {
 }
 
 func (th *HarnessEnhanced) LoadAndRunGenerator(
+	config string) resmap.ResMap {
+	rm := th.LoadAndRunGeneratorWithBuildAnnotations(config)
+	rm.RemoveBuildAnnotations()
+	return rm
+}
+
+func (th *HarnessEnhanced) LoadAndRunGeneratorWithBuildAnnotations(
 	config string) resmap.ResMap {
 	res, err := th.rf.RF().FromBytes([]byte(config))
 	if err != nil {
@@ -162,7 +169,6 @@ func (th *HarnessEnhanced) LoadAndRunGenerator(
 	if err != nil {
 		th.t.Fatalf("generate err: %v", err)
 	}
-	rm.RemoveBuildAnnotations()
 	return rm
 }
 

api/testutils/kusttest/plugintestenv.go

@@ -7,10 +7,10 @@ import (
 	"os"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/filesys"
 	"sigs.k8s.io/kustomize/api/internal/plugins/compiler"
 	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
 	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 // pluginTestEnv manages compiling plugins for tests.

api/types/genargs.go

@@ -6,6 +6,8 @@ package types
 import (
 	"strconv"
 	"strings"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 // GenArgs is a facade over GeneratorArgs, exposing a few readonly properties.
@@ -39,8 +41,21 @@ func (g *GenArgs) ShouldAddHashSuffixToName() bool {
 
 // Behavior returns Behavior field of GeneratorArgs
 func (g *GenArgs) Behavior() GenerationBehavior {
-	if g.args == nil {
+	if g == nil || g.args == nil {
 		return BehaviorUnspecified
 	}
 	return NewGenerationBehavior(g.args.Behavior)
 }
+
+// IsNilOrEmpty returns true if g is nil or if the args are empty
+func (g *GenArgs) IsNilOrEmpty() bool {
+	return g == nil || g.args == nil
+}
+
+// AsYaml returns a yaml marshalling of the underlying Genargs
+func (g *GenArgs) AsYaml() ([]byte, error) {
+	if g == nil {
+		return yaml.Marshal(nil)
+	}
+	return yaml.Marshal(g.args)
+}

api/types/helmchartargs.go

@@ -68,6 +68,10 @@ type HelmChart struct {
 	// Legal values: 'merge', 'override', 'replace'.
 	// Defaults to 'override'.
 	ValuesMerge string `json:"valuesMerge,omitempty" yaml:"valuesMerge,omitempty"`
+
+	// IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions.
+	// Defaults to 'false'.
+	IncludeCRDs bool `json:"includeCRDs,omitempty" yaml:"includeCRDs,omitempty"`
 }
 
 // HelmChartArgs contains arguments to helm.

api/types/iampolicygenerator.go

@@ -0,0 +1,36 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package types
+
+type Cloud string
+
+const GKE Cloud = "gke"
+
+// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
+type IAMPolicyGeneratorArgs struct {
+	// which cloud provider to generate for (e.g. "gke")
+	Cloud `json:"cloud" yaml:"cloud"`
+
+	// information about the kubernetes cluster for this object
+	KubernetesService `json:"kubernetesService" yaml:"kubernetesService"`
+
+	// information about the service account and project
+	ServiceAccount `json:"serviceAccount" yaml:"serviceAccount"`
+}
+
+type KubernetesService struct {
+	// the name used for the Kubernetes service account
+	Name string `json:"name" yaml:"name"`
+
+	// the name of the Kubernetes namespace for this object
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+}
+
+type ServiceAccount struct {
+	// the name of the new cloud provider service account
+	Name string `json:"name" yaml:"name"`
+
+	// The ID of the project
+	ProjectId string `json:"projectId" yaml:"projectId"`
+}

api/types/pluginrestrictions.go

@@ -42,7 +42,7 @@ const (
 	BploLoadFromFileSys
 )
 
