Merge pull request #5475 from koba1t/pinToKyaml

Update kyaml to v0.16.0

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,68 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels:
-  - kind/bug
-assignees: ""
----
-
-<!--
-Please read this page: https://kubectl.docs.kubernetes.io/contributing/kustomize/bugs/ before
-filing a bug
--->
-
-<!-- Feel free to skip the sections if they are not applicable. -->
-
-**Describe the bug**
-
-<!-- A clear and concise description of what the bug is. -->
-
-**Files that can reproduce the issue**
-
-<!--
-We cannot figure out or fix the issue if we don't know how to reproduce. Please
-provide a minimum set of files that can reproduce the issue. You can paste the
-file contents here or provide a link to a tarball or git repo.
-
-Example:
-
-kustomization.yaml
-
-```
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-...
-```
-
-resources.yaml
-
-```
-apiVersion: v1
-kind: Deployment
-...
-```
-
-...
--->
-
-**Expected output**
-
-<!-- What's the expected output? -->
-
-**Actual output**
-
-<!-- What's the actual output? -->
-
-**Kustomize version**
-
-<!-- Please use the latest version when it's possible. -->
-
-**Platform**
-
-<!-- Linux/macOS/Windows? -->
-
-**Additional context**
-
-<!-- Add any other context about the problem here. -->

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,87 @@
+name: Bug report
+description: File a bug report
+labels: ["kind/bug"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: What happened?
+      description: |
+        Please provide as much info as possible. Not doing so may result in your bug not being addressed in a timely manner.
+        If this matter is security related, please disclose it privately via https://kubernetes.io/security
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: What did you expect to happen?
+    validations:
+      required: true
+
+  - type: textarea
+    id: repro-files
+    attributes:
+      label: How can we reproduce it (as minimally and precisely as possible)?
+      description: Please provide a minimum set of files that can reproduce the issue. You can paste the file contents here or provide a link to a tarball or git repo. Even better, submit a tests case in the api/krusty package! For more information on how to do that, see https://kubectl.docs.kubernetes.io/contributing/kustomize/bugs/.
+      value: | 
+        ```yaml
+        # kustomization.yaml
+        apiVersion: kustomize.config.k8s.io/v1beta1
+        kind: Kustomization
+        resources:
+        - resources.yaml
+        ```
+    
+        ```yaml
+        # resources.yaml
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: test-object
+        data:
+          placeholder: data
+        ```
+    validations:
+      required: true  
+  - type: textarea
+    id: expected-output
+    attributes:
+      label: Expected output
+      description: If you are able to provide reproduction files, please include the output you expect here.
+      value: | 
+        ```yaml
+
+        ```
+    validations:
+      required: false
+  - type: textarea
+    id: actual-output
+    attributes:
+      label: Actual output
+      description: If you are able to provide reproduction files, please include the output they currently produce here.
+      value: | 
+        ```yaml
+
+        ```
+    validations:
+      required: false
+  - type: input
+    id: kustomize-version
+    attributes:
+      label: Kustomize version
+      description: Please use the latest version whenever possible.
+      placeholder: What version of Kustomize are you using?
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating system
+      options:
+        - Linux
+        - MacOS
+        - Windows
+        - Other
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yaml

@@ -1 +0,0 @@
-blank_issues_enabled: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+contact_links:
+  - name: Support request
+    url: https://discuss.kubernetes.io
+    about: |
+      Please do not submit support requests or questions as issues. 
+      Ask your question in the Kubernetes Community Forums, or in the #kustomize channel on Kubernetes Slack (https://slack.k8s.io).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,26 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels:
-  - kind/feature
-assignees: ""
----
-
-<!-- Feel free to skip the sections if they are not applicable. -->
-
-**Is your feature request related to a problem? Please describe.**
-
-<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
-
-**Describe the solution you'd like**
-
-<!-- A clear and concise description of what you want to happen. -->
-
-**Describe alternatives you've considered**
-
-<!-- A clear and concise description of any alternative solutions or features you've considered. -->
-
-**Additional context**
-
-<!-- Add any other context or screenshots about the feature request here. -->

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -0,0 +1,64 @@
+name: Feature request
+description: Propose an enhancement to Kustomize
+labels: kind/feature
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Small, straightforward enhancements can be proposed in regular GitHub issues using the template below. As a rule of thumb, the enhancement should be resolvable in a single PR that is at most size L. Anything more involved requires a mini (in-repo) enhancement proposal, and features with implications for kubectl require a full [KEP](https://github.com/kubernetes/enhancements). 
+         
+        For more information on the Kustomize enhancement process, see: https://github.com/kubernetes-sigs/kustomize/tree/master/proposals.      
+         
+        When in doubt, go ahead and fill out the template below; the maintainers will let you know if a KEP is required.
+
+  - type: checkboxes
+    attributes:
+      label: Eschewed features
+      description: Some features are out of scope for Kustomize because they are incompatible with its foundational design principles. Please review the [Eschewed Features](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/) documentation before submitting your feature request.
+      options:
+      - label: This issue is not requesting templating, unstuctured edits, build-time side-effects from args or env vars, or any other eschewed feature.
+        required: true
+
+  - type: textarea
+    id: feature-description
+    attributes:
+      label: What would you like to have added?
+    validations:
+      required: true
+
+  - type: textarea
+    id: rationale
+    attributes:
+      label: Why is this needed?
+    validations:
+      required: true
+      
+  - type: textarea
+    id: current-alternatives
+    attributes:
+      label: Can you accomplish the motivating task without this feature, and if so, how?
+    validations:
+      required: true      
+      
+      
+  - type: textarea
+    id: design-alternatives
+    attributes:
+      label: What other solutions have you considered?
+    validations:
+      required: true        
+
+  - type: textarea
+    id: additional-info
+    attributes:
+      label: Anything else we should know?
+    validations:
+      required: false
+      
+  - type: checkboxes
+    attributes:
+      label: Feature ownership
+      description: The Kustomize project, like many areas of Kubernetes, currently lacks enough contributors to adequately respond to all proposals that have merit. Offering to build and support the feature yourself can help get traction for your request.
+      options:
+      - label: I am interested in contributing this feature myself! 🎉
+        required: false

.github/ISSUE_TEMPLATE/question.md

@@ -1,9 +0,0 @@
----
-name: Question
-about: Ask a question about the kustomize
-title: "[Question]"
-labels: ""
-assignees: ""
----
-
-<!-- Please describe your question here -->

.github/dependabot.yml

@@ -4,3 +4,11 @@ updates:
   directory: "/"
   schedule:
       interval: "weekly"
+
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 10
+  vulnerability-alerts:
+    enabled: true

.github/workflows/apidiff.yml

@@ -0,0 +1,36 @@
+name: APIDiff
+
+# Trigger the workflow on pull requests and direct pushes to any branch
+on:
+  push:
+  pull_request:
+
+jobs:
+  go-apidiff:
+    name: Verify API differences
+    runs-on: ubuntu-latest
+    # Pull requests from different repository only trigger this checks
+    if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
+    steps:
+      - name: Clone the code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.work
+      - name: Execute go-apidiff
+        uses: joelanford/go-apidiff@v0.7.0
+        with:
+          compare-imports: true
+          print-compatible: true
+      - name: Report failure
+        uses: nashmaniac/create-issue-action@v1.2
+        # Only report failures of pushes (PRs have are visible through the Checks section) to the default branch
+        if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/master'
+        with:
+          title: 🐛 go-apidiff failed for ${{ github.sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: kind/bug
+          body: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/go.yml

@@ -10,26 +10,21 @@ permissions:
   contents: read
 
 jobs:
-
   lint:
     name: Lint
     runs-on: [ubuntu-latest]
     steps:
-
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
     - name: Set up Go 1.x
       uses: actions/setup-go@v3
       with:
-        go-version: ^1.18
+        go-version-file: go.work
       id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-
     - name: Lint
       run: make lint
-
     - name: Verify boilerplate
       run: make check-license
 
@@ -37,66 +32,56 @@ jobs:
     name: Test Linux
     runs-on: [ubuntu-latest]
     steps:
-
-      - name: Set up Go 1.x
-        uses: actions/setup-go@v3
-        with:
-          go-version: ^1.18
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: Test all modules
-        run: make test-unit-non-plugin
-        env:
-          KUSTOMIZE_DOCKER_E2E: true
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.work
+      id: go
+    - name: Test all modules
+      run: make test-unit-non-plugin
+      env:
+        KUSTOMIZE_DOCKER_E2E: true
 
   test-macos:
     name: Test MacOS
     runs-on: [macos-latest]
     steps:
-
-      - name: Set up Go 1.x
-        uses: actions/setup-go@v3
-        with:
-          go-version: ^1.18
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: Test all modules
-        run: make test-unit-non-plugin
-        env:
-          KUSTOMIZE_DOCKER_E2E: false # docker not installed on mac
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.work
+      id: go
+    - name: Test all modules
+      run: make test-unit-non-plugin
+      env:
+        KUSTOMIZE_DOCKER_E2E: false # docker not installed on mac
 
   test-windows:
     name: Test Windows
     runs-on: [windows-latest]
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.work
+      id: go
+    - name: Test kyaml
+      run: go test -cover ./...
+      working-directory: ./kyaml
+    - name: Test cmd/config
+      run: go test -cover ./...
+      working-directory: ./cmd/config
+      env:
+        KUSTOMIZE_DOCKER_E2E: false # docker on windows not working well yet
 
-      - name: Set up Go 1.x
-        uses: actions/setup-go@v3
-        with:
-          go-version: ^1.18
-        id: go
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
-
-      - name: Test kyaml
-        run: go test -cover ./...
-        working-directory: ./kyaml
-
-      - name: Test cmd/config
-        run: go test -cover ./...
-        working-directory: ./cmd/config
-        env:
-          KUSTOMIZE_DOCKER_E2E: false # docker on windows not working well yet
-
-      # TODO (#4001): replace specific modules above with this once Windows tests are passing.
-      #- name: Test all modules
-      #  run: make test-unit-non-plugin
-      #  env:
-      #    KUSTOMIZE_DOCKER_E2E: false # docker on windows not working well yet
+    # TODO (#4001): replace specific modules above with this once Windows tests are passing.
+    #- name: Test all modules
+    #  run: make test-unit-non-plugin
+    #  env:
+    #    KUSTOMIZE_DOCKER_E2E: false # docker on windows not working well yet

.github/workflows/release.yaml

@@ -0,0 +1,27 @@
+name: release
+
+on:
+  push:
+    tags:
+      - kyaml/v*
+      - cmd/config/v*
+      - api/v*
+      - kustomize/v*
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Set up Go 1.x
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.work
+      id: go
+    - run: ./releasing/create-release.sh "${tag}"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        tag: ${{ github.ref_name }}

.golangci.yml

@@ -3,91 +3,38 @@
 
 run:
   deadline: 5m
+  go: '1.20'
 
 linters:
-  # please, do not use `enable-all`: it's deprecated and will be removed soon.
-  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
-  disable-all: true
-  enable:
-    - asciicheck
-    - bidichk
-    - bodyclose
-    - contextcheck
-#    - cyclop
+  enable-all: true
+  disable:
+    - cyclop
+    - exhaustivestruct
+    - forbidigo
+    - funlen
+    - gci
+    - gocognit
+    - godot
+    - godox
+    - goerr113
+    - gofumpt
+    - ifshort # too many false positives
+    - ireturn
+    - nilnil
+    - nlreturn
+    - noctx
+    - paralleltest
+    - stylecheck
+    - varnamelen
+    - wsl
+    - exhaustruct
     - deadcode
-    - depguard
-    - dogsled
-    - dupl
-    - durationcheck
-    - errcheck
-    - errname
-    - errorlint
-    - exhaustive
-#    - exhaustivestruct
-    - exportloopref
-#    - forbidigo
-    - forcetypeassert
-#    - funlen
-#    - gci
-    - gochecknoglobals
-    - gochecknoinits
-#    - gocognit
-    - goconst
-    - gocritic
-    - gocyclo
-#    - godot
-#    - godox
-#    - goerr113
-    - gofmt
-#    - gofumpt
-    - goheader
-    - goimports
-    - gomnd
-    - gomoddirectives
-    - gomodguard
-    - goprintffuncname
-    - gosec
-    - gosimple
-    - govet
-#    - ifshort # too many false positives
-    - importas
-    - ineffassign
-#    - ireturn
-    - lll
-    - makezero
-    - misspell
-    - nakedret
-    - nestif
-    - nilerr
-#    - nilnil
-#    - nlreturn
-#    - noctx
-    - nolintlint
-#    - paralleltest
-    - prealloc
-    - predeclared
-    - promlinter
-    - revive
-    - rowserrcheck
-    - sqlclosecheck
-    - staticcheck
-    - structcheck
-#    - stylecheck
-    - tagliatelle
-    - tenv
-    - testpackage
-    - thelper
-    - tparallel
-    - typecheck
-    - unconvert
-    - unparam
-    - unused
-    - varcheck
-#    - varnamelen
-    - wastedassign
-    - whitespace
-    - wrapcheck
-#    - wsl
+    - scopelint
+    - nonamedreturns
+    - golint
+    - maintidx
+    - nosnakecase
+    - testpackage # it's better to keep tests in the same package for now because kustomize does open box testing
 
 linters-settings:
   dupl:
@@ -102,14 +49,15 @@ linters-settings:
       arguments:
       - [ "ID", "API", "JSON" ] # AllowList
       - [ ] # DenyList
+  gomnd:
+    ignored-functions:
+    - os.WriteFile
+    - make
   gomoddirectives:
     replace-local: true
   gosec:
     config:
       G306: "0644"
-  gomnd:
-     ignored-functions:
-     - ioutil.WriteFile
   wrapcheck:
     ignoreSigs:
       # defaults

CONTRIBUTING.md

@@ -13,6 +13,7 @@
 [CNCF Code of Conduct]: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
 [Kubernetes Community Membership]: https://github.com/kubernetes/community/blob/master/community-membership.md
 
+[Kustomize Architecture]: ARCHITECTURE.md
 [Contribution Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/
 [MacOS Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/mac/
 [Windows Dev Guide]: https://kubectl.docs.kubernetes.io/contributing/kustomize/windows/
@@ -25,13 +26,88 @@ _As contributors and maintainers of this project, and in the interest of fosteri
 
 ## Getting Started
 
-Dev guides:
+### Forking Kustomize and Working Locally
+The Kustomize project uses a "Fork and Pull" workflow that is standard to GitHub. In git terms, your personal fork is referred to as the "origin" and the actual project's git repository is called "upstream". To keep your personal branch (origin) up to date with the project (upstream), it must be configured within your local working copy.
 
-- [Contribution Guide]
-- [MacOS Dev Guide]
-- [Windows Dev Guide]
+### Create a fork in GitHub
+1. Visit https://github.com/kubernetes-sigs/kustomize
+2. Click the `Fork` button on the top right
 
-General resources for contributors:
+### Clone the repository
+```bash
+# Clone your repository fork from the previous step
+git clone --recurse-submodules git@github.com:<your github username>/kustomize.git
+cd kustomize
+
+# Configure upstream
+git remote add upstream https://github.com/kubernetes-sigs/kustomize
+git remote set-url --push upstream no_push
+
+# Review git configuration
+git remote -v
+```
+
+### Create a working branch
+```bash
+# Fetch changes from upstream master
+cd kustomize
+git fetch upstream
+git checkout master
+git rebase upstream/master
+
+# Create your working branch
+git checkout -b myfeature
+```
+
+### Sync your working branch
+You will need to periodically fetch changes from the `upstream` repository to keep your working branch in sync.
+```bash
+cd kustomize
+git fetch upstream
+git checkout myfeature
+git rebase upstream/master
+```
+
+### Push to GitHub
+When your changes are ready for review, push your working branch to your fork on GitHub.
+```bash
+cd kustomize
+git push origin myfeature
+```
+
+### Create a Pull Request
+1. Visit your fork at `https://github.com/<user>/kustomize`
+2. Click the **Compare & Pull Request** button next to your `myfeature` branch.
+3. Check out the pull request [process](https://github.com/kubernetes/community/blob/master/contributors/guide/pull-requests.md) for more details and advice.
+
+If you ran `git push` in the previous step, GitHub will return a useful link to create a Pull Request.
+
+
+### Build Kustomize
+The [Kustomize Architecture] document describes the respository organization and the kustomize build process.
+```bash
+# For go version >= 1.13
+unset GOPATH
+unset GO111MODULES
+
+# Build kustomize binary and install in go bin path
+cd kustomize
+make kustomize
+
+# Run unit tests
+make test-unit-all
+
+# Run linter
+make lint
+
+# Test examples against HEAD
+make test-examples-kustomize-against-HEAD
+
+# Run your development version
+~/go/bin/kustomize version
+```
+
+### General resources for contributors
 
 - [Contributor License Agreement] - Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests.
 - [Kubernetes Contributor Guide] - Main contributor documentation.
@@ -59,12 +135,144 @@ Kustomize follows the [Kubernetes Community Membership] contributor ladder. Role
 
 The kyaml module within the Kustomize repo has additional owners following the same ladder.
 