-// FnPluginLoadingOptions set way functions-based pluing are restricted
+// FnPluginLoadingOptions set way functions-based plugins are restricted
 type FnPluginLoadingOptions struct {
 	// Allow to run executables
 	EnableExec bool
@@ -55,4 +55,6 @@ type FnPluginLoadingOptions struct {
 	Mounts []string
 	// list of env variables to pass to fn
 	Env []string
+	// Run as uid and gid of the command executor
+	AsCurrentUser bool
 }

api/types/replacement.go

@@ -28,10 +28,10 @@ type SourceSelector struct {
 	resid.ResId `json:",inline,omitempty" yaml:",inline,omitempty"`
 
 	// Structured field path expected in the allowed object.
-	FieldPath string `json:"fieldPath" yaml:"fieldPath"`
+	FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"`
 
 	// Used to refine the interpretation of the field.
-	Options *FieldOptions `json:"options" yaml:"options"`
+	Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"`
 }
 
 func (s *SourceSelector) String() string {
@@ -54,34 +54,34 @@ type TargetSelector struct {
 	Select *Selector `json:"select" yaml:"select"`
 
 	// From the allowed set, remove objects that match this.
-	Reject []*Selector `json:"reject" yaml:"reject"`
+	Reject []*Selector `json:"reject,omitempty" yaml:"reject,omitempty"`
 
 	// Structured field paths expected in each allowed object.
-	FieldPaths []string `json:"fieldPaths" yaml:"fieldPaths"`
+	FieldPaths []string `json:"fieldPaths,omitempty" yaml:"fieldPaths,omitempty"`
 
 	// Used to refine the interpretation of the field.
-	Options *FieldOptions `json:"options" yaml:"options"`
+	Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"`
 }
 
 // FieldOptions refine the interpretation of FieldPaths.
 type FieldOptions struct {
 	// Used to split/join the field.
-	Delimiter string `json:"delimiter" yaml:"delimiter"`
+	Delimiter string `json:"delimiter,omitempty" yaml:"delimiter,omitempty"`
 
 	// Which position in the split to consider.
-	Index int `json:"index" yaml:"index"`
+	Index int `json:"index,omitempty" yaml:"index,omitempty"`
 
 	// TODO (#3492): Implement use of this option
 	// None, Base64, URL, Hex, etc
-	Encoding string `json:"encoding" yaml:"encoding"`
+	Encoding string `json:"encoding,omitempty" yaml:"encoding,omitempty"`
 
 	// If field missing, add it.
-	Create bool `json:"create" yaml:"create"`
+	Create bool `json:"create,omitempty" yaml:"create,omitempty"`
 }
 
 func (fo *FieldOptions) String() string {
-	if fo == nil || fo.Delimiter == "" {
+	if fo == nil || (fo.Delimiter == "" && !fo.Create) {
 		return ""
 	}
-	return fmt.Sprintf("%s(%d)", fo.Delimiter, fo.Index)
+	return fmt.Sprintf("%s(%d), create=%t", fo.Delimiter, fo.Index, fo.Create)
 }

api/types/selector.go

@@ -28,6 +28,10 @@ type Selector struct {
 	LabelSelector string `json:"labelSelector,omitempty" yaml:"labelSelector,omitempty"`
 }
 
+func (s *Selector) Copy() Selector {
+	return *s
+}
+
 func (s *Selector) String() string {
 	return fmt.Sprintf(
 		"%s:a=%s:l=%s", s.ResId, s.AnnotationSelector, s.LabelSelector)

cmd/config/completion/completion.go

@@ -17,17 +17,18 @@ func NewCommand() *cobra.Command {
 		DisableFlagsInUseLine: true,
 		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 		Args:                  cobra.ExactValidArgs(1),
-		Run: func(cmd *cobra.Command, args []string) {
+		RunE: func(cmd *cobra.Command, args []string) error {
 			switch args[0] {
 			case "bash":
-				cmd.Root().GenBashCompletion(os.Stdout)
+				return cmd.Root().GenBashCompletion(os.Stdout)
 			case "zsh":
-				cmd.Root().GenZshCompletion(os.Stdout)
+				return cmd.Root().GenZshCompletion(os.Stdout)
 			case "fish":
-				cmd.Root().GenFishCompletion(os.Stdout, true)
+				return cmd.Root().GenFishCompletion(os.Stdout, true)
 			case "powershell":
-				cmd.Root().GenPowerShellCompletion(os.Stdout)
+				return cmd.Root().GenPowerShellCompletion(os.Stdout)
 			}
+			return nil
 		},
 	}
 }

cmd/config/docs/api-conventions/config-io.md

@@ -1,65 +0,0 @@
-# Configuration IO API Semantics
-
-Resource Configuration may be read / written from / to sources such as directories,
-stdin|out or network. Tools may be composed using pipes such that the tools writing
-Resource Configuration may be a different tool from the one that read the configuration.
-In order for tools to be composed in this way, while preserving origin information --
-such as the original file, index, etc.:
-
-Tools **SHOULD** insert the following annotations when reading from sources,
-and **SHOULD** delete the annotations when writing to sinks.
-
-### `config.kubernetes.io/path`
-
-Records the slash-delimited, OS-agnostic, relative file path to a Resource.
-
-This annotation **SHOULD** be set when reading Resources from files.
-It **SHOULD** be unset when writing Resources to files.
-When writing Resources to a directory, the Resource **SHOULD** be written to the corresponding
-path relative to that directory.
-
-Example:
-
-```yaml
-metadata:
-  annotations:
-    config.kubernetes.io/path: "relative/file/path.yaml"
-```
-
-### `config.kubernetes.io/index`
-
-Records the index of a Resource in file. In a multi-object YAML file, Resources are separated
-by three dashes (`---`), and the index represents the position of the Resource starting from zero.
-
-This annotation **SHOULD** be set when reading Resources from files.
-It **SHOULD** be unset when writing Resources to files.
-When writing multiple Resources to the same file, the Resource **SHOULD** be written in the
-relative order matching the index.
-
-When this annotation is not specified, it implies a value of `0`.
-
-Example:
-
-```yaml
-metadata:
-  annotations:
-    config.kubernetes.io/path: "relative/file/path.yaml"
-    config.kubernetes.io/index: 2
-```
-
-This represents the third Resource in the file.
-
-### `config.kubernetes.io/local-config`
-
-`config.kubernetes.io/local-config` declares that the configuration is to local tools
-rather than a remote Resource. e.g. The `Kustomization` config in a `kustomization.yaml`
-**SHOULD** contain this annotation so that tools know it is not intended to be sent to
-the Kubernetes api server.
-
-Example:
-
-```yaml
-metadata:
-  annotations:
-    config.kubernetes.io/local-config: "true"
-```

cmd/config/docs/api-conventions/functions-spec.md

@@ -1,13 +1,18 @@
-# Configuration Functions Specification
+# KRM Functions Specification
+
+_apiVersion: v1_
+
+## Overview
 
 This document specifies a standard for client-side functions that operate on
-Kubernetes declarative configurations. This standard enables creating
-small, interoperable, and language-independent executable programs packaged as
-containers that can be chained together as part of a configuration management pipeline.
-The end result of such a pipeline are fully rendered configurations that can then be
-applied to a control plane (e.g. Using ‘kubectl apply’ for Kubernetes control plane).
-As such, although this document references Kubernetes Resource Model and API conventions,
-it is completely decoupled from Kubernetes API machinery and does not depend on any
+Kubernetes declarative configurations referred to as _KRM Functions_. This
+standard enables creating small, interoperable, and language-independent
+executable programs packaged as containers that can be chained together as part
+of a configuration management pipeline. The end result of such a pipeline are
+fully rendered configurations that can then be applied to a control plane (e.g.
+Using ‘kubectl apply’ for Kubernetes control plane). As such, although this
+document references Kubernetes Resource Model and API conventions, it is
+completely decoupled from Kubernetes API machinery and does not depend on any
 in-cluster components.
 
 This document references terms described in [Kubernetes API Conventions][1].
@@ -18,168 +23,361 @@ interpreted as described in [RFC 2119][2].
 