-Administrative notes:
+For the kustomize project, we have defined some specific guidelines on each step of the ladder:
+
+To reach reviewer status, you must:
+- Have been actively involved in kustomize for 3+ months
+- Review at least 8 PRs that have been driven through to completion (see the reviewer guide below)
+- Author at least 5 PRs that have been approved and merged
+- Be a member of the kubernetes-sigs org. This should not be a blocker though, as once you meet the requirements for reviewer here,
+the existing kustomize maintainers will be happy to sponsor your request to join the kubernetes-sigs org.
+- Once you have met the above requirements, you may submit a PR adding yourself to the kustomize reviewers list, with links to your
+contributions in the description.
+
+To reach approver status, you must:
+- Meet all the requirements of a reviewer
+- Have been actively involved in kustomize for 6+ months
+- Review at least 15 PRs that have been driven through to completion (see the reviewer guide below)
+- Authored PRs meeting *either* of the following requirements:
+  - 15 PRs that have been approved and merged
+  - *OR* 10 PRs that have been approved and merged where some were more difficult, required greater thought/design,
+or built up to larger features/long-term goals.
+- File 3 issues. This can be any number of things, including but not limited to:
+  - Bugs with kustomize usage that you've found
+  - CI or release improvements
+  - Creating subtasks of a larger feature or project that you are in charge of.
+  - Long term improvements for the health of the project
+- Triage at least 10 untriaged issues, including at least 1 feature request. The kustomize bug scrub is a great place to get practice with doing this, but you can
+also follow the triage guide below to get started on your own.
+- Demonstrate deeper understanding of kustomize goals. This can take many forms and is a bit subjective, but here are a few examples:
+  - saying no to an eschewed feature, instead recommending an alternative solution that is more aligned with the declarative configuration model
+  - active participation in discussion on a feature request issue
+  - filing an issue describing a long term problem and solution aligned with kustomize goals, for example: https://github.com/kubernetes-sigs/kustomize/issues/5140
+  - writing up KEPs for features that will improve the kustomize workflow while being aligned with kustomize goals, for example: https://github.com/kubernetes-sigs/kustomize/pull/4558
+- Regularly interact with the existing kustomize maintainers, with clear communication about what you are working on or planning to work on. The kustomize
+maintainers should know who you are and be familiar with your contributions.
+- If you meet *most* of the above requirements while going above and beyond in a few areas, we will still consider your request to become an approver even
+if you are missing one or two of the requirements. Please contact the maintainers directly to ask about getting approver status if you fall into this category.
+- Otherwise, once you meet all the above requirements, you may:
+  - request to be added to the kustomize maintainer meeting that occurs each week with the kustomize PMs.
+  - submit a PR adding yourself to the kustomize approvers list, with links to your contributions in the description.
+
+To reach owner status, you must:
+- Meet all the requirements of an approver
+- Have been actively involved with kustomize for 1+ year
+- Assisted the current owner in driving the roadmap. This can be explicit or implicit help, such as:
+  - Editing the roadmap directly
+  - Reviewing the roadmap
+  - Providing suggestions for issues or prioritization in meetings that indirectly influence the roadmap
+- Regularly triage issues and attend the kustomize bug scrub
+- Regularly review PRs (1-2 a week)
+- Periodically lead the kustomize bug scrub
+- Periodically release kustomize (ensuring that there are no release blockers and that release notes are clean)
+- Be the primary owner or point of contact for a particular project or area of code
+- Ideally, there should be 2-3 owners at a time. Reach out to the current owners if you are interested in ownership. These
+requirements are not strict and evaluation is somewhat subjective.
+
+## Reviewer guide
+Please watch this talk on how to review code from Tim Hockin: https://www.youtube.com/watch?v=OZVv7-o8i40
+
+For reviewing PRs in kustomize, we have some specific guidelines:
+- If the PR is introducing a new feature:
+  - *It must be implementing an issue that has already been triage/accepted or
+a KEP that has been approved.* If it is not, then request the PR author to first file an issue.
+  - The PR must include thorough tests for the new feature, including unit and integration tests
+  - The code must be clean and readable, with thought given to how we will maintain the code in the future
+  - If the feature requires being broken up into multiple PRs to ease review, the feature should not be exposed to users
+    until the feature is completed in the last PR. For example, while we were building `kustomize localize`, we
+    built the feature almost entirely under the `api` module as a library with all the needed tests. There was no way
+    for users to invoke the localize code until the last PR that actually exposed the `kustomize localize` command in the
+    kustomize binary. This allowed us to continue development of `kustomize localize` without blocking kustomize releases.
+    If this type of development is not possible, then new features requiring multiple PRs should be
+    developed in their own feature branch.
+- If the PR is introducing a bug fix:
+  - If the PR is not fixing an issue that has already been triage/accepted, follow the triage guide below on bug
+    fixes to decide if this is a PR we want to accept.
+  - The PR should have two distinct commits:
+    - The first commit should add a test demonstrating incorrect behavior
+    - The second commit should include the bug fix
+    - Some sample PRs:
+      - https://github.com/kubernetes-sigs/kustomize/pull/5263/commits
+      - https://github.com/kubernetes-sigs/kustomize/pull/3931/commits
+    - The regression test is absolutely required, and we cannot accept bug fixes without tests.
+- If the PR is introducing a performance improvement:
+  - The PR description should give an indication of how much the performance is being improved and how we
+    can measure it - benchmark tests are fantastic.
+- Other PRs (documentation, CI improvements, etc.) should be reviewed based on your best judgment.
+
+## Triage guide
+The possible triage labels are listed here: https://github.com/kubernetes-sigs/kustomize/labels?q=triage.
+
+Triaging a feature request means:
+- Understand what the user is asking for, and their use case.
+- Verify that it is not an [eschewed feature](https://kubectl.docs.kubernetes.io/faq/kustomize/eschewedfeatures/#build-time-side-effects-from-cli-args-or-env-variables)
+- Verify that it is not a duplicate issue.
+- Look into workarounds. Is there another way that the user can achieve their use case with existing features?
+- If you are new to this role, prior to leaving a comment on the issue, please bring it to weekly standup
+for group discussion to make sure that we are all on the same page.
+- Once you feel ready, you can label it with a triage label. Here's an [example](https://github.com/kubernetes-sigs/kustomize/issues/5049). You can also
+look at other feature request issues to see how they were triaged and resolved. There are a few different triage labels that you can use, you can see the
+full list [here](https://github.com/kubernetes-sigs/kustomize/labels?q=triage).
+
+Triaging a bug means:
+- First, verify that you can reproduce the issue. If you cannot reproduce the issue or need more information to give
+it a go, triage it accordingly.
+- Try to understand if this is really a bug or if this is intended behavior from kustomize. If it seems like intended
+behavior, do your best to explain to the user why this is the case.
+- If it seems to be a genuine bug, you can /triage accept the issue. In addition, investigate if there are workarounds or
+alternative solutions for the user that they can try until the issue gets resolved.
+
+The triage party for kustomize is here https://cli.triage.k8s.io/s/kustomize and can be a easy way to
+find issues that have not been triaged yet.
+
+## Project/Product Managers
+
+Kustomize will have opportunities to join in a project/product manager role. You can reach out to
+the existing kustomize maintainers if you are interested in this type of role. Project management work
+can greatly help supplement your contributions as you climb from reviewer to approver
+to owner.
+
+Expectations for this role are:
+
+- Triage 1 feature request each week, and bring it to weekly stand-up for discussion. Feature
+requests are issues labeled kind/feature, and you can find them [here](https://github.com/kubernetes-sigs/kustomize/issues?q=is%3Aissue+is%3Aopen+kind+feature+label%3Akind%2Ffeature).
+Please view the above triage guide for details on how to approach feature request triage.
+- Monitor the kustomize Slack channel and try to help users if you can. It is a pretty
+active channel, so responding to 4-5 users per week is sufficient even if some
+questions go unanswered. If there is an interesting topic or a recurring problem that many
+users are having, please bring it up in weekly stand-up.
+- Keeping track of a queue of backlog issues or PRs that are not being actively looked at in any existing project board.
+- Organizing or reorganizing project tracking boards when it makes sense.
+
+You will also be asked to help with roadmap planning, deprecation communication, prioritization,
+and doing research on kustomize usage when appropriate, though these responsibilities will occur less
+frequently.
+
+## Administrative notes:
 
 - The [OWNERS file spec] is a useful resources in making changes.
 - Maintainers and admins must be added to the appropriate lists in both [Kustomize OWNERS_ALIASES] and [SIG-CLI Teams]. If this isn't done, the individual in question will lack either PR approval rights (Kustomize list) or the appropriate Github repository permissions (community list).
 
-
 ## Contact Information
 
 - [Slack channel]

Makefile

@@ -3,7 +3,7 @@
 #
 # Makefile for kustomize CLI and API.
 
-LATEST_V4_RELEASE=v4.5.5
+LATEST_RELEASE=v5.2.1
 
 SHELL := /usr/bin/env bash
 GOOS = $(shell go env GOOS)
@@ -75,7 +75,8 @@ $(MYGOBIN)/pluginator:
 # Build from local source.
 $(MYGOBIN)/kustomize: build-kustomize-api
 	cd kustomize; \
-	go install .
+	go install -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')" \
+	.
 
 kustomize: $(MYGOBIN)/kustomize
 
@@ -100,18 +101,21 @@ verify-kustomize-repo: \
 	build-non-plugin-all \
 	test-go-mod \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-v4-release
+	test-examples-kustomize-against-latest-release
 
 # The following target referenced by a file in
 # https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/kustomize
 .PHONY: prow-presubmit-check
 prow-presubmit-check: \
 	install-tools \
+	workspace-sync \
+	generate-kustomize-builtin-plugins \
+	builtin-plugins-diff \
 	test-unit-kustomize-plugins \
 	test-go-mod \
 	build-non-plugin-all \
 	test-examples-kustomize-against-HEAD \
-	test-examples-kustomize-against-v4-release
+	test-examples-kustomize-against-latest-release
 
 .PHONY: license
 license: $(MYGOBIN)/addlicense
@@ -125,6 +129,14 @@ check-license: $(MYGOBIN)/addlicense
 lint: $(MYGOBIN)/golangci-lint $(MYGOBIN)/goimports $(builtinplugins)
 	./hack/for-each-module.sh "make lint"
 
+.PHONY: apidiff
+apidiff: go-apidiff ## Run the go-apidiff to verify any API differences compared with origin/master
+	$(GOBIN)/go-apidiff master --compare-imports --print-compatible --repo-path=.
+
+.PHONY: go-apidiff
+go-apidiff:
+	go install github.com/joelanford/go-apidiff@v0.6.0
+
 .PHONY: test-unit-all
 test-unit-all: \
 	test-unit-non-plugin \
@@ -133,11 +145,11 @@ test-unit-all: \
 # This target is used by our Github Actions CI to run unit tests for all non-plugin modules in multiple GOOS environments.
 .PHONY: test-unit-non-plugin
 test-unit-non-plugin:
-	./hack/for-each-module.sh "make test" "./plugin/*" 15
+	./hack/for-each-module.sh "make test" "./plugin/*" 19
 
 .PHONY: build-non-plugin-all
 build-non-plugin-all:
-	./hack/for-each-module.sh "make build" "./plugin/*" 15
+	./hack/for-each-module.sh "make build" "./plugin/*" 19
 
 .PHONY: test-unit-kustomize-plugins
 test-unit-kustomize-plugins:
@@ -152,7 +164,7 @@ functions-examples-all:
 	done
 
 test-go-mod:
-	./hack/for-each-module.sh "go list -m -json all > /dev/null && go mod tidy -v"
+	./hack/for-each-module.sh "go mod tidy -v"
 
 .PHONY:
 verify-kustomize-e2e: $(MYGOBIN)/mdrip $(MYGOBIN)/kind
@@ -169,10 +181,15 @@ test-examples-kustomize-against-HEAD: $(MYGOBIN)/kustomize $(MYGOBIN)/mdrip
 	./hack/testExamplesAgainstKustomize.sh HEAD
 
 .PHONY:
-test-examples-kustomize-against-v4-release: $(MYGOBIN)/mdrip
-	./hack/testExamplesAgainstKustomize.sh v4@$(LATEST_V4_RELEASE)
-
+test-examples-kustomize-against-latest-release: $(MYGOBIN)/mdrip
+	./hack/testExamplesAgainstKustomize.sh v5@$(LATEST_RELEASE)
 
+# Pushes dependencies in the go.work file back to go.mod files of each workspace module.
+.PHONY: workspace-sync
+workspace-sync:
+	go work sync
+	./hack/doGoMod.sh tidy
+	
 # --- Cleanup targets ---
 .PHONY: clean
 clean: clean-kustomize-external-go-plugin uninstall-tools

Makefile-modules.mk

@@ -14,6 +14,7 @@ include $(KUSTOMIZE_ROOT)/Makefile-tools.mk
 .PHONY: lint test fix fmt tidy vet build
 
 lint: $(MYGOBIN)/golangci-lint
+	$(MYGOBIN)/golangci-lint cache clean # Workaround for https://github.com/golangci/golangci-lint/issues/3228
 	$(MYGOBIN)/golangci-lint \
 	  -c $$KUSTOMIZE_ROOT/.golangci.yml \
 	  --path-prefix $(shell pwd | sed -E 's|(.*\/kustomize)/(.*)|\2|') \

Makefile-plugins.mk

@@ -34,7 +34,7 @@ _builtinplugins = \
 	HashTransformer.go \
 	ImageTagTransformer.go \
 	LabelTransformer.go \
-	LegacyOrderTransformer.go \
+	SortOrderTransformer.go \
 	NamespaceTransformer.go \
 	PatchJson6902Transformer.go \
 	PatchStrategicMergeTransformer.go \
@@ -63,7 +63,7 @@ $(pGen)/GkeSaGenerator.go: $(pSrc)/gkesagenerator/GkeSaGenerator.go
 $(pGen)/HashTransformer.go: $(pSrc)/hashtransformer/HashTransformer.go
 $(pGen)/ImageTagTransformer.go: $(pSrc)/imagetagtransformer/ImageTagTransformer.go
 $(pGen)/LabelTransformer.go: $(pSrc)/labeltransformer/LabelTransformer.go
-$(pGen)/LegacyOrderTransformer.go: $(pSrc)/legacyordertransformer/LegacyOrderTransformer.go
+$(pGen)/SortOrderTransformer.go: $(pSrc)/sortordertransformer/SortOrderTransformer.go
 $(pGen)/NamespaceTransformer.go: $(pSrc)/namespacetransformer/NamespaceTransformer.go
 $(pGen)/PatchJson6902Transformer.go: $(pSrc)/patchjson6902transformer/PatchJson6902Transformer.go
 $(pGen)/PatchStrategicMergeTransformer.go: $(pSrc)/patchstrategicmergetransformer/PatchStrategicMergeTransformer.go
@@ -79,7 +79,7 @@ $(pGen)/HelmChartInflationGenerator.go: $(pSrc)/helmchartinflationgenerator/Helm
 # The (verbose but portable) Makefile way to convert to lowercase.
 toLowerCase = $(subst A,a,$(subst B,b,$(subst C,c,$(subst D,d,$(subst E,e,$(subst F,f,$(subst G,g,$(subst H,h,$(subst I,i,$(subst J,j,$(subst K,k,$(subst L,l,$(subst M,m,$(subst N,n,$(subst O,o,$(subst P,p,$(subst Q,q,$(subst R,r,$(subst S,s,$(subst T,t,$(subst U,u,$(subst V,v,$(subst W,w,$(subst X,x,$(subst Y,y,$(subst Z,z,$1))))))))))))))))))))))))))
 