 ## Use Cases
 
-_Configuration functions_ enable shift-left practices (client-side) through:
+KRM functions enable shift-left practices (client-side) through:
 
 - Pre-commit / delivery validation and linting of configuration
-  - e.g. Fail if any containers don't have PodSecurityPolicy or CPU / Memory limits
-- Implementation of abstractions as client actuated APIs (e.g. templating)
-  - e.g. Create a client-side _"CRD"_ for generating configuration checked into git
-- Aspect Orient configuration / Injection of cross-cutting configuration
-  - e.g. T-Shirt size containers by annotating Resources with `small`, `medium`, `large`
-    and inject the cpu and memory resources into containers accordingly.
-  - e.g. Inject `init` and `side-car` containers into Resources based off of Resource
-    Type, annotations, etc.
+  - e.g. Fail if any containers don't have PodSecurityPolicy or CPU / Memory
+    limits
+- Implementation of abstractions as client actuated APIs
+  - e.g. Create a client-side _"CRD"_ for generating configuration checked into
+    git
+- Injection of cross-cutting configuration
+  - e.g. T-Shirt size containers by annotating resources with `small`, `medium`,
+    `large` and inject the cpu and memory resources into containers accordingly.
+  - e.g. Inject `init` and `side-car` containers into resources based off of
+    resource type, annotations, etc.
 
 Performing these on the client rather than the server enables:
 
 - Configuration to be reviewed prior to being sent to the API server
 - Configuration to be validated as part of the CI/CD pipeline
-- Configuration for Resources to validated holistically rather than individually
-  per-Resource
+- Configuration for resources to validated holistically rather than individually
+  per-resource
   - e.g. ensure the `Service.selector` and `Deployment.spec.template` labels
     match.
-  - e.g. MutatingWebHooks are scoped to a single Resource instance at a time.
+  - e.g. MutatingWebHooks are scoped to a single resource instance at a time.
 - Low-level tweaks to the output of high-level abstractions
-  - e.g. add an `init container` to a client _"CRD"_ Resource after it was generated.
+  - e.g. add an `init container` to a client _"CRD"_ resource after it was
+    generated.
 - Composition and layering of multiple functions together
   - Compose generation, injection, validation together
 
-## Spec
+## Definitions
 
-### Input Type
+- **function:** A containerized program conforming to the spec described in this
+  document.
+- **orchestrator:** A program that invokes the function container, passing
+  arguments and processing its output.
 
-A function MUST accept as input a single [Kubernetes List type][3].
-The `items` field in the input will contain a sequence of [Object types][3].
-A function MAY not support [Simple types][3] and List types.
+## Interface
 
-An example using `v1/ConfigMapList` as input:
+The inter-process communication between the orchestrator and a function works as
+follows:
+
+1. Orchestrator runs the function container and provides the input on `stdin`.
+   The input is a Kubernetes object of kind `ResourceList` as described below.
+2. Function reads the input from `stdin`, performs computations, and provides
+   the output as a `ResourceList` to `stdout`. The function MAY also emit
+   non-structured error message on `stderr`.
+3. Orchestrator uses the `stdout`, `stderr`, and the exit code of the function
+   as it sees fit following to the semantics described below.
+
+### Schema
+
+A function MUST accept input from `stdin` and MUST output to `stdout` a
+Kubernetes object of kind `ResourceList` with the following OpenAPI schema:
 
 ```yaml
-apiVersion: v1
-kind: ConfigMapList
-items:
-  - apiVersion: v1
-    kind: ConfigMap
-    metadata:
-      name: config1
-    data:
-      p1: v1
-      p2: v2
-  - apiVersion: v1
-    kind: ConfigMap
-    metadata:
-      name: config2
+swagger: "2.0"
+info:
+  title: KRM Functions Specification (ResourceList)
+  version: v1
+definitions:
+  ResourceList:
+    type: object
+    description: ResourceList is the input/output wire format for KRM functions.
+    x-kubernetes-group-version-kind:
+      - group: config.kubernetes.io
+        kind: ResourceList
+        version: v1
+      - group: config.kubernetes.io
+        kind: ResourceList
+        version: v1beta1
+    required:
+      - items
+    properties:
+      apiVersion:
+        description: apiVersion of ResourceList
+        type: string
+      kind:
+        description: kind of ResourceList i.e. `ResourceList`
+        type: string
+      items:
+        type: array
+        description: |
+          [input/output]
+          Items is a list of Kubernetes objects: 
+          https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds).
+
+          A function will read this field in the input ResourceList and populate
+          this field in the output ResourceList.
+        items:
+          type: object
+      functionConfig:
+        type: object
+        description: |
+          [input]
+          FunctionConfig is an optional Kubernetes object for passing arguments to a
+          function invocation.
+      results:
+        type: array
+        description: |
+          [output]
+          Results is an optional list that can be used by function to emit results
+          for observability and debugging purposes.
+        items:
+          "$ref": "#/definitions/Result"
+  Result:
+    type: object
+    required:
+      - message
+    properties:
+      message:
+        type: string
+        description: Message is a human readable message.
+      severity:
+        type: string
+        enum:
+          - error
+          - warning
+          - info
+        default: error
+        description: |
+          Severity is the severity of a result:
+
+          "error": indicates an error result.
+          "warning": indicates a warning result.
+          "info": indicates an informational result.
+      resourceRef:
+        type: object
+        description: |
+          ResourceRef is the metadata for referencing a Kubernetes object
+          associated with a result.
+        required:
+          - apiVersion
+          - kind
+          - name
+        properties:
+          apiVersion:
+            description:
+              APIVersion refers to the `apiVersion` field of the object
+              manifest.
+            type: string
+          kind:
+            description: Kind refers to the `kind` field of the object.
+            type: string
+          namespace:
+            description:
+              Namespace refers to the `metadata.namespace` field of the object
+              manifest.
+            type: string
+          name:
+            description:
+              Name refers to the `metadata.name` field of the object manifest.
+            type: string
+      field:
+        type: object
+        description: |
+          Field is the reference to a field in the object.
+          If defined, `ResourceRef` must also be provided.
+        required:
+          - path
+        properties:
+          path:
+            type: string
+            description: |
+              Path is the JSON path of the field
+              e.g. `spec.template.spec.containers[3].resources.limits.cpu`
+          currentValue:
+            description: |
+              CurrrentValue is the current value of the field.
+              Can be any value - string, number, boolean, array or object.
+          proposedValue:
+            description: |
+              PropposedValue is the proposed value of the field to fix an issue.
+              Can be any value - string, number, boolean, array or object.
+      file:
+        type: object
+        description: File references a file containing the resource.
+        required:
+          - path
+        properties:
+          path:
+            type: string
+            description: |
+              Path is the OS agnostic, slash-delimited, relative path.
+              e.g. `some-dir/some-file.yaml`.
+          index:
+            type: number
+            default: 0
+            description: Index of the object in a multi-object YAML file.
+      tags:
+        type: object
+        additionalProperties:
+          type: string
+        description: |
+          Tags is an unstructured key value map stored with a result that may be set
+          by external tools to store and retrieve arbitrary metadata.
+paths: {}
 ```
 
-An example using `v1/List` as input:
+#### Examples
+
+The following is an example input, where the custom resource of kind
+`FulfillmentCenter` is provided as `functionConfig`. The function will operate
+on one resource of kind `Service`.
 
 ```yaml
-apiVersion: v1
-kind: List
-items:
-  - apiVersion: foo-corp.com/v1
-    kind: FulfillmentCenter
-    metadata:
-      name: staging
-    address: "100 Main St."
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    metadata:
-      name: namespace-reader
-    rules:
-      - resources:
-          - namespaces
-        apiGroups:
-          - ""
-        verbs:
-          - get
-          - watch
-          - list
-```
-
-In addition, a function MUST accept as input a List of kind `ResourceList` where the
-`functionConfig` field, if present, will contain the invocation-specific configuration passed to the function
-by the orchestrator.
-Functions MAY consider this field optional so that they can be triggered in an ad-hoc fashion.
-
-An example using `config.kubernetes.io/v1beta1/ResourceList` as input:
-
-```yaml
-apiVersion: config.kubernetes.io/v1beta1
+apiVersion: config.kubernetes.io/v1
 kind: ResourceList
 functionConfig:
   apiVersion: foo-corp.com/v1
   kind: FulfillmentCenter
   metadata:
     name: staging
-    metadata:
-      annotations:
-        config.kubernetes.io/function: |
-          container:
-            image: gcr.io/example/foo:v1.0.0
   spec:
     address: "100 Main St."
 items:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
+  - apiVersion: v1
+    kind: Service
     metadata:
-      name: namespace-reader
-    rules:
-      - resources:
-          - namespaces
-        apiGroups:
-          - ""
-        verbs:
-          - get
-          - watch
-          - list
+      name: wordpress
+      labels:
+        app: wordpress
+      annotations:
+        config.kubernetes.io/index: "0"
+        config.kubernetes.io/path: "service.yaml"
+    spec: # Example comment
+      type: LoadBalancer
+      selector:
+        app: wordpress
+        tier: frontend
+      ports:
+        - protocol: TCP
+          port: 80
 ```
 