-$(pGen)/%.go: $(MYGOBIN)/pluginator
+$(pGen)/%.go: $(MYGOBIN)/pluginator $(MYGOBIN)/goimports
 	@echo "generating $*"
 	( \
 		set -e; \
@@ -89,9 +89,27 @@ $(pGen)/%.go: $(MYGOBIN)/pluginator
 		$(MYGOBIN)/goimports -w $*.go \
 	)
 
-# Target is for debugging.
+# Generate builtin plugins
 .PHONY: generate-kustomize-builtin-plugins
-generate-kustomize-builtin-plugins: $(builtinplugins)
+generate-kustomize-builtin-plugins: $(builtplugins)
+	for plugin in $(abspath $(wildcard $(pSrc)/*)); do \
+		echo "generating $${plugin} ..."; \
+		set -e; \
+		cd $${plugin}; \
+		go generate pluginator .; \
+	done
+
+# Check for diff by comparing current revision of generated plugins on HEAD and newly generated plugins on local branch, 
+# If diff is found, throw error code 1
+.PHONY: builtin-plugins-diff
+builtin-plugins-diff: $(builtplugins)
+	for file in $(abspath $(builtinplugins)); do \
+		echo "Checking for diff... $${file}" ; \
+		set -e ; \
+		if [ "`git diff $${file} | wc -c`" -gt 0 ]; then\
+			echo "Error(1): diff found on $${file}"; exit 1; \
+		fi \
+	done
 
 .PHONY: build-kustomize-external-go-plugin
 build-kustomize-external-go-plugin:

Makefile-tools.mk

@@ -1,6 +1,8 @@
 # Copyright 2022 The Kubernetes Authors.
 # SPDX-License-Identifier: Apache-2.0
 
+GOLANGCI_LINT_VERSION=v1.51.2
+
 MYGOBIN = $(shell go env GOBIN)
 ifeq ($(MYGOBIN),)
 MYGOBIN = $(shell go env GOPATH)/bin
@@ -28,7 +30,7 @@ uninstall-out-of-tree-tools:
 	rm -f $(MYGOBIN)/stringer
 
 $(MYGOBIN)/golangci-lint:
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
 
 $(MYGOBIN)/mdrip:
 	go install github.com/monopole/mdrip@v1.0.2
@@ -45,9 +47,6 @@ $(MYGOBIN)/mdtogo:
 $(MYGOBIN)/addlicense:
 	go install github.com/google/addlicense@latest
 
-$(MYGOBIN)/statik:
-	go install github.com/rakyll/statik@latest
-
 $(MYGOBIN)/goreleaser:
 	go install github.com/goreleaser/goreleaser@v0.179.0 # https://github.com/kubernetes-sigs/kustomize/issues/4542
 
@@ -95,7 +94,7 @@ $(MYGOBIN)/helmV3:
 	( \
 		set -e; \
 		d=$(shell mktemp -d); cd $$d; \
-		tgzFile=helm-v3.6.3-$(GOOS)-$(GOARCH).tar.gz; \
+		tgzFile=helm-v3.10.2-$(GOOS)-$(GOARCH).tar.gz; \
 		wget https://get.helm.sh/$$tgzFile; \
 		tar -xvzf $$tgzFile; \
 		mv $(GOOS)-$(GOARCH)/helm $(MYGOBIN)/helmV3; \

OWNERS

@@ -1,6 +1,5 @@
 # See https://github.com/kubernetes/community/blob/master/community-membership.md
 approvers:
   - kustomize-approvers
-
 reviewers:
   - kustomize-reviewers

OWNERS_ALIASES

@@ -7,23 +7,23 @@ aliases:
   kustomize-approvers:
     - knverey
     - natasha41575
+    - annasong20
+    - koba1t
   kustomize-reviewers:
     - knverey
     - natasha41575
     - yuwenma
-
-  kyaml-approvers:
-    - mengqiy
-    - mortent
-    - phanimarupaka
-  kyaml-reviewers:
-    - mengqiy
-    - mortent
-    - phanimarupaka
-
-  emeritus-approvers:
-    - liujingfang1
-    - Shell32-Natsu
-    - justinsb
-    - monopole
-    - pwittrock
+    - annasong20
+    - koba1t
+    - stormqueen1990
+    - varshaprasad96
+    - ncapps
+  #  emeritus:
+  #    - liujingfang1
+  #    - Shell32-Natsu
+  #    - justinsb
+  #    - monopole
+  #    - pwittrock
+  #    - mengqiy
+  #    - mortent
+  #    - phanimarupaka

README.md

@@ -20,6 +20,14 @@ This tool is sponsored by [sig-cli] ([KEP]).
 
 ## kubectl integration
 
+To find the kustomize version embedded in recent versions of kubectl, run `kubectl version`:
+
+```sh
+> kubectl version --short --client
+Client Version: v1.26.0
+Kustomize Version: v4.5.7
+```
+
 The kustomize build flow at [v2.0.3] was added
 to [kubectl v1.14][kubectl announcement].  The kustomize
 flow in kubectl remained frozen at v2.0.3 until kubectl v1.21,
@@ -28,11 +36,16 @@ be updated on a regular basis going forward, and such updates
 will be reflected in the Kubernetes release notes.
 
 | Kubectl version | Kustomize version |
-| --- | --- |
-| < v1.14 | n/a |
-| v1.14-v1.20 | v2.0.3 |
-| v1.21 | v4.0.5 |
-| v1.22 | v4.2.0 |
+| --------------- | ----------------- |
+| < v1.14         | n/a               |
+| v1.14-v1.20     | v2.0.3            |
+| v1.21           | v4.0.5            |
+| v1.22           | v4.2.0            |
+| v1.23           | v4.4.1            |
+| v1.24           | v4.5.4            |
+| v1.25           | v4.5.7            |
+| v1.26           | v4.5.7            |
+| v1.27           | v5.0.1            |
 
 [v2.0.3]: https://github.com/kubernetes-sigs/kustomize/releases/tag/v2.0.3
 [#2506]: https://github.com/kubernetes-sigs/kustomize/issues/2506
@@ -55,7 +68,37 @@ This file should declare those resources, and any
 customization to apply to them, e.g. _add a common
 label_.
 
-![base image][imageBase]
+```
+
+base: kustomization + resources
+
+kustomization.yaml                                      deployment.yaml                                                 service.yaml
++---------------------------------------------+         +-------------------------------------------------------+       +-----------------------------------+
+| apiVersion: kustomize.config.k8s.io/v1beta1 |         | apiVersion: apps/v1                                   |       | apiVersion: v1                    |
+| kind: Kustomization                         |         | kind: Deployment                                      |       | kind: Service                     |
+| commonLabels:                               |         | metadata:                                             |       | metadata:                         |
+|   app: myapp                                |         |   name: myapp                                         |       |   name: myapp                     |
+| resources:                                  |         | spec:                                                 |       | spec:                             |
+|   - deployment.yaml                         |         |   selector:                                           |       |   selector:                       |
+|   - service.yaml                            |         |     matchLabels:                                      |       |     app: myapp                    |
+| configMapGenerator:                         |         |       app: myapp                                      |       |   ports:                          |
+|   - name: myapp-map                         |         |   template:                                           |       |     - port: 6060                  |
+|     literals:                               |         |     metadata:                                         |       |       targetPort: 6060            |
+|       - KEY=value                           |         |       labels:                                         |       +-----------------------------------+
++---------------------------------------------+         |         app: myapp                                    |
+                                                        |     spec:                                             |
+                                                        |       containers:                                     |
+                                                        |         - name: myapp                                 |
+                                                        |           image: myapp                                |
+                                                        |           resources:                                  |
+                                                        |             limits:                                   |
+                                                        |               memory: "128Mi"                         |
+                                                        |               cpu: "500m"                             |
+                                                        |           ports:                                      |
+                                                        |             - containerPort: 6060                     |
+                                                        +-------------------------------------------------------+
+
+```
 
 File structure:
 
@@ -91,20 +134,41 @@ Manage traditional [variants] of a configuration - like
 _development_, _staging_ and _production_ - using
 [overlays] that modify a common [base].
 
-![overlay image][imageOverlay]
+```
+
+overlay: kustomization + patches
+
+kustomization.yaml                                      replica_count.yaml                      cpu_count.yaml
++-----------------------------------------------+       +-------------------------------+       +------------------------------------------+
+| apiVersion: kustomize.config.k8s.io/v1beta1   |       | apiVersion: apps/v1           |       | apiVersion: apps/v1                      |
+| kind: Kustomization                           |       | kind: Deployment              |       | kind: Deployment                         |
+| commonLabels:                                 |       | metadata:                     |       | metadata:                                |  
+|   variant: prod                               |       |   name: myapp                 |       |   name: myapp                            |
+| resources:                                    |       | spec:                         |       | spec:                                    |
+|   - ../../base                                |       |   replicas: 80                |       |  template:                               |
+| patches:                                      |       +-------------------------------+       |     spec:                                |
+|   - path: replica_count.yaml                  |                                               |       containers:                        |
+|   - path: cpu_count.yaml                      |                                               |         - name: myapp                    |  
++-----------------------------------------------+                                               |           resources:                     |
+                                                                                                |             limits:                      |
+                                                                                                |               memory: "128Mi"            |
+                                                                                                |               cpu: "7000m"               |
+                                                                                                +------------------------------------------+
+```
+
 
 File structure:
 > ```
 > ~/someApp
 > ├── base
-> │   ├── deployment.yaml
-> │   ├── kustomization.yaml
-> │   └── service.yaml
+> │   ├── deployment.yaml
+> │   ├── kustomization.yaml
+> │   └── service.yaml
 > └── overlays
 >     ├── development
->     │   ├── cpu_count.yaml
->     │   ├── kustomization.yaml
->     │   └── replica_count.yaml
+>     │   ├── cpu_count.yaml
+>     │   ├── kustomization.yaml
+>     │   └── replica_count.yaml
 >     └── production
 >         ├── cpu_count.yaml
 >         ├── kustomization.yaml
@@ -158,8 +222,6 @@ is governed by the [Kubernetes Code of Conduct].
 [applied]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#apply
 [base]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#base
 [declarative configuration]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#declarative-application-management
-[imageBase]: images/base.jpg
-[imageOverlay]: images/overlay.jpg
 [kubectl announcement]: https://kubernetes.io/blog/2019/03/25/kubernetes-1-14-release-announcement
 [kubernetes documentation]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/
 [kubernetes style]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#kubernetes-style-object

ROADMAP.md

@@ -1,112 +1,185 @@
-# Kustomize roadmap 2022
+# Kustomize roadmap 2023-2024
 
-Presented at the [January 26, 2022, SIG-CLI meeting](https://youtu.be/l2plzJ9MRlk?t=1321)
+This document describes the items that we hope to make progress on over the next
+1 year (H2 2023 and H1 2024). Take this roadmap as more of what we hope to achieve
+rather than what we promise to achieve, as some items in this doc are highly dependent
+on the success that we have on-ramping new contributors to the project, and other
+items will depend on external contributions, which can vary.
 
-kustomize maintainers: @knverey, @natasha41575
+If you are interested in contributing to a particular area, you can look through
+the project board for that area and assign yourself to one of the issues. It is
+recommended to start with smaller issues to ramp up on the project before starting
+to tackle larger issues.
 
-[Objective: Improve contributor community](#objective-improve-contributor-community)
+Project boards:
+https://github.com/orgs/kubernetes-sigs/projects/50
+https://github.com/orgs/kubernetes-sigs/projects/51
+https://github.com/orgs/kubernetes-sigs/projects/52
+https://github.com/orgs/kubernetes-sigs/projects/53
+https://github.com/orgs/kubernetes-sigs/projects/54
 
-[Objective: Improve end-user experience](#objective-improve-end-user-experience)
+## Kustomize contributors (at time of writing):
 
-[Objective: Improve extension experience](#objective-improve-extension-experience)
+kustomize owner: @natasha41575
 
-## Objective: Improve contributor community
+kustomize maintainers: @annasong20, @koba1t
 
-**_WHO: End user who also contributes source code._**
-
-Top priority:
-
-- Kustomization v1 (also end-user impact) ([PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/12))
-  - Remove the following fields:
-    - [vars](https://github.com/kubernetes-sigs/kustomize/issues/2052)
-    - [patchesJson6902, patchesStrategicMerge (consolidate on \`patches)](https://github.com/kubernetes-sigs/kustomize/issues/4376)
-    - [helmChartInflationGenerator, helmCharts, helmGlobals](https://github.com/kubernetes-sigs/kustomize/issues/4401)
-    - all long-deprecated fields in Kustomization v1 such as \`bases\` and those being accommodate by kustomize edit \[[see code snippet](https://github.com/kubernetes-sigs/kustomize/blob/ee4b7847f0beb6c0d2070673b10f23f7b3e92e82/api/types/fix.go#L15)\]
-  - Ensure that \`kustomize edit fix\` handles migrations for all those, and that anything it changes is not still present in v1.
-  - [Add reorder field](https://github.com/kubernetes-sigs/kustomize/issues/3913). Default should be FIFO and legacy should also be supported (could add alphabetic and custom sort support eventually). Replaces -reorder flag.
-  - [Reconcile openapi and crds field](https://github.com/kubernetes-sigs/kustomize/issues/3944)
-  - [Consider deprecating configurations field](https://github.com/kubernetes-sigs/kustomize/issues/3945) (old, pre-plugin, pre-openapi global configuration)
-  - [Add a field to enable the managedby label](https://github.com/kubernetes-sigs/kustomize/issues/4047)
-
-Second priority:
-
-- Improve contributor documentation
-  - [Instructions to upgrade kustomize-in-kubectl](https://github.com/kubernetes-sigs/kustomize/issues/3951)
-
-Also very valuable to the project:
-
-- [Improve the release process](https://github.com/kubernetes-sigs/kustomize/issues/3952) to support regular biweekly releases [PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/7)
-- Release sigs.k8s.io/kustomize/api v1.0.0 [PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/5)
-  - [Reduce the public surface of the API module](https://github.com/kubernetes-sigs/kustomize/issues/3942)
-  - [Vendor all transitive deps](https://github.com/kubernetes-sigs/kustomize/issues/3706). Since kustomize is in kubectl, we must do as kubectl does to manage deps, exposing new transitive deps in code review.
-- Project administration
-  - [Rename master branch to main](https://github.com/kubernetes-sigs/kustomize/issues/3954)
+kustomize contributors: @varshaprasad96
 
 
+# H2 2023
 
-## Objective: Improve end-user experience
+## Goal: Create kustomize leadership and contributor playbooks
 
-**_WHO: End user that wants kustomize build artifacts (binaries, containers)._**
+Contributors: natasha41575, annasong20
 
-Top priorities:
+Priority: High
 
-- Bug fixes:
-  - Fix bugs in basic anchor support: [issue query](https://github.com/kubernetes-sigs/kustomize/issues?q=is%3Aopen+is%3Aissue+label%3Aarea%2Fanchors)
-  - integer keys support: [#3446](https://github.com/kubernetes-sigs/kustomize/issues/3446)
-  - kyaml not respecting \`$patch replace|retainKeys\`: [#2037](https://github.com/kubernetes-sigs/kustomize/issues/2037)
-  - kustomize removing quotes from namespace field values: [#4146](https://github.com/kubernetes-sigs/kustomize/issues/4146)
-  - Kustomize doesn’t support metadata.generateName: [#641](https://github.com/kubernetes-sigs/kustomize/issues/641)
-- Send kustomize CLI version number into kubectl ([kubectl issue](https://github.com/kubernetes/kubectl/issues/797) / [kustomize issue](https://github.com/kubernetes-sigs/kustomize/issues/1424))
-- Kustomize performance investigations/improvements [PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/13)
-- [Support generic resource references in name reference tracking](https://github.com/kubernetes-sigs/kustomize/issues/3418)
-- [KEP 4267: retain the resource origin and transformer data in annotations](https://github.com/kubernetes-sigs/kustomize/pull/4267)
+Effort: Medium
 