-Here `FulfillmentCenter` kind with name `staging` is passed as the invocation-specific configuration
-to the function.
+The following is an example output containing one result representing a
+validation error:
 
-### Output Type
-
-A function’s output MUST be the same as the input specification above
--- i.e. `ResourceList` or `List`.
-This is necessary to enable chaining two or more functions together in a pipeline.
-The serialization format of the output SHOULD match that of its input on each invocation
--- e.g. if the input was a `ResourceList`, the output should also be a `ResourceList`.
+```yaml
+apiVersion: config.kubernetes.io/v1
+kind: ResourceList
+items:
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: wordpress
+      labels:
+        app: wordpress
+      annotations:
+        config.kubernetes.io/index: "0"
+        config.kubernetes.io/path: "service.yaml"
+    spec: # Example comment
+      type: LoadBalancer
+      selector:
+        app: wordpress
+        tier: frontend
+      ports:
+        - protocol: TCP
+          port: 80
+results:
+  - message: "Invalid type. Expected: integer, given: string"
+    severity: error
+    resourceRef:
+      apiVersion: v1
+      kind: Service
+      name: wordpress
+    field:
+      path: spec.ports.0.port
+    file:
+      path: service.yaml
+```
 
 ### Serialization Format
 
 A function MUST support YAML as a serialization format for the input and output.
-A function MUST use utf8 encoding (as YAML is a superset of JSON, JSON will also be supported
-by any conforming function).
-
-### Operations
-
-A function MAY Create, Update, or Delete any number of items in the `items` field and output the
-resultant list.
-
-A function MAY modify annotations with prefix `config.kubernetes.io`, but must be careful about
-doing so since they’re used for orchestration purposes and will likely impact subsequent functions
-in the pipeline.
-
-A function SHOULD preserve comments when input serialization format is YAML.
-This allows for human authoring of configuration to coexist with changes made by functions.
+A function MUST use utf8 encoding (as YAML is a superset of JSON, JSON will also
+be supported by any conforming function).
 
 ### Containerization
 
 A function MUST be implemented as a container.
 
-A function container MUST be capable of running as a non-root user if it does not require
-access to host filesystem or makes network calls.
+A function container MUST be capable of running as a non-root user `nobody` if
+it does not require access to host filesystem.
 
-### stdin/stdout/stderr and Exit Codes
+### stderr
 
-A function MUST accept input from stdin and emit output to stdout.
+Any non-structured error messages MUST be emitted to `stderr`. `stdout` is
+reserved for `ResourceList` as described above.
 
-Any error messages MUST be emitted to stderr.
+### Exit Code
 
-An exit code of zero indicates function execution was successful.
-A non-zero exit code indicates a failure.
+An exit code of zero indicates function execution was successful. A non-zero
+exit code indicates a failure.
 
-[1]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md
+### Operations
+
+A function MAY Create, Update, or Delete any number of items in the `items`
+field and output the resultant list in the corresponding `items` field of the
+output.
+
+A function SHOULD preserve comments when input serialization format is YAML.
+This allows for human authoring of configuration to coexist with changes made by
+functions.
+
+### Internal Annotations
+
+For orchestration purposes, the orchestrator will use a set of annotations,
+referred to as _internal annotations_, on resources in `Resources.items`. These
+annotations are not persisted to resource manifests on the filesystem: The
+orchestrator sets this annotation when reading files from the local filesystem
+and removes the annotation when writing the output of functions back to the
+filesystem.
+
+Annotation prefix `internal.config.kubernetes.io` is reserved for use for
+internal annotations. In general, a function MUST NOT modify these annotations with
+the exception of the specific annotations listed below. This enables orchestrators to add additional internal annotations, without requiring changes to existing functions.
+
+#### `internal.config.kubernetes.io/path`
+
+Records the slash-delimited, OS-agnostic, relative file path to a resource. The
+path is relative to a fix location on the filesystem. Different orchestrator
+implementations can choose different fixed points.
+
+A function SHOULD NOT modify these annotations.
+
+Example:
+
+```yaml
+metadata:
+  annotations:
+    internal.config.kubernetes.io/path: "relative/file/path.yaml"
+```
+
+#### `internal.config.kubernetes.io/index`
+
+Records the index of a Resource in file. In a multi-object YAML file, resources
+are separated by three dashes (`---`), and the index represents the position of
+the Resource starting from zero. When this annotation is not specified, it
+implies a value of `0`.
+
+A function SHOULD NOT modify these annotations.
+
+Example:
+
+```yaml
+metadata:
+  annotations:
+    internal.config.kubernetes.io/path: "relative/file/path.yaml"
+    internal.config.kubernetes.io/index: 2
+```
+
+This represents the third resource in the file.
+
+[1]:
+  https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md
 [2]: https://tools.ietf.org/html/rfc2119
-[3]: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+[3]:
+  https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds

cmd/config/docs/api-conventions/manifest-annotations.md

@@ -0,0 +1,11 @@
+# Manifest Annotations
+
+This document lists the annotations that can be declared in resource manifests.
+
+### `config.kubernetes.io/local-config`
+
+A value of `"true"` for this annotation declares that the resource is only consumed by
+client-side tooling and should not be applied to the API server.
+
+A value of `"false"` can be used to declare that a resource should be applied to
+the API server even when it is assumed to be local.

cmd/config/go.mod

@@ -16,9 +16,7 @@ require (
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/inf.v0 v0.9.1
 	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
-	sigs.k8s.io/kustomize/kyaml v0.10.19
+	sigs.k8s.io/kustomize/kyaml v0.11.0
 )
 
-replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
-
 replace sigs.k8s.io/kustomize/kyaml => ../../kyaml

cmd/config/go.sum

@@ -237,12 +237,14 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

cmd/config/internal/commands/annotate.go

@@ -21,12 +21,13 @@ import (
 func NewAnnotateRunner(parent string) *AnnotateRunner {
 	r := &AnnotateRunner{}
 	c := &cobra.Command{
-		Use:     "annotate [DIR]",
-		Args:    cobra.MaximumNArgs(1),
-		Short:   commands.AnnotateShort,
-		Long:    commands.AnnotateLong,
-		Example: commands.AnnotateExamples,
-		RunE:    r.runE,
+		Use:        "annotate [DIR]",
+		Args:       cobra.MaximumNArgs(1),
+		Short:      commands.AnnotateShort,
+		Long:       commands.AnnotateLong,
+		Example:    commands.AnnotateExamples,
+		RunE:       r.runE,
+		Deprecated: "use the `commonAnnotations` field in your kustomization file.",
 	}
 	runner.FixDocs(parent, c)
 	r.Command = c
@@ -104,9 +105,9 @@ func (r *AnnotateRunner) ExecuteCmd(w io.Writer, pkgPath string) error {
 			return err
 		}
 		// print error message and continue if there are multiple packages to annotate
-		fmt.Fprintf(w, "%s\n", err.Error())
+		_, _ = fmt.Fprintf(w, "%s\n", err.Error())
 	} else {
-		fmt.Fprint(w, "added annotations in the package\n")
+		_, _ = fmt.Fprint(w, "added annotations in the package\n")
 	}
 	return nil
 }