-Secondary priorities:
+In the past, when the leads stopped contributing (for various reasons, not covered here)
+in various kubernetes projects, it left a wide hole that few could easily fill,
+leaving the remaining leads in a bad position and the project understaffed. We should assume
+that we will need to onboard new maintainers in the future, and should have playbooks
+for doing so. As we grow the contributor base in kustomize, we will build these playbooks for
+those who are contributing and those who are looking to grow into kustomize leaders.
+To ensure the long term health and stability of the project, we should have:
 
-- kustomize cli v5 ([PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/14))
-  - [Drop the --reorder flag](https://github.com/kubernetes-sigs/kustomize/issues/3947)
-  - [Graduate cfg read-only commands out of alpha](https://github.com/kubernetes-sigs/kustomize/issues/4090).
-  - [Drop the –enable-managedby-label](https://github.com/kubernetes-sigs/kustomize/issues/4047)
-  - Drop old plugin-related fields in favor of [the Catalog-style fields](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/2906-kustomize-function-catalog).
-  - [Drop the helm flags](https://github.com/kubernetes-sigs/kustomize/issues/4401)
-- [Confusion around namespace replacement](https://github.com/kubernetes-sigs/kustomize/issues/880).
+- On-boarding guides for new contributors
+- Clear guidelines for how to climb the kustomize ladder from contributor to approver to owner
+- A plan (maybe a schedule) for future kustomize cohorts
+- A succession plan, in case the current kustomize leads ever decide to step down
 
-Also very valuable to the project:
+## Goal: Onboard 2-5 new contributors to kustomize
 
-- [Overinclusion of root directory error in error messages](https://github.com/kubernetes-sigs/kustomize/issues/4348)
-- [Add kustomize localize command](https://github.com/kubernetes-sigs/kustomize/issues/3980)
-- [Fix Windows support in test suite](https://github.com/kubernetes-sigs/kustomize/issues/4001)
-- Improve end-user documentation [PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/9)
+Contributors: natasha41575, annasong20, koba1t
 
+Priority: High
 
-## Objective: Improve extension experience
+Effort: High
 
-**_WHO: Plugin developers: end users who extend kustomize, but don’t think about internals._**
+In order to make progress on kustomize goals in the future, we need to increase the
+level of staffing on kustomize. We should leverage community contributions to keep kustomize
+healthy and making progress.
 
-This objective is described in detail in the [Kustomize Plugin Graduation KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/2953-kustomize-plugin-graduation) / [PROJECT](https://github.com/kubernetes-sigs/kustomize/projects/15) .
+The primary means in which we will try to find new kustomize contributors is through the new kustomize
+maintainer training cohort. We will lead a group of ~20 kubernetes community members through a 3-6 month
+training program, involving talk sessions, bug scrubs, issue triage, PR reviews, and coding projects for
+each member.
 
-Top priorities:
+See [our call for help](https://groups.google.com/a/kubernetes.io/g/dev/c/M5OphEVsv5o/m/zc6G4H15AAAJ) for more
+specific details about the program.
 
-- Fix core usability issues with KRM Function extensions:
-  - [Better errors for function config failures](https://github.com/kubernetes-sigs/kustomize/issues/4398)
-  - [Container KRM Mounts are not mounting via function parameters](https://github.com/kubernetes-sigs/kustomize/issues/4290)
-  - [Resolution of local file references in extensions transformer configuration](https://github.com/kubernetes-sigs/kustomize/issues/4154)
-  - [Do not silently ignore plugins when config has typo](https://github.com/kubernetes-sigs/kustomize/issues/4399)
-  - [KRM Exec Function can't locate executable when referencing a base](https://github.com/kubernetes-sigs/kustomize/issues/4347)
-- Once core usability issues are fixed, [deprecate legacy exec and Go plugin support](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/2953-kustomize-plugin-graduation)
-- [Catalog KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/2906-kustomize-function-catalog)
+The effort from existing kustomize maintainers here will be to:
+- Organize the cohort, so that each cohort member feels productive and understands what they should work on
+- Align motivation of the cohort members with the work that we assign to them.
+- Review PRs from cohort members in a timely manner.
+- Be the point(s) of contact for questions/escalations
+- Lead weekly stand-ups and monthly bug scrubs
 
-Secondary priorities:
+At the end of all this, if we have a small team of contributors to kustomize, who understand its founding
+philosophy and intentions, we should be able to keep the project up to date.
 
-- [Remove Starlark support](https://github.com/kubernetes-sigs/kustomize/issues/4349)
-- [Composition KEP](https://github.com/kubernetes/enhancements/pull/2300). The implementation is complete in [#4223](https://github.com/kubernetes-sigs/kustomize/pull/4323), but depends on:
-  - [Convert resources and components to be backed by a reusable generator](https://github.com/kubernetes-sigs/kustomize/issues/4402)
-  - [Enable explicitly invoked transformers to use default fieldSpecs](https://github.com/kubernetes-sigs/kustomize/issues/4404)
-  - [Enable built-in generators to be used in the transformers field ](https://github.com/kubernetes-sigs/kustomize/issues/4403)
+## Goal: Improve kustomize extensibility through KRM functions and CRD support
 
+Contributors: koba1t, varshaprasad96, external contributors
 
-Also very valuable to the project:
+Priority: High
 
-- [Improve docs for kyaml libraries](https://github.com/kubernetes-sigs/kustomize/issues/3950), especially by adding examples.
-- [Create a reserved field for plugin runtime information](https://github.com/kubernetes-sigs/kustomize/issues/4405)
-- [Develop new standard process for implementing builtin transformers](https://github.com/kubernetes-sigs/kustomize/issues/4400)
+Effort: High
+
+Project board: https://github.com/orgs/kubernetes-sigs/projects/53/views/1
+
+For a long time, we have supported KRM functions as the proper way to implement custom generators and transformers.
+However, due to limited staffing, we have been unable to drive this feature out of alpha in kustomize. The two
+main features which we hope to make progress on are Composition and Catalog, two long-standing proposals for which
+numerous users have been waiting for a long time. There are several open issues
+regarding KRM functions where our long-term answer has been these two features, but users have been hearing about them
+for over a year without seeing any progress. If we can implement them, they will vastly improve usability and security
+of KRM functions.
+
+One item that falls under this category that does not currently have a contributor is improving CRD support.
+Currently, it is difficult to use CRDs properly, as there are three different fields (configurations, openapi, and crds)
+where users have to input their CRD configuration. We need to consolidate these fields into one easy to use feature to
+support CRDs. If you are interested in putting together a design proposal for how to tackle this task, please reach
+out to the kustomize maintainers.
+
+# H1 2024
+
+## Goal: Improve the kustomize documentation
+
+Contributors: annasong20, external contributions
+
+Priority: High
+
+Effort: High
+
+Project board: https://github.com/orgs/kubernetes-sigs/projects/50
+
+The kustomize documentation is currently fragmented, out of date, and lacks examples to fully understand its value.
+We have had a "docs project" for a long time; we need to prioritize implementing it so that the documentation is in
+one place, easy to find, and helps new users get started more easily. Some outcomes from this project should be:
+
+- A single, unified website hosted on kustomize.io
+- Updated information architecture, and a plan to keep it up to date
+- End to end examples of using kustomize, including complex use cases
+
+## Goal: Fix core usability bugs in kustomize
+
+Contributors: external contributions
+
+Priority: High
+
+Effort: High
+
+Project board: https://github.com/orgs/kubernetes-sigs/projects/51
+
+There are several core usability issues that block some users from adopting kustomize features or in
+some base block users from using kustomize entirely. These issues range from small bugs with workable but
+inconvenient workarounds, to enormous feature gaps.
+
+As part of this goal, we should work toward reducing the number of such issues that we have, making
+kustomize work more smoothly and predictably, and be usable for a larger range of users.
+
+There are a lot of important issues in this project, but the biggest and highest priority one is that
+kustomize doesn't currently support metadata.GenerateName. Unfortunately, we don't currently have anyone
+actively working on this issue, we would need an external contributor to reach out to the kustomize
+maintainers to pick it up.
+
+## Goal: Improve kustomize CI, release, & security patch processes
+
+Contributors: external contributions
+
+Priority: Medium
+
+Effort: High
+
+Project board: https://github.com/orgs/kubernetes-sigs/projects/54
+
+The kustomize release process is currently done on-demand and is strictly linear. This means that if we find a CVE,
+we are forced to release the next version of kustomize ASAP, and we are required to release every PR that has merged
+since the last release. This can put us in a sticky situation if we have a breaking change that we are
+not ready to release yet, but we need a patch quickly.
+
+We should try to improve the kustomize release process so that we can release frequently, reliably, and with some
+flexibility. The outcome of this effort should be:
+
+- kustomize is released on a regular cadence (biweekly or monthly)
+- kustomize is able to separate patch and feature releases, so that we can fix CVEs without needing to release
+everything that we have in flight
+- We can detect and fix CVEs early
+
+## Goal: Take long-standing alpha commands out of alpha
+
+Contributors: external contributions
+
+Priority: Medium
+
+Effort: Medium
+
+Project board: https://github.com/orgs/kubernetes-sigs/projects/52
+
+There are several commands in kustomize that have been alpha for a long time, including the cfg command group and
+localize. Moving them forward can indicate good health of a project and these commands are useful to many users.
+Some of these projects can be good starter issues for new contributors to have an easier onramp while others will
+require more effort and thought.

SECURITY_CONTACTS

@@ -9,7 +9,7 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-
-monopole
-Liujingfang1
-pwittrock
+eddiezane
+KnVerey
+natasha41575
+soltysh

api/Makefile

@@ -4,11 +4,10 @@
 include ../Makefile-modules.mk
 
 test:
-	go test -v -timeout 45m -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222"
-	cd krusty/openapitests; OPENAPI_TEST=true go test -v -timeout 45m -p 1 -cover ./...
+	go test -v -timeout 45m -cover ./... -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=2023-01-31T23:38:41Z -X sigs.k8s.io/kustomize/api/provenance.version=(test)"
 
 build:
-	go build -ldflags "-X sigs.k8s.io/kustomize/api/provenance.version=v444.333.222" ./...
+	go build -ldflags "-X sigs.k8s.io/kustomize/api/provenance.buildDate=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")" ./...
 
 generate: $(MYGOBIN)/k8scopy $(MYGOBIN)/stringer
 	go generate ./...

api/builtins/builtins.go

@@ -16,7 +16,6 @@ type (
 	IAMPolicyGeneratorPlugin             = internal.IAMPolicyGeneratorPlugin
 	ImageTagTransformerPlugin            = internal.ImageTagTransformerPlugin
 	LabelTransformerPlugin               = internal.LabelTransformerPlugin
-	LegacyOrderTransformerPlugin         = internal.LegacyOrderTransformerPlugin
 	NamespaceTransformerPlugin           = internal.NamespaceTransformerPlugin
 	PatchJson6902TransformerPlugin       = internal.PatchJson6902TransformerPlugin
 	PatchStrategicMergeTransformerPlugin = internal.PatchStrategicMergeTransformerPlugin
@@ -37,7 +36,6 @@ var (
 	NewIAMPolicyGeneratorPlugin             = internal.NewIAMPolicyGeneratorPlugin
 	NewImageTagTransformerPlugin            = internal.NewImageTagTransformerPlugin
 	NewLabelTransformerPlugin               = internal.NewLabelTransformerPlugin
-	NewLegacyOrderTransformerPlugin         = internal.NewLegacyOrderTransformerPlugin
 	NewNamespaceTransformerPlugin           = internal.NewNamespaceTransformerPlugin
 	NewPatchJson6902TransformerPlugin       = internal.NewPatchJson6902TransformerPlugin
 	NewPatchStrategicMergeTransformerPlugin = internal.NewPatchStrategicMergeTransformerPlugin

api/filters/filtersutil/setters_test.go

@@ -102,5 +102,7 @@ func TestTrackableSetter_SetEntryIfEmpty_BadInputNodeKind(t *testing.T) {
 	fn := filtersutil.TrackableSetter{}.SetEntryIfEmpty("foo", "false", yaml.NodeTagBool)
 	rn := yaml.NewListRNode("nope")
 	rn.AppendToFieldPath("dummy", "path")
-	assert.EqualError(t, fn(rn), "wrong Node Kind for dummy.path expected: MappingNode was SequenceNode: value: {- nope}")
+	assert.EqualError(t, fn(rn), `wrong node kind: expected MappingNode but got SequenceNode: node contents:
+- nope
+`)
 }

api/filters/imagetag/updater.go

@@ -6,7 +6,7 @@ package imagetag
 import (
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 
-	"sigs.k8s.io/kustomize/api/image"
+	"sigs.k8s.io/kustomize/api/internal/image"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

api/filters/nameref/nameref.go

@@ -7,11 +7,11 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/pkg/errors"
 	"sigs.k8s.io/kustomize/api/filters/fieldspec"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -64,7 +64,7 @@ func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 		FieldSpec: f.NameFieldToUpdate,
 		SetValue:  f.set,
 	}); err != nil {
-		return nil, errors.Wrapf(
+		return nil, errors.WrapPrefixf(
 			err, "updating name reference in '%s' field of '%s'",
 			f.NameFieldToUpdate.Path, f.Referrer.CurId().String())
 	}
@@ -104,7 +104,7 @@ func (f Filter) setMapping(node *yaml.RNode) error {
 	}
 	nameNode, err := node.Pipe(yaml.FieldMatcher{Name: "name"})
 	if err != nil {
-		return errors.Wrap(err, "trying to match 'name' field")
+		return errors.WrapPrefixf(err, "trying to match 'name' field")
 	}
 	if nameNode == nil {
 		// This is a _configuration_ error; the field path
@@ -153,7 +153,7 @@ func (f Filter) filterMapCandidatesByNamespace(
 	node *yaml.RNode) ([]*resource.Resource, error) {
 	namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"})
 	if err != nil {
-		return nil, errors.Wrap(err, "trying to match 'namespace' field")
+		return nil, errors.WrapPrefixf(err, "trying to match 'namespace' field")
 	}
 	if namespaceNode == nil {
 		return f.ReferralCandidates.Resources(), nil

api/filters/namespace/namespace.go

@@ -56,9 +56,11 @@ func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 
 // Run runs the filter on a single node rather than a slice
 func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
-	// Special handling for metadata.namespace -- :(
+	// Special handling for metadata.namespace and metadata.name -- :(
 	// never let SetEntry handle metadata.namespace--it will incorrectly include cluster-scoped resources
-	ns.FsSlice = ns.removeMetaNamespaceFieldSpecs(ns.FsSlice)
+	// only update metadata.name if api version is expected one--so-as it leaves other resources of kind namespace alone
+	apiVersion := node.GetApiVersion()
+	ns.FsSlice = ns.removeUnneededMetaFieldSpecs(apiVersion, ns.FsSlice)
 	gvk := resid.GvkFromNode(node)
 	if err := ns.metaNamespaceHack(node, gvk); err != nil {
 		return nil, err
@@ -79,7 +81,11 @@ func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) {
 		CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode
 		CreateTag:  yaml.NodeTagString,
 	})
-	return node, err
+	invalidKindErr := &yaml.InvalidNodeKindError{}
+	if err != nil && errors.As(err, &invalidKindErr) && invalidKindErr.ActualNodeKind() != yaml.ScalarNode {
+		return nil, errors.WrapPrefixf(err, "namespace field specs must target scalar nodes")
+	}
+	return node, errors.WrapPrefixf(err, "namespace transformation failed")
 }
 