cmd/config/internal/commands/annotate_test.go

@@ -559,7 +559,7 @@ added annotations in the package
 
 			expected := strings.Replace(test.expected, "${baseDir}", baseDir, -1)
 			expectedNormalized := strings.Replace(expected, "\\", "/", -1)
-			if !assert.Equal(t, expectedNormalized, actualNormalized) {
+			if !assert.Contains(t, actualNormalized, expectedNormalized) {
 				t.FailNow()
 			}
 		})

cmd/config/internal/commands/cmdcreatesetter.go

@@ -32,6 +32,8 @@ func NewCreateSetterRunner(parent string) *CreateSetterRunner {
 		Example: commands.CreateSetterExamples,
 		PreRunE: r.preRunE,
 		RunE:    r.runE,
+		Deprecated: "setter commands will no longer be available in kustomize v5.\n" +
+			"See discussion in https://github.com/kubernetes-sigs/kustomize/issues/3953.",
 	}
 	set.Flags().StringVar(&r.FieldValue, "value", "",
 		"optional flag, alternative to specifying the value as an argument. e.g. used to specify values that start with '-'")

cmd/config/internal/commands/cmdcreatesetter_test.go

@@ -869,7 +869,7 @@ setter with name "namespace" already exists, if you want to modify it, please de
 
 			expected := strings.Replace(test.expected, "${baseDir}", baseDir, -1)
 			expectedNormalized := strings.Replace(expected, "\\", "/", -1)
-			if !assert.Equal(t, expectedNormalized, actualNormalized) {
+			if !assert.Contains(t, actualNormalized, expectedNormalized) {
 				t.FailNow()
 			}
 		})

cmd/config/internal/commands/cmdcreatesubstitution.go

@@ -23,6 +23,8 @@ func NewCreateSubstitutionRunner(parent string) *CreateSubstitutionRunner {
 		Args:   cobra.ExactArgs(2),
 		PreRun: r.preRun,
 		RunE:   r.runE,
+		Deprecated: "imperative substitutions will no longer be available in kustomize v5.\n" +
+			"See discussion in https://github.com/kubernetes-sigs/kustomize/issues/3953.",
 	}
 	cs.Flags().StringVar(&r.CreateSubstitution.FieldName, "field", "",
 		"name of the field to set -- e.g. --field image")

cmd/config/internal/commands/cmdcreatesubstitution_test.go

@@ -506,7 +506,7 @@ created substitution "image-tag"`,
 
 			expected := strings.Replace(test.expected, "${baseDir}", baseDir, -1)
 			expectedNormalized := strings.Replace(expected, "\\", "/", -1)
-			if !assert.Equal(t, strings.TrimSpace(expectedNormalized), strings.TrimSpace(actualNormalized)) {
+			if !assert.Contains(t, strings.TrimSpace(actualNormalized), strings.TrimSpace(expectedNormalized)) {
 				t.FailNow()
 			}
 		})

cmd/config/internal/commands/cmdinit.go

@@ -26,6 +26,8 @@ func GetInitRunner(name string) *InitRunner {
 		Long:    commands.InitLong,
 		Example: commands.InitExamples,
 		RunE:    r.runE,
+		Deprecated: "setter commands and substitutions will no longer be available in kustomize v5.\n" +
+			"See discussion in https://github.com/kubernetes-sigs/kustomize/issues/3953.",
 	}
 	runner.FixDocs(name, c)
 	r.Command = c

cmd/config/internal/commands/cmdlistsetters.go

@@ -31,6 +31,8 @@ func NewListSettersRunner(parent string) *ListSettersRunner {
 		Example: commands.ListSettersExamples,
 		PreRunE: r.preRunE,
 		RunE:    r.runE,
+		Deprecated: "setter commands will no longer be available in kustomize v5.\n" +
+			"See discussion in https://github.com/kubernetes-sigs/kustomize/issues/3953.",
 	}
 	c.Flags().BoolVar(&r.Markdown, "markdown", false,
 		"output as github markdown")