 // metaNamespaceHack is a hack for implementing the namespace transform
@@ -174,8 +180,7 @@ func setNamespaceField(node *yaml.RNode, setter filtersutil.SetFn) error {
 func (ns Filter) removeRoleBindingSubjectFieldSpecs(fs types.FsSlice) types.FsSlice {
 	var val types.FsSlice
 	for i := range fs {
-		if isRoleBinding(fs[i].Kind) &&
-			(fs[i].Path == subjectsNamespacePath || fs[i].Path == subjectsField) {
+		if isRoleBinding(fs[i].Kind) && fs[i].Path == subjectsNamespacePath {
 			continue
 		}
 		val = append(val, fs[i])
@@ -183,12 +188,15 @@ func (ns Filter) removeRoleBindingSubjectFieldSpecs(fs types.FsSlice) types.FsSl
 	return val
 }
 
-func (ns Filter) removeMetaNamespaceFieldSpecs(fs types.FsSlice) types.FsSlice {
+func (ns Filter) removeUnneededMetaFieldSpecs(apiVersion string, fs types.FsSlice) types.FsSlice {
 	var val types.FsSlice
 	for i := range fs {
 		if fs[i].Path == types.MetadataNamespacePath {
 			continue
 		}
+		if apiVersion != types.MetadataNamespaceApiVersion && fs[i].Path == types.MetadataNamePath {
+			continue
+		}
 		val = append(val, fs[i])
 	}
 	return val

api/filters/patchjson6902/patchjson6902.go

@@ -6,7 +6,7 @@ package patchjson6902
 import (
 	"strings"
 
-	jsonpatch "github.com/evanphx/json-patch"
+	jsonpatch "gopkg.in/evanphx/json-patch.v5"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 	k8syaml "sigs.k8s.io/yaml"

api/filters/patchstrategicmerge/patchstrategicmerge_test.go

@@ -732,6 +732,177 @@ spec:
           protocol: "TCP"
         - containerPort: 8301
           protocol: "UDP"
+`,
+		},
+
+		// Issue #4628
+		"should retain existing null values in targets": {
+			input: `
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: chart
+spec:
+  releaseName: helm-chart
+  timeout: 15m
+  values:
+    chart:
+      replicaCount: null
+      autoscaling: true
+`,
+			patch: yaml.MustParse(`
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: chart
+spec:
+  releaseName: helm-chart
+  timeout: 15m
+  values:
+    deepgram-api:
+      some: value
+`),
+			expected: `
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: chart
+spec:
+  releaseName: helm-chart
+  timeout: 15m
+  values:
+    chart:
+      replicaCount: null
+      autoscaling: true
+    deepgram-api:
+      some: value
+`,
+		},
+
+		// Issue #4928
+		"support numeric keys": {
+			input: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "foobar"
+`,
+			patch: yaml.MustParse(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "barfoo"
+  "9110": "foo-foo"
+`),
+			expected: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "barfoo"
+  "9110": "foo-foo"
+`,
+		},
+
+		"honor different key style one": {
+			input: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  '6443': "foobar"
+`,
+			patch: yaml.MustParse(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "barfoo"
+  9110: "foo-foo"
+`),
+			expected: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  '6443': "barfoo"
+  9110: "foo-foo"
+`,
+		},
+
+		"honor different key style two": {
+			input: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "foobar"
+`,
+			patch: yaml.MustParse(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "barfoo"
+  '9110': "foo-foo"
+`),
+			expected: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "barfoo"
+  '9110': "foo-foo"
+`,
+		},
+
+		"different key types": {
+			input: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "key-string-double-quoted"
+`,
+			patch: yaml.MustParse(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  6443: "key-int"
+`),
+			expected: `
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blabla
+  namespace: blabla-ns
+data:
+  "6443": "key-int"
 `,
 		},
 	}

api/filters/replacement/replacement.go

@@ -4,13 +4,13 @@
 package replacement
 
 import (
-	"errors"
 	"fmt"
 	"strings"
 
 	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 	kyaml_utils "sigs.k8s.io/kustomize/kyaml/utils"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
@@ -105,7 +105,7 @@ func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode,
 func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []*types.TargetSelector) ([]*yaml.RNode, error) {
 	for _, selector := range targetSelectors {
 		if selector.Select == nil {
-			return nil, errors.New("target must specify resources to select")
+			return nil, errors.Errorf("target must specify resources to select")
 		}
 		if len(selector.FieldPaths) == 0 {
 			selector.FieldPaths = []string{types.DefaultReplacementFieldPath}
@@ -126,8 +126,8 @@ func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []
 			}
 
 			// filter targets by matching resource IDs
-			for i, id := range ids {
-				if id.IsSelectedBy(selector.Select.ResId) && !rejectId(selector.Reject, &ids[i]) {
+			for _, id := range ids {
+				if id.IsSelectedBy(selector.Select.ResId) && !containsRejectId(selector.Reject, ids) {
 					err := copyValueToTarget(possibleTarget, value, selector)
 					if err != nil {
 						return nil, err
@@ -168,10 +168,15 @@ func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool,
 	return annoMatch && labelMatch, nil
 }
 
-func rejectId(rejects []*types.Selector, id *resid.ResId) bool {
+func containsRejectId(rejects []*types.Selector, ids []resid.ResId) bool {
 	for _, r := range rejects {
-		if !r.ResId.IsEmpty() && id.IsSelectedBy(r.ResId) {
-			return true
+		if r.ResId.IsEmpty() {
+			continue
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(r.ResId) {
+				return true
+			}
 		}
 	}
 	return false
@@ -179,29 +184,22 @@ func rejectId(rejects []*types.Selector, id *resid.ResId) bool {
 
 func copyValueToTarget(target *yaml.RNode, value *yaml.RNode, selector *types.TargetSelector) error {
 	for _, fp := range selector.FieldPaths {
-		fieldPath := kyaml_utils.SmarterPathSplitter(fp, ".")
-		create, err := shouldCreateField(selector.Options, fieldPath)
-		if err != nil {
-			return err
+		createKind := yaml.Kind(0) // do not create
+		if selector.Options != nil && selector.Options.Create {
+			createKind = value.YNode().Kind
 		}
-
-		var targetFields []*yaml.RNode
-		if create {
-			createdField, createErr := target.Pipe(yaml.LookupCreate(value.YNode().Kind, fieldPath...))
-			if createErr != nil {
-				return fmt.Errorf("error creating replacement node: %w", createErr)
-			}
-			targetFields = append(targetFields, createdField)
-		} else {
-			// may return multiple fields, always wrapped in a sequence node
-			foundFieldSequence, lookupErr := target.Pipe(&yaml.PathMatcher{Path: fieldPath})
-			if lookupErr != nil {
-				return fmt.Errorf("error finding field in replacement target: %w", lookupErr)
-			}
-			targetFields, err = foundFieldSequence.Elements()
-			if err != nil {
-				return fmt.Errorf("error fetching elements in replacement target: %w", err)
-			}
+		targetFieldList, err := target.Pipe(&yaml.PathMatcher{
+			Path:   kyaml_utils.SmarterPathSplitter(fp, "."),
+			Create: createKind})
+		if err != nil {
+			return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0))
+		}
+		targetFields, err := targetFieldList.Elements()
+		if err != nil {
+			return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0))
+		}
+		if len(targetFields) == 0 {
+			return errors.Errorf(fieldRetrievalError(fp, createKind != 0))
 		}
 
 		for _, t := range targetFields {
@@ -209,11 +207,17 @@ func copyValueToTarget(target *yaml.RNode, value *yaml.RNode, selector *types.Ta
 				return err
 			}
 		}
-
 	}
 	return nil
 }
 
+func fieldRetrievalError(fieldPath string, isCreate bool) string {
+	if isCreate {
+		return fmt.Sprintf("unable to find or create field %q in replacement target", fieldPath)
+	}
+	return fmt.Sprintf("unable to find field %q in replacement target", fieldPath)
+}
+
 func setFieldValue(options *types.FieldOptions, targetField *yaml.RNode, value *yaml.RNode) error {
 	value = value.Copy()
 	if options != nil && options.Delimiter != "" {
@@ -243,16 +247,3 @@ func setFieldValue(options *types.FieldOptions, targetField *yaml.RNode, value *
 
 	return nil
 }
-
-func shouldCreateField(options *types.FieldOptions, fieldPath []string) (bool, error) {
-	if options == nil || !options.Create {
-		return false, nil
-	}
-	// create option is not supported in a wildcard matching
-	for _, f := range fieldPath {
-		if f == "*" {
-			return false, fmt.Errorf("cannot support create option in a multi-value target")
-		}
-	}
-	return true, nil
-}

api/filters/replacement/replacement_test.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	filtertest "sigs.k8s.io/kustomize/api/testutils/filtertest"
-	"sigs.k8s.io/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
 func TestFilter(t *testing.T) {
@@ -1198,11 +1198,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: deploy1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deploy2
 `,
 			replacements: `replacements:
 - source:
@@ -1216,15 +1211,6 @@ metadata:
     - spec.template.spec.containers
     options:
       create: true
-- source:
-    kind: Pod
-    name: pod
-    fieldPath: spec.containers
-  targets:
-  - select:
-      name: deploy2
-    fieldPaths:
-    - spec.template.spec.containers
 `,
 			expected: `apiVersion: v1
 kind: Pod
@@ -1245,11 +1231,6 @@ spec:
       containers:
       - image: busybox
         name: myapp-container
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deploy2
 `,
 		},
 		"complex type with delimiter in source": {
@@ -1498,6 +1479,85 @@ spec:
           value: sample-deploy
         - name: foo
           value: bar
+      - image: nginx
+        name: sidecar
+        env:
+        - name: deployment-name
+          value: sample-deploy`,
+		},
+		"one replacements target should create multiple values": {
+			input: `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: sample-deploy
+  name: sample-deploy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sample-deploy
+  template:
+    metadata:
+      labels:
+        app: sample-deploy
+    spec:
+      containers:
+      - image: other
+        name: do-not-modify-me
+        env:
+        - name: foo
+          value: bar
+      - image: nginx
+        name: main
+        env:
+        - name: foo
+          value: bar
+      - image: nginx
+        name: sidecar
+`,
+			replacements: `replacements:
+- source:
+    kind: Deployment
+    name: sample-deploy
+    fieldPath: metadata.name
+  targets:
+  - select:
+      kind: Deployment
+    options:
+      create: true
+    fieldPaths:
+    - spec.template.spec.containers.[image=nginx].env.[name=deployment-name].value
+`,
+			expected: `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: sample-deploy
+  name: sample-deploy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sample-deploy
+  template:
+    metadata:
+      labels:
+        app: sample-deploy
+    spec:
+      containers:
+      - image: other
+        name: do-not-modify-me
+        env:
+        - name: foo
+          value: bar
+      - image: nginx
+        name: main
+        env:
+        - name: foo
+          value: bar
+        - name: deployment-name
+          value: sample-deploy
       - image: nginx
         name: sidecar
         env:
@@ -1671,7 +1731,110 @@ spec:
     options:
       create: true
 `,
-			expectedErr: "cannot support create option in a multi-value target",
+			expected: `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: sample-deploy
+  name: sample-deploy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sample-deploy
+  template:
+    metadata:
+      labels:
+        app: sample-deploy
+    spec:
+      containers:
+      - image: nginx
+        name: main
+        env:
+        - name: other-env
+          value: YYYYY
+        - name: deployment-name
+          value: sample-deploy
+`,
+		},
+		"Issue 1493: wildcard to create or replace field in all containers in all workloads": {
+			input: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy
+data:
+  restart: OnFailure
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod1
+spec:
+  containers:
+  - image: nginx
+    name: main
+  - image: nginx
+    name: sidecar
+    imagePullPolicy: Always
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod2
+spec:
+  containers:
+  - image: nginx
+    name: main
+    imagePullPolicy: Always
+  - image: nginx
+    name: sidecar
+`,
+			replacements: `replacements:
+- source:
+    kind: ConfigMap
+    name: policy
+    fieldPath: data.restart
+  targets:
+  - select:
+      kind: Pod
+    fieldPaths:
+    - spec.containers.*.imagePullPolicy
+    options:
+      create: true
+`,
+			expected: `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy
+data:
+  restart: OnFailure
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod1
+spec:
+  containers:
+  - image: nginx
+    name: main
+    imagePullPolicy: OnFailure
+  - image: nginx
+    name: sidecar
+    imagePullPolicy: OnFailure
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod2
+spec:
+  containers:
+  - image: nginx
+    name: main
+    imagePullPolicy: OnFailure
+  - image: nginx
+    name: sidecar
+    imagePullPolicy: OnFailure
+`,
 		},
 		"multiple field paths in target": {
 			input: `apiVersion: v1
@@ -2416,6 +2579,257 @@ spec:
   restartPolicy: new
 `,
 		},
+		"issue4761 - path not in target with create: true": {
+			input: `
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: request-id
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+    - applyTo: NETWORK_FILTER
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-version
+  annotations:
+    config.kubernetes.io/local-config: true
+data:
+  ISTIO_REGEX: '^1\.14.*'
+`,
+			replacements: `
+replacements:
+  - source:
+      kind: ConfigMap
+      name: istio-version
+      fieldPath: data.ISTIO_REGEX
+    targets:
+      - select:
+          kind: EnvoyFilter
+        fieldPaths:
+          - spec.configPatches.0.match.proxy.proxyVersion
+          - spec.configPatches.1.match.proxy.proxyVersion
+          - spec.configPatches.2.match.proxy.proxyVersion
+          - spec.configPatches.3.match.proxy.proxyVersion
+        options:
+          create: true
+`,
+			expected: `
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: request-id
+spec:
+  configPatches:
+  - applyTo: NETWORK_FILTER
+    match:
+      proxy:
+        proxyVersion: ^1\.14.*
+  - applyTo: NETWORK_FILTER
+    match:
+      proxy:
+        proxyVersion: ^1\.14.*
+  - match:
+      proxy:
+        proxyVersion: ^1\.14.*
+  - match:
+      proxy:
+        proxyVersion: ^1\.14.*
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-version
+  annotations:
+    config.kubernetes.io/local-config: true
+data:
+  ISTIO_REGEX: '^1\.14.*'
+`,
+		},
+		"issue4761 - path not in target with create: false": {
+			input: `
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: request-id
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+    - applyTo: NETWORK_FILTER
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-version
+  annotations:
+    config.kubernetes.io/local-config: true
+data:
+  ISTIO_REGEX: '^1\.14.*'
+`,
+			replacements: `
+replacements:
+  - source:
+      kind: ConfigMap
+      name: istio-version
+      fieldPath: data.ISTIO_REGEX
+    targets:
+      - select:
+          kind: EnvoyFilter
+        fieldPaths:
+          - spec.configPatches.0.match.proxy.proxyVersion
+          - spec.configPatches.1.match.proxy.proxyVersion
+          - spec.configPatches.2.match.proxy.proxyVersion
+          - spec.configPatches.3.match.proxy.proxyVersion
+        options:
+          create: false
+`,
+			expectedErr: "unable to find field \"spec.configPatches.0.match.proxy.proxyVersion\" in replacement target",
+		},
+		"issue4761 - wildcard solution": {
+			input: `
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: request-id
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+    - applyTo: NETWORK_FILTER
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-version
+  annotations:
+    config.kubernetes.io/local-config: true
+data:
+  ISTIO_REGEX: '^1\.14.*'
+`,
+			replacements: `
+replacements:
+  - source:
+      kind: ConfigMap
+      name: istio-version
+      fieldPath: data.ISTIO_REGEX
+    targets:
+      - select:
+          kind: EnvoyFilter
+        fieldPaths:
+          - spec.configPatches.*.match.proxy.proxyVersion
+        options:
+          create: true
+`,
+			expected: `
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: request-id
+spec:
+  configPatches:
+  - applyTo: NETWORK_FILTER
+    match:
+      proxy:
+        proxyVersion: ^1\.14.*
+  - applyTo: NETWORK_FILTER
+    match:
+      proxy:
+        proxyVersion: ^1\.14.*
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-version
+  annotations:
+    config.kubernetes.io/local-config: true
+data:
+  ISTIO_REGEX: '^1\.14.*'
+`,
+		},
+		"append to sequence using index": {
+			input: `apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myingress
+spec:
+  rules:
+    - host: myingress.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: my-svc
+                port:
+                  number: 80
+`,
+			replacements: `replacements:
+  - source:
+      kind: Ingress
+      name: myingress
+      fieldPath: spec.rules.0.host
+    targets:
+      - select:
+          kind: Ingress
+          name: myingress
+        fieldPaths:
+          - spec.tls.0.hosts.0
+          - spec.tls.0.secretName          
+        options:
+          create: true
+`,
+			expected: `apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myingress
+spec:
+  rules:
+  - host: myingress.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-svc
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - myingress.example.com
+    secretName: myingress.example.com`,
+		},
+		"fail to append to sequence using a distant index": {
+			input: `apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: myingress
+spec:
+  rules:
+    - host: myingress.example.com
+`,
+			replacements: `replacements:
+  - source:
+      kind: Ingress
+      name: myingress
+      fieldPath: spec.rules.0.host
+    targets:
+      - select:
+          kind: Ingress
+          name: myingress
+        fieldPaths:
+          - spec.tls.5.hosts.5
+          - spec.tls.5.secretName
+        options:
+          create: true
+`,
+			expectedErr: "unable to find or create field \"spec.tls.5.hosts.5\" in replacement target: index 5 specified but only 0 elements found",
+		},
 	}
 
 	for tn, tc := range testCases {

api/go.mod

@@ -1,38 +1,37 @@
 module sigs.k8s.io/kustomize/api
 
-go 1.18
+go 1.20
 
 require (
-	github.com/evanphx/json-patch v4.11.0+incompatible
-	github.com/go-errors/errors v1.0.1
+	github.com/go-errors/errors v1.4.2
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/imdario/mergo v0.3.6
-	github.com/pkg/errors v0.9.1
-	github.com/stretchr/testify v1.7.0
-	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661
-	sigs.k8s.io/kustomize/kyaml v0.13.8
-	sigs.k8s.io/yaml v1.2.0
+	github.com/imdario/mergo v0.3.13
+	github.com/stretchr/testify v1.8.1
+	go.uber.org/goleak v1.3.0
+	gopkg.in/evanphx/json-patch.v5 v5.6.0
+	k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961
+	sigs.k8s.io/kustomize/kyaml v0.16.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
-	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
-	golang.org/x/text v0.3.7 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

api/go.sum

@@ -1,216 +1,92 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
-github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w=
-github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM=
-github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
-github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54=
-github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
-github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
-github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
+github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk=
-github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v5 v5.6.0 h1:BMT6KIwBD9CaU91PJCZIe46bDmBWa9ynTQgJIOpfQBk=
+gopkg.in/evanphx/json-patch.v5 v5.6.0/go.mod h1:/kvTRh1TVm5wuM6OkHxqXtE/1nUZZpihg29RtuIyfvk=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661 h1:nqYOUleKLC/0P1zbU29F5q6aoezM6MOAVz+iyfQbZ5M=
-k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661/go.mod h1:daOouuuwd9JXpv1L7Y34iV3yf6nxzipkKMWWlqlvK9M=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-sigs.k8s.io/kustomize/kyaml v0.13.8 h1:L4dSaDb6dL5mzv0UWSrUw8bskcEW+EnNtIObT5BoRsU=
-sigs.k8s.io/kustomize/kyaml v0.13.8/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4=
-sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
-sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961 h1:pqRVJGQJz6oeZby8qmPKXYIBjyrcv7EHCe/33UkZMYA=
+k8s.io/kube-openapi v0.0.0-20230601164746-7562a1006961/go.mod h1:l8HTwL5fqnlns4jOveW1L75eo7R9KFHxiE0bsPGy428=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0=
+sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

api/ifc/ifc.go

@@ -28,12 +28,20 @@ type KvLoader interface {
 
 // Loader interface exposes methods to read bytes.
 type Loader interface {
+
+	// Repo returns the repo location if this Loader was created from a url
+	// or the empty string otherwise.
+	Repo() string
+
 	// Root returns the root location for this Loader.
 	Root() string
+
 	// New returns Loader located at newRoot.
 	New(newRoot string) (Loader, error)
+
 	// Load returns the bytes read from the location or an error.
 	Load(location string) ([]byte, error)
+
 	// Cleanup cleans the loader
 	Cleanup() error
 }

api/internal/accumulator/loadconfigfromcrds.go

@@ -7,11 +7,11 @@ import (
 	"encoding/json"
 	"strings"
 
-	"github.com/pkg/errors"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"
 	"sigs.k8s.io/yaml"
@@ -39,7 +39,7 @@ func LoadConfigFromCRDs(
 		}
 		m, err := makeNameToApiMap(content)
 		if err != nil {
-			return nil, errors.Wrapf(err, "unable to parse open API definition from '%s'", path)
+			return nil, errors.WrapPrefixf(err, "unable to parse open API definition from '%s'", path)
 		}
 		otherTc, err := makeConfigFromApiMap(m)
 		if err != nil {

api/internal/accumulator/loadconfigfromcrds_test.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 	. "sigs.k8s.io/kustomize/api/internal/accumulator"
+	"sigs.k8s.io/kustomize/api/internal/loader"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
-	"sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"

api/internal/accumulator/resaccumulator.go

@@ -170,9 +170,10 @@ func (ra *ResAccumulator) FixBackReferences() (err error) {
 
 // Intersection drops the resources which "other" does not have.
 func (ra *ResAccumulator) Intersection(other resmap.ResMap) error {
+	otherIds := other.AllIds()
 	for _, curId := range ra.resMap.AllIds() {
 		toDelete := true
-		for _, otherId := range other.AllIds() {
+		for _, otherId := range otherIds {
 			if otherId == curId {
 				toDelete = false
 				break

api/internal/builtins/AnnotationsTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on AnnotationsTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/ConfigMapGenerator.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on ConfigMapGenerator; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/HashTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on HashTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/HelmChartInflationGenerator.go

@@ -1,12 +1,11 @@
 // Code generated by pluginator on HelmChartInflationGenerator; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -14,14 +13,14 @@ import (
 	"strings"
 
 	"github.com/imdario/mergo"
-	"github.com/pkg/errors"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/yaml"
 )
 
-// HelmChartInflationGeneratorPlugin is a plugin to generate resources
-// from a remote or local helm chart.
+// Generate resources from a remote or local helm chart.
 type HelmChartInflationGeneratorPlugin struct {
 	h *resmap.PluginHelpers
 	types.HelmGlobals
@@ -29,8 +28,6 @@ type HelmChartInflationGeneratorPlugin struct {
 	tmpDir string
 }
 
-var KustomizePlugin HelmChartInflationGeneratorPlugin
-
 const (
 	valuesMergeOptionMerge    = "merge"
 	valuesMergeOptionOverride = "override"
@@ -56,6 +53,15 @@ func (p *HelmChartInflationGeneratorPlugin) Config(
 	if h.GeneralConfig().HelmConfig.Command == "" {
 		return fmt.Errorf("must specify --helm-command")
 	}
+
+	// CLI args takes precedence
+	if h.GeneralConfig().HelmConfig.KubeVersion != "" {
+		p.HelmChart.KubeVersion = h.GeneralConfig().HelmConfig.KubeVersion
+	}
+	if len(h.GeneralConfig().HelmConfig.ApiVersions) != 0 {
+		p.HelmChart.ApiVersions = h.GeneralConfig().HelmConfig.ApiVersions
+	}
+
 	p.h = h
 	if err = yaml.Unmarshal(config, p); err != nil {
 		return
@@ -73,7 +79,7 @@ func (p *HelmChartInflationGeneratorPlugin) establishTmpDir() (err error) {
 		// already done.
 		return nil
 	}
-	p.tmpDir, err = ioutil.TempDir("", "kustomize-helm-")
+	p.tmpDir, err = os.MkdirTemp("", "kustomize-helm-")
 	return err
 }
 
@@ -87,14 +93,22 @@ func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) {
 	// the loader root (unless root restrictions are
 	// disabled, in which case this can be an absolute path).
 	if p.ChartHome == "" {
-		p.ChartHome = "charts"
+		p.ChartHome = types.HelmDefaultHome
 	}
 
-	// The ValuesFile may be consulted by the plugin, so it must
+	// The ValuesFile(s) may be consulted by the plugin, so it must
 	// be under the loader root (unless root restrictions are
 	// disabled).
 	if p.ValuesFile == "" {
-		p.ValuesFile = filepath.Join(p.ChartHome, p.Name, "values.yaml")
+		p.ValuesFile = filepath.Join(p.absChartHome(), p.Name, "values.yaml")
+	}
+	for i, file := range p.AdditionalValuesFiles {
+		// use Load() to enforce root restrictions
+		if _, err := p.h.Loader().Load(file); err != nil {
+			return errors.WrapPrefixf(err, "could not load additionalValuesFile")
+		}
+		// the additional values filepaths must be relative to the kust root
+		p.AdditionalValuesFiles[i] = filepath.Join(p.h.Loader().Root(), file)
 	}
 
 	if err = p.errIfIllegalValuesMerge(); err != nil {
@@ -104,7 +118,7 @@ func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) {
 	// ConfigHome is not loaded by the plugin, and can be located anywhere.
 	if p.ConfigHome == "" {
 		if err = p.establishTmpDir(); err != nil {
-			return errors.Wrap(
+			return errors.WrapPrefixf(
 				err, "unable to create tmp dir for HELM_CONFIG_HOME")
 		}
 		p.ConfigHome = filepath.Join(p.tmpDir, "helm")
@@ -127,10 +141,17 @@ func (p *HelmChartInflationGeneratorPlugin) errIfIllegalValuesMerge() error {
 }
 
 func (p *HelmChartInflationGeneratorPlugin) absChartHome() string {
+	var chartHome string
 	if filepath.IsAbs(p.ChartHome) {
-		return p.ChartHome
+		chartHome = p.ChartHome
+	} else {
+		chartHome = filepath.Join(p.h.Loader().Root(), p.ChartHome)
 	}
-	return filepath.Join(p.h.Loader().Root(), p.ChartHome)
+
+	if p.Version != "" && p.Repo != "" {
+		return filepath.Join(chartHome, fmt.Sprintf("%s-%s", p.Name, p.Version))
+	}
+	return chartHome
 }
 
 func (p *HelmChartInflationGeneratorPlugin) runHelmCommand(
@@ -148,10 +169,10 @@ func (p *HelmChartInflationGeneratorPlugin) runHelmCommand(
 	err := cmd.Run()
 	if err != nil {
 		helm := p.h.GeneralConfig().HelmConfig.Command
-		err = errors.Wrap(
+		err = errors.WrapPrefixf(
 			fmt.Errorf(
-				"unable to run: '%s %s' with env=%s (is '%s' installed?)",
-				helm, strings.Join(args, " "), env, helm),
+				"unable to run: '%s %s' with env=%s (is '%s' installed?): %w",
+				helm, strings.Join(args, " "), env, helm, err),
 			stderr.String(),
 		)
 	}
@@ -211,7 +232,7 @@ func (p *HelmChartInflationGeneratorPlugin) writeValuesBytes(
 		return "", fmt.Errorf("cannot create tmp dir to write helm values")
 	}
 	path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml")
-	return path, ioutil.WriteFile(path, b, 0644)
+	return path, errors.WrapPrefixf(os.WriteFile(path, b, 0644), "failed to write values file")
 }
 
 func (p *HelmChartInflationGeneratorPlugin) cleanup() {
@@ -244,46 +265,31 @@ func (p *HelmChartInflationGeneratorPlugin) Generate() (rm resmap.ResMap, err er
 		return nil, err
 	}
 	var stdout []byte
-	stdout, err = p.runHelmCommand(p.templateCommand())
+	stdout, err = p.runHelmCommand(p.AsHelmArgs(p.absChartHome()))
 	if err != nil {
 		return nil, err
 	}
 
-	rm, err = p.h.ResmapFactory().NewResMapFromBytes(stdout)
-	if err == nil {
+	rm, resMapErr := p.h.ResmapFactory().NewResMapFromBytes(stdout)
+	if resMapErr == nil {
 		return rm, nil
 	}
 	// try to remove the contents before first "---" because
 	// helm may produce messages to stdout before it
-	stdoutStr := string(stdout)
-	if idx := strings.Index(stdoutStr, "---"); idx != -1 {
-		return p.h.ResmapFactory().NewResMapFromBytes([]byte(stdoutStr[idx:]))
+	r := &kio.ByteReader{Reader: bytes.NewBufferString(string(stdout)), OmitReaderAnnotations: true}
+	nodes, err := r.Read()
+	if err != nil {
+		return nil, fmt.Errorf("error reading helm output: %w", err)
 	}
-	return nil, err
-}
 
-func (p *HelmChartInflationGeneratorPlugin) templateCommand() []string {
-	args := []string{"template"}
-	if p.ReleaseName != "" {
-		args = append(args, p.ReleaseName)
+	if len(nodes) != 0 {
+		rm, err = p.h.ResmapFactory().NewResMapFromRNodeSlice(nodes)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse rnode slice into resource map: %w", err)
+		}
+		return rm, nil
 	}
-	if p.Namespace != "" {
-		args = append(args, "--namespace", p.Namespace)
-	}
-	args = append(args, filepath.Join(p.absChartHome(), p.Name))
-	if p.ValuesFile != "" {
-		args = append(args, "--values", p.ValuesFile)
-	}
-	if p.ReleaseName == "" {
-		// AFAICT, this doesn't work as intended due to a bug in helm.
-		// See https://github.com/helm/helm/issues/6019
-		// I've tried placing the flag before and after the name argument.
-		args = append(args, "--generate-name")
-	}
-	if p.IncludeCRDs {
-		args = append(args, "--include-crds")
-	}
-	return args
+	return nil, fmt.Errorf("could not parse bytes into resource map: %w", resMapErr)
 }
 
 func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string {
@@ -291,8 +297,18 @@ func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string {
 		"pull",
 		"--untar",
 		"--untardir", p.absChartHome(),
-		"--repo", p.Repo,
-		p.Name}
+	}
+
+	switch {
+	case strings.HasPrefix(p.Repo, "oci://"):
+		args = append(args, strings.TrimSuffix(p.Repo, "/")+"/"+p.Name)
+	case p.Repo != "":
+		args = append(args, "--repo", p.Repo)
+		fallthrough
+	default:
+		args = append(args, p.Name)
+	}
+
 	if p.Version != "" {
 		args = append(args, "--version", p.Version)
 	}

api/internal/builtins/IAMPolicyGenerator.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/ImageTagTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on ImageTagTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/LabelTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on LabelTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/LegacyOrderTransformer.go

@@ -1,46 +0,0 @@
-// Code generated by pluginator on LegacyOrderTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
-
-package builtins
-
-import (
-	"sort"
-
-	"github.com/pkg/errors"
-	"sigs.k8s.io/kustomize/api/resmap"
-	"sigs.k8s.io/kustomize/api/resource"
-)
-
-// Sort the resources using an ordering defined in the Gvk class.
-// This puts cluster-wide basic resources with no
-// dependencies (like Namespace, StorageClass, etc.)
-// first, and resources with a high number of dependencies
-// (like ValidatingWebhookConfiguration) last.
-type LegacyOrderTransformerPlugin struct{}
-
-// Nothing needed for configuration.
-func (p *LegacyOrderTransformerPlugin) Config(
-	_ *resmap.PluginHelpers, _ []byte) (err error) {
-	return nil
-}
-
-func (p *LegacyOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) {
-	resources := make([]*resource.Resource, m.Size())
-	ids := m.AllIds()
-	sort.Sort(resmap.IdSlice(ids))
-	for i, id := range ids {
-		resources[i], err = m.GetByCurrentId(id)
-		if err != nil {
-			return errors.Wrap(err, "expected match for sorting")
-		}
-	}
-	m.Clear()
-	for _, r := range resources {
-		m.Append(r)
-	}
-	return nil
-}
-
-func NewLegacyOrderTransformerPlugin() resmap.TransformerPlugin {
-	return &LegacyOrderTransformerPlugin{}
-}

api/internal/builtins/NamespaceTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on NamespaceTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/PatchJson6902Transformer.go

@@ -1,17 +1,17 @@
 // Code generated by pluginator on PatchJson6902Transformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 
 import (
 	"fmt"
 
-	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/pkg/errors"
+	jsonpatch "gopkg.in/evanphx/json-patch.v5"
 	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/yaml"
 )
@@ -61,7 +61,7 @@ func (p *PatchJson6902TransformerPlugin) Config(
 	}
 	p.decodedPatch, err = jsonpatch.DecodePatch([]byte(p.JsonOp))
 	if err != nil {
-		return errors.Wrapf(err, "decoding %s", p.JsonOp)
+		return errors.WrapPrefixf(err, "decoding %s", p.JsonOp)
 	}
 	if len(p.decodedPatch) == 0 {
 		return fmt.Errorf(

api/internal/builtins/PatchStrategicMergeTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on PatchStrategicMergeTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/PatchTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on PatchTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 
@@ -7,104 +7,123 @@ import (
 	"fmt"
 	"strings"
 
-	jsonpatch "github.com/evanphx/json-patch"
+	jsonpatch "gopkg.in/evanphx/json-patch.v5"
 	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/yaml"
 )
 
 type PatchTransformerPlugin struct {
-	loadedPatch  *resource.Resource
-	decodedPatch jsonpatch.Patch
-	Path         string          `json:"path,omitempty" yaml:"path,omitempty"`
-	Patch        string          `json:"patch,omitempty" yaml:"patch,omitempty"`
-	Target       *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
-	Options      map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
+	smPatches   []*resource.Resource // strategic-merge patches
+	jsonPatches jsonpatch.Patch      // json6902 patch
+	// patchText is pure patch text created by Path or Patch
+	patchText string
+	// patchSource is patch source message
+	patchSource string
+	Path        string          `json:"path,omitempty"    yaml:"path,omitempty"`
+	Patch       string          `json:"patch,omitempty"   yaml:"patch,omitempty"`
+	Target      *types.Selector `json:"target,omitempty"  yaml:"target,omitempty"`
+	Options     map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
 }
 
-func (p *PatchTransformerPlugin) Config(
-	h *resmap.PluginHelpers, c []byte) error {
-	err := yaml.Unmarshal(c, p)
-	if err != nil {
+func (p *PatchTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error {
+	if err := yaml.Unmarshal(c, p); err != nil {
 		return err
 	}
+
 	p.Patch = strings.TrimSpace(p.Patch)
-	if p.Patch == "" && p.Path == "" {
-		return fmt.Errorf(
-			"must specify one of patch and path in\n%s", string(c))
-	}
-	if p.Patch != "" && p.Path != "" {
-		return fmt.Errorf(
-			"patch and path can't be set at the same time\n%s", string(c))
-	}
-	if p.Path != "" {
-		loaded, loadErr := h.Loader().Load(p.Path)
-		if loadErr != nil {
-			return loadErr
+	switch {
+	case p.Patch == "" && p.Path == "":
+		return fmt.Errorf("must specify one of patch and path in\n%s", string(c))
+	case p.Patch != "" && p.Path != "":
+		return fmt.Errorf("patch and path can't be set at the same time\n%s", string(c))
+	case p.Patch != "":
+		p.patchText = p.Patch
+		p.patchSource = fmt.Sprintf("[patch: %q]", p.patchText)
+	case p.Path != "":
+		loaded, err := h.Loader().Load(p.Path)
+		if err != nil {
+			return fmt.Errorf("failed to get the patch file from path(%s): %w", p.Path, err)
 		}
-		p.Patch = string(loaded)
+		p.patchText = string(loaded)
+		p.patchSource = fmt.Sprintf("[path: %q]", p.Path)
 	}
 
-	patchSM, errSM := h.ResmapFactory().RF().FromBytes([]byte(p.Patch))
-	patchJson, errJson := jsonPatchFromBytes([]byte(p.Patch))
+	patchesSM, errSM := h.ResmapFactory().RF().SliceFromBytes([]byte(p.patchText))
+	patchesJson, errJson := jsonPatchFromBytes([]byte(p.patchText))
+
 	if (errSM == nil && errJson == nil) ||
-		(patchSM != nil && patchJson != nil) {
+		(patchesSM != nil && patchesJson != nil) {
 		return fmt.Errorf(
-			"illegally qualifies as both an SM and JSON patch: [%v]",
-			p.Patch)
+			"illegally qualifies as both an SM and JSON patch: %s",
+			p.patchSource)
 	}
 	if errSM != nil && errJson != nil {
 		return fmt.Errorf(
-			"unable to parse SM or JSON patch from [%v]", p.Patch)
+			"unable to parse SM or JSON patch from %s", p.patchSource)
 	}
 	if errSM == nil {
-		p.loadedPatch = patchSM
-		if p.Options["allowNameChange"] {
-			p.loadedPatch.AllowNameChange()
-		}
-		if p.Options["allowKindChange"] {
-			p.loadedPatch.AllowKindChange()
+		p.smPatches = patchesSM
+		for _, loadedPatch := range p.smPatches {
+			if p.Options["allowNameChange"] {
+				loadedPatch.AllowNameChange()
+			}
+			if p.Options["allowKindChange"] {
+				loadedPatch.AllowKindChange()
+			}
 		}
 	} else {
-		p.decodedPatch = patchJson
+		p.jsonPatches = patchesJson
 	}
 	return nil
 }
 
 func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error {
-	if p.loadedPatch == nil {
-		return p.transformJson6902(m, p.decodedPatch)
+	if p.smPatches != nil {
+		return p.transformStrategicMerge(m)
 	}
-	// The patch was a strategic merge patch
-	return p.transformStrategicMerge(m, p.loadedPatch)
+	return p.transformJson6902(m)
 }
 
-// transformStrategicMerge applies the provided strategic merge patch
-// to all the resources in the ResMap that match either the Target or
-// the identifier of the patch.
-func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap, patch *resource.Resource) error {
-	if p.Target == nil {
+// transformStrategicMerge applies each loaded strategic merge patch
+// to the resource in the ResMap that matches the identifier of the patch.
+// If only one patch is specified, the Target can be used instead.
+func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap) error {
+	if p.Target != nil {
+		if len(p.smPatches) > 1 {
+			// detail: https://github.com/kubernetes-sigs/kustomize/issues/5049#issuecomment-1440604403
+			return fmt.Errorf("Multiple Strategic-Merge Patches in one `patches` entry is not allowed to set `patches.target` field: %s", p.patchSource)
+		}
+
+		// single patch
+		patch := p.smPatches[0]
+		selected, err := m.Select(*p.Target)
+		if err != nil {
+			return fmt.Errorf("unable to find patch target %q in `resources`: %w", p.Target, err)
+		}
+		return errors.Wrap(m.ApplySmPatch(resource.MakeIdSet(selected), patch))
+	}
+
+	for _, patch := range p.smPatches {
 		target, err := m.GetById(patch.OrgId())
 		if err != nil {
-			return err
+			return fmt.Errorf("no resource matches strategic merge patch %q: %w", patch.OrgId(), err)
+		}
+		if err := target.ApplySmPatch(patch); err != nil {
+			return errors.Wrap(err)
 		}
-		return target.ApplySmPatch(patch)
 	}
-	selected, err := m.Select(*p.Target)
-	if err != nil {
-		return err
-	}
-	return m.ApplySmPatch(resource.MakeIdSet(selected), patch)
+	return nil
 }
 
-// transformJson6902 applies the provided json6902 patch
-// to all the resources in the ResMap that match the Target.
-func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpatch.Patch) error {
+// transformJson6902 applies json6902 Patch to all the resources in the ResMap that match Target.
+func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap) error {
 	if p.Target == nil {
-		return fmt.Errorf("must specify a target for patch %s", p.Patch)
+		return fmt.Errorf("must specify a target for JSON patch %s", p.patchSource)
 	}
 	resources, err := m.Select(*p.Target)
 	if err != nil {
@@ -114,7 +133,7 @@ func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpa
 		res.StorePreviousId()
 		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
 		err = res.ApplyFilter(patchjson6902.Filter{
-			Patch: p.Patch,
+			Patch: p.patchText,
 		})
 		if err != nil {
 			return err
@@ -129,16 +148,17 @@ func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpa
 	return nil
 }
 
-// jsonPatchFromBytes loads a Json 6902 patch from
-// a bytes input
-func jsonPatchFromBytes(
-	in []byte) (jsonpatch.Patch, error) {
+// jsonPatchFromBytes loads a Json 6902 patch from a bytes input
+func jsonPatchFromBytes(in []byte) (jsonpatch.Patch, error) {
 	ops := string(in)
 	if ops == "" {
 		return nil, fmt.Errorf("empty json patch operations")
 	}
 
 	if ops[0] != '[' {
+		// TODO(5049):
+		//   In the case of multiple yaml documents, return error instead of ignoring all but first.
+		//   Details: https://github.com/kubernetes-sigs/kustomize/pull/5194#discussion_r1256686728
 		jsonOps, err := yaml.YAMLToJSON(in)
 		if err != nil {
 			return nil, err

api/internal/builtins/PrefixTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on PrefixTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/ReplacementTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on ReplacementTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/ReplicaCountTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on ReplicaCountTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/SecretGenerator.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on SecretGenerator; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/SortOrderTransformer.go

@@ -0,0 +1,244 @@
+// Code generated by pluginator on SortOrderTransformer; DO NOT EDIT.
+// pluginator {(devel)  unknown   }
+
+package builtins
+
+import (
+	"sort"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/resource"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/yaml"
+)
+
+// Sort the resources using a customizable ordering based of Kind.
+// Defaults to the ordering of the GVK struct, which puts cluster-wide basic
+// resources with no dependencies (like Namespace, StorageClass, etc.) first,
+// and resources with a high number of dependencies
+// (like ValidatingWebhookConfiguration) last.
+type SortOrderTransformerPlugin struct {
+	SortOptions *types.SortOptions `json:"sortOptions,omitempty" yaml:"sortOptions,omitempty"`
+}
+
+func (p *SortOrderTransformerPlugin) Config(
+	_ *resmap.PluginHelpers, c []byte) error {
+	return errors.WrapPrefixf(yaml.Unmarshal(c, p), "Failed to unmarshal SortOrderTransformer config")
+}
+
+func (p *SortOrderTransformerPlugin) applyDefaults() {
+	// Default to FIFO sort, aka no-op.
+	if p.SortOptions == nil {
+		p.SortOptions = &types.SortOptions{
+			Order: types.FIFOSortOrder,
+		}
+	}
+
+	// If legacy sort is selected and no options are given, default to
+	// hardcoded order.
+	if p.SortOptions.Order == types.LegacySortOrder && p.SortOptions.LegacySortOptions == nil {
+		p.SortOptions.LegacySortOptions = &types.LegacySortOptions{
+			OrderFirst: defaultOrderFirst,
+			OrderLast:  defaultOrderLast,
+		}
+	}
+}
+
+func (p *SortOrderTransformerPlugin) validate() error {
+	// Check valid values for SortOrder
+	if p.SortOptions.Order != types.FIFOSortOrder && p.SortOptions.Order != types.LegacySortOrder {
+		return errors.Errorf("the field 'sortOptions.order' must be one of [%s, %s]",
+			types.FIFOSortOrder, types.LegacySortOrder)
+	}
+
+	// Validate that the only options set are the ones corresponding to the
+	// selected sort order.
+	if p.SortOptions.Order == types.FIFOSortOrder &&
+		p.SortOptions.LegacySortOptions != nil {
+		return errors.Errorf("the field 'sortOptions.legacySortOptions' is"+
+			" set but the selected sort order is '%v', not 'legacy'",
+			p.SortOptions.Order)
+	}
+	return nil
+}
+
+func (p *SortOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) {
+	p.applyDefaults()
+	err = p.validate()
+	if err != nil {
+		return err
+	}
+
+	// Sort
+	if p.SortOptions.Order == types.LegacySortOrder {
+		s := newLegacyIDSorter(m.AllIds(), p.SortOptions.LegacySortOptions)
+		sort.Sort(s)
+		err = applyOrdering(m, s.resids)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// applyOrdering takes resources (given in ResMap) and a desired ordering given
+// as a sequence of ResIds, and updates the ResMap's resources to match the
+// ordering.
+func applyOrdering(m resmap.ResMap, ordering []resid.ResId) error {
+	var err error
+	resources := make([]*resource.Resource, m.Size())
+	// Clear and refill with the correct order
+	for i, id := range ordering {
+		resources[i], err = m.GetByCurrentId(id)
+		if err != nil {
+			return errors.WrapPrefixf(err, "expected match for sorting")
+		}
+	}
+	m.Clear()
+	for _, r := range resources {
+		err = m.Append(r)
+		if err != nil {
+			return errors.WrapPrefixf(err, "SortOrderTransformer: Failed to append to resources")
+		}
+	}
+	return nil
+}
+
+// Code for legacy sorting.
+// Legacy sorting is a "fixed" order sorting maintained for backwards
+// compatibility.
+
+// legacyIDSorter sorts resources based on two priority lists:
+// - orderFirst: Resources that should be placed in the start, in the given order.
+// - orderLast: Resources that should be placed in the end, in the given order.
+type legacyIDSorter struct {
+	// resids only stores the metadata of the object. This is an optimization as
+	// it's expensive to compute these again and again during ordering.
+	resids     []resid.ResId
+	typeOrders map[string]int
+}
+
+func newLegacyIDSorter(
+	resids []resid.ResId,
+	options *types.LegacySortOptions) *legacyIDSorter {
+	// Precalculate a resource ranking based on the priority lists.
+	var typeOrders = func() map[string]int {
+		m := map[string]int{}
+		for i, n := range options.OrderFirst {
+			m[n] = -len(options.OrderFirst) + i
+		}
+		for i, n := range options.OrderLast {
+			m[n] = 1 + i
+		}
+		return m
+	}()
+	return &legacyIDSorter{
+		resids:     resids,
+		typeOrders: typeOrders,
+	}
+}
+
+var _ sort.Interface = legacyIDSorter{}
+
+func (a legacyIDSorter) Len() int { return len(a.resids) }
+func (a legacyIDSorter) Swap(i, j int) {
+	a.resids[i], a.resids[j] = a.resids[j], a.resids[i]
+}
+func (a legacyIDSorter) Less(i, j int) bool {
+	if !a.resids[i].Gvk.Equals(a.resids[j].Gvk) {
+		return gvkLessThan(a.resids[i].Gvk, a.resids[j].Gvk, a.typeOrders)
+	}
+	return legacyResIDSortString(a.resids[i]) < legacyResIDSortString(a.resids[j])
+}
+
+func gvkLessThan(gvk1, gvk2 resid.Gvk, typeOrders map[string]int) bool {
+	index1 := typeOrders[gvk1.Kind]
+	index2 := typeOrders[gvk2.Kind]
+	if index1 != index2 {
+		return index1 < index2
+	}
+	return legacyGVKSortString(gvk1) < legacyGVKSortString(gvk2)
+}
+
+// legacyGVKSortString returns a string representation of given GVK used for
+// stable sorting.
+func legacyGVKSortString(x resid.Gvk) string {
+	legacyNoGroup := "~G"
+	legacyNoVersion := "~V"
+	legacyNoKind := "~K"
+	legacyFieldSeparator := "_"
+
+	g := x.Group
+	if g == "" {
+		g = legacyNoGroup
+	}
+	v := x.Version
+	if v == "" {
+		v = legacyNoVersion
+	}
+	k := x.Kind
+	if k == "" {
+		k = legacyNoKind
+	}
+	return strings.Join([]string{g, v, k}, legacyFieldSeparator)
+}
+
+// legacyResIDSortString returns a string representation of given ResID used for
+// stable sorting.
+func legacyResIDSortString(id resid.ResId) string {
+	legacyNoNamespace := "~X"
+	legacyNoName := "~N"
+	legacySeparator := "|"
+
+	ns := id.Namespace
+	if ns == "" {
+		ns = legacyNoNamespace
+	}
+	nm := id.Name
+	if nm == "" {
+		nm = legacyNoName
+	}
+	return strings.Join(
+		[]string{id.Gvk.String(), ns, nm}, legacySeparator)
+}
+
+// DO NOT CHANGE!
+// Final legacy ordering provided as a default by kustomize.
+// Originally an attempt to apply resources in the correct order, an effort
+// which later proved impossible as not all types are known beforehand.
+// See: https://github.com/kubernetes-sigs/kustomize/issues/3913
+var defaultOrderFirst = []string{ //nolint:gochecknoglobals
+	"Namespace",
+	"ResourceQuota",
+	"StorageClass",
+	"CustomResourceDefinition",
+	"ServiceAccount",
+	"PodSecurityPolicy",
+	"Role",
+	"ClusterRole",
+	"RoleBinding",
+	"ClusterRoleBinding",
+	"ConfigMap",
+	"Secret",
+	"Endpoints",
+	"Service",
+	"LimitRange",
+	"PriorityClass",
+	"PersistentVolume",
+	"PersistentVolumeClaim",
+	"Deployment",
+	"StatefulSet",
+	"CronJob",
+	"PodDisruptionBudget",
+}
+var defaultOrderLast = []string{ //nolint:gochecknoglobals
+	"MutatingWebhookConfiguration",
+	"ValidatingWebhookConfiguration",
+}
+
+func NewSortOrderTransformerPlugin() resmap.TransformerPlugin {
+	return &SortOrderTransformerPlugin{}
+}

api/internal/builtins/SuffixTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on SuffixTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/builtins/ValueAddTransformer.go

@@ -1,5 +1,5 @@
 // Code generated by pluginator on ValueAddTransformer; DO NOT EDIT.
-// pluginator {unknown  1970-01-01T00:00:00Z  }
+// pluginator {(devel)  unknown   }
 
 package builtins
 

api/internal/generators/configmap_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	. "sigs.k8s.io/kustomize/api/internal/generators"
 	"sigs.k8s.io/kustomize/api/kv"
-	"sigs.k8s.io/kustomize/api/loader"
+	"sigs.k8s.io/kustomize/api/pkg/loader"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/filesys"

api/internal/generators/secret_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	. "sigs.k8s.io/kustomize/api/internal/generators"
 	"sigs.k8s.io/kustomize/api/kv"
-	"sigs.k8s.io/kustomize/api/loader"
+	"sigs.k8s.io/kustomize/api/pkg/loader"
 	valtest_test "sigs.k8s.io/kustomize/api/testutils/valtest"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/filesys"

api/internal/generators/utils.go

@@ -5,6 +5,8 @@ package generators
 
 import (
 	"fmt"
+	"path"
+	"strings"
 
 	"github.com/go-errors/errors"
 	"sigs.k8s.io/kustomize/api/ifc"
@@ -95,3 +97,28 @@ func setImmutable(
 
 	return nil
 }
+
+// ParseFileSource parses the source given.
+//
+// Acceptable formats include:
+//  1. source-path: the basename will become the key name
+//  2. source-name=source-path: the source-name will become the key name and
+//     source-path is the path to the key file.
+//
+// Key names cannot include '='.
+func ParseFileSource(source string) (keyName, filePath string, err error) {
+	numSeparators := strings.Count(source, "=")
+	switch {
+	case numSeparators == 0:
+		return path.Base(source), source, nil
+	case numSeparators == 1 && strings.HasPrefix(source, "="):
+		return "", "", errors.Errorf("missing key name for file path %q in source %q", strings.TrimPrefix(source, "="), source)
+	case numSeparators == 1 && strings.HasSuffix(source, "="):
+		return "", "", errors.Errorf("missing file path for key name %q in source %q", strings.TrimSuffix(source, "="), source)
+	case numSeparators > 1:
+		return "", "", errors.Errorf("source %q key name or file path contains '='", source)
+	default:
+		components := strings.Split(source, "=")
+		return components[0], components[1], nil
+	}
+}

api/internal/generators/utils_test.go

@@ -0,0 +1,51 @@
+// Copyright 2020 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package generators_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	. "sigs.k8s.io/kustomize/api/internal/generators"
+)
+
+func TestParseFileSource(t *testing.T) {
+	tests := map[string]*struct {
+		Input    string
+		Error    string
+		Key      string
+		Filename string
+	}{
+		"filename only": {
+			Input:    "./path/myfile",
+			Key:      "myfile",
+			Filename: "./path/myfile",
+		},
+		"key and filename": {
+			Input:    "newName.ini=oldName",
+			Key:      "newName.ini",
+			Filename: "oldName",
+		},
+		"multiple =": {
+			Input: "newName.ini==oldName",
+			Error: `source "newName.ini==oldName" key name or file path contains '='`,
+		},
+		"missing key": {
+			Input: "=myfile",
+			Error: `missing key name for file path "myfile" in source "=myfile"`,
+		},
+	}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			key, file, err := ParseFileSource(test.Input)
+			if test.Error != "" {
+				require.EqualError(t, err, test.Error)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.Key, key)
+				require.Equal(t, test.Filename, file)
+			}
+		})
+	}
+}

api/internal/git/cloner.go

@@ -22,15 +22,17 @@ func ClonerUsingGitExec(repoSpec *RepoSpec) error {
 	if err = r.run("init"); err != nil {
 		return err
 	}
-	if err = r.run(
-		"remote", "add", "origin", repoSpec.CloneSpec()); err != nil {
+	// git relative submodule need origin, see https://github.com/kubernetes-sigs/kustomize/issues/5131
+	if err = r.run("remote", "add", "origin", repoSpec.CloneSpec()); err != nil {
 		return err
 	}
 	ref := "HEAD"
 	if repoSpec.Ref != "" {
 		ref = repoSpec.Ref
 	}
-	if err = r.run("fetch", "--depth=1", "origin", ref); err != nil {
+	// we use repoSpec.CloneSpec() instead of origin because on error,
+	// the prior prints the actual repo url for the user.
+	if err = r.run("fetch", "--depth=1", repoSpec.CloneSpec(), ref); err != nil {
 		return err
 	}
 	if err = r.run("checkout", "FETCH_HEAD"); err != nil {

api/internal/git/gitrunner.go

@@ -7,8 +7,8 @@ import (
 	"os/exec"
 	"time"
 
-	"github.com/pkg/errors"
 	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
@@ -24,7 +24,7 @@ type gitRunner struct {
 func newCmdRunner(timeout time.Duration) (*gitRunner, error) {
 	gitProgram, err := exec.LookPath("git")
 	if err != nil {
-		return nil, errors.Wrap(err, "no 'git' program on path")
+		return nil, errors.WrapPrefixf(err, "no 'git' program on path")
 	}
 	dir, err := filesys.NewTmpConfirmedDir()
 	if err != nil {
@@ -46,9 +46,9 @@ func (r gitRunner) run(args ...string) error {
 		cmd.String(),
 		r.duration,
 		func() error {
-			_, err := cmd.CombinedOutput()
+			out, err := cmd.CombinedOutput()
 			if err != nil {
-				return errors.Wrapf(err, "git cmd = '%s'", cmd.String())
+				return errors.WrapPrefixf(err, "failed to run '%s': %s", cmd.String(), string(out))
 			}
 			return err
 		})

api/internal/git/repospec.go

@@ -5,12 +5,15 @@ package git
 
 import (
 	"fmt"
+	"log"
 	"net/url"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
 
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
@@ -27,26 +30,23 @@ type RepoSpec struct {
 	// TODO(monopole): Drop raw, use processed fields instead.
 	raw string
 
-	// Host, e.g. github.com
+	// Host, e.g. https://github.com/
 	Host string
 
-	// orgRepo name (organization/repoName),
+	// RepoPath name (Path to repository),
 	// e.g. kubernetes-sigs/kustomize
-	OrgRepo string
+	RepoPath string
 
-	// Dir where the orgRepo is cloned to.
+	// Dir is where the repository is cloned to.
 	Dir filesys.ConfirmedDir
 
 	// Relative path in the repository, and in the cloneDir,
 	// to a Kustomization.
-	Path string
+	KustRootPath string
 
 	// Branch or tag reference.
 	Ref string
 
-	// e.g. .git or empty in case of _git is present
-	GitSuffix string
-
 	// Submodules indicates whether or not to clone git submodules.
 	Submodules bool
 
@@ -56,10 +56,7 @@ type RepoSpec struct {
 
 // CloneSpec returns a string suitable for "git clone {spec}".
 func (x *RepoSpec) CloneSpec() string {
-	if isAzureHost(x.Host) || isAWSHost(x.Host) {
-		return x.Host + x.OrgRepo
-	}
-	return x.Host + x.OrgRepo + x.GitSuffix
+	return x.Host + x.RepoPath
 }
 
 func (x *RepoSpec) CloneDir() filesys.ConfirmedDir {
@@ -71,81 +68,140 @@ func (x *RepoSpec) Raw() string {
 }
 
 func (x *RepoSpec) AbsPath() string {
-	return x.Dir.Join(x.Path)
+	return x.Dir.Join(x.KustRootPath)
 }
 
 func (x *RepoSpec) Cleaner(fSys filesys.FileSystem) func() error {
 	return func() error { return fSys.RemoveAll(x.Dir.String()) }
 }
 
+const (
+	refQuery         = "?ref="
+	gitSuffix        = ".git"
+	gitRootDelimiter = "_git/"
+	pathSeparator    = "/" // do not use filepath.Separator, as this is a URL
+)
+
 // NewRepoSpecFromURL parses git-like urls.
 // From strings like git@github.com:someOrg/someRepo.git or
 // https://github.com/someOrg/someRepo?ref=someHash, extract
-// the parts.
+// the different parts of URL, set into a RepoSpec object and return RepoSpec object.
+// It MUST return an error if the input is not a git-like URL, as this is used by some code paths
+// to distinguish between local and remote paths.
+//
+// In particular, NewRepoSpecFromURL separates the URL used to clone the repo from the
+// elements Kustomize uses for other purposes (e.g. query params that turn into args, and
+// the path to the kustomization root within the repo).
 func NewRepoSpecFromURL(n string) (*RepoSpec, error) {
+	repoSpec := &RepoSpec{raw: n, Dir: notCloned, Timeout: defaultTimeout, Submodules: defaultSubmodules}
 	if filepath.IsAbs(n) {
 		return nil, fmt.Errorf("uri looks like abs path: %s", n)
 	}
-	host, orgRepo, path, gitRef, gitSubmodules, suffix, gitTimeout := parseGitURL(n)
-	if orgRepo == "" {
-		return nil, fmt.Errorf("url lacks orgRepo: %s", n)
+
+	// Parse the query first. This is safe because according to rfc3986 "?" is only allowed in the
+	// query and is not recognized %-encoded.
+	// Note that parseQuery returns default values for empty parameters.
+	n, query, _ := strings.Cut(n, "?")
+	repoSpec.Ref, repoSpec.Timeout, repoSpec.Submodules = parseQuery(query)
+
+	var err error
+
+	// Parse the host (e.g. scheme, username, domain) segment.
+	repoSpec.Host, n, err = extractHost(n)
+	if err != nil {
+		return nil, err
 	}
-	if host == "" {
-		return nil, fmt.Errorf("url lacks host: %s", n)
+
+	// In some cases, we're given a path to a git repo + a path to the kustomization root within
+	// that repo. We need to split them so that we can ultimately give the repo only to the cloner.
+	repoSpec.RepoPath, repoSpec.KustRootPath, err = parsePathParts(n, defaultRepoPathLength(repoSpec.Host))
+	if err != nil {
+		return nil, err
 	}
-	return &RepoSpec{
-		raw: n, Host: host, OrgRepo: orgRepo,
-		Dir: notCloned, Path: path, Ref: gitRef, GitSuffix: suffix,
-		Submodules: gitSubmodules, Timeout: gitTimeout}, nil
+
+	return repoSpec, nil
 }
 
-const (
-	refQuery     = "?ref="
-	gitSuffix    = ".git"
-	gitDelimiter = "_git/"
-)
+const allSegments = -999999
+const orgRepoSegments = 2
 
-// From strings like git@github.com:someOrg/someRepo.git or
-// https://github.com/someOrg/someRepo?ref=someHash, extract
-// the parts.
-func parseGitURL(n string) (
-	host string, orgRepo string, path string, gitRef string, gitSubmodules bool, gitSuff string, gitTimeout time.Duration) {
-	if strings.Contains(n, gitDelimiter) {
-		index := strings.Index(n, gitDelimiter)
-		// Adding _git/ to host
-		host = normalizeGitHostSpec(n[:index+len(gitDelimiter)])
-		orgRepo = strings.Split(strings.Split(n[index+len(gitDelimiter):], "/")[0], "?")[0]
-		path, gitRef, gitTimeout, gitSubmodules = peelQuery(n[index+len(gitDelimiter)+len(orgRepo):])
-		return
+func defaultRepoPathLength(host string) int {
+	if strings.HasPrefix(host, fileScheme) {
+		return allSegments
 	}
-	host, n = parseHostSpec(n)
-	gitSuff = gitSuffix
-	if strings.Contains(n, gitSuffix) {
-		index := strings.Index(n, gitSuffix)
-		orgRepo = n[0:index]
-		n = n[index+len(gitSuffix):]
-		if len(n) > 0 && n[0] == '/' {
-			n = n[1:]
-		}
-		path, gitRef, gitTimeout, gitSubmodules = peelQuery(n)
-		return
+	return orgRepoSegments
+}
+
+// parsePathParts splits the repo path that will ultimately be passed to git to clone the
+// repo from the kustomization root path, which Kustomize will execute the build in after the repo
+// is cloned.
+//
+// We first try to do this based on explicit markers in the URL (e.g. _git, .git or //).
+// If none are present, we try to apply a historical default repo path length that is derived from
+// Github URLs. If there aren't enough segments, we have historically considered the URL invalid.
+func parsePathParts(n string, defaultSegmentLength int) (string, string, error) {
+	repoPath, kustRootPath, success := tryExplicitMarkerSplit(n)
+	if !success {
+		repoPath, kustRootPath, success = tryDefaultLengthSplit(n, defaultSegmentLength)
 	}
 
-	i := strings.Index(n, "/")
-	if i < 1 {
-		path, gitRef, gitTimeout, gitSubmodules = peelQuery(n)
-		return
+	// Validate the result
+	if !success || len(repoPath) == 0 {
+		return "", "", fmt.Errorf("failed to parse repo path segment")
 	}
-	j := strings.Index(n[i+1:], "/")
-	if j >= 0 {
-		j += i + 1
-		orgRepo = n[:j]
-		path, gitRef, gitTimeout, gitSubmodules = peelQuery(n[j+1:])
-		return
+	if kustRootPathExitsRepo(kustRootPath) {
+		return "", "", fmt.Errorf("url path exits repo: %s", n)
 	}
-	path = ""
-	orgRepo, gitRef, gitTimeout, gitSubmodules = peelQuery(n)
-	return host, orgRepo, path, gitRef, gitSubmodules, gitSuff, gitTimeout
+
+	return repoPath, strings.TrimPrefix(kustRootPath, pathSeparator), nil
+}
+
+func tryExplicitMarkerSplit(n string) (string, string, bool) {
+	// Look for the _git delimiter, which by convention is expected to be ONE directory above the repo root.
+	// If found, split on the NEXT path element, which is the repo root.
+	// Example: https://username@dev.azure.com/org/project/_git/repo/path/to/kustomization/root
+	if gitRootIdx := strings.Index(n, gitRootDelimiter); gitRootIdx >= 0 {
+		gitRootPath := n[:gitRootIdx+len(gitRootDelimiter)]
+		subpathSegments := strings.Split(n[gitRootIdx+len(gitRootDelimiter):], pathSeparator)
+		return gitRootPath + subpathSegments[0], strings.Join(subpathSegments[1:], pathSeparator), true
+
+		// Look for a double-slash in the path, which if present separates the repo root from the kust path.
+		// It is a convention, not a real path element, so do not preserve it in the returned value.
+		// Example: https://github.com/org/repo//path/to/kustomozation/root
+	} else if repoRootIdx := strings.Index(n, "//"); repoRootIdx >= 0 {
+		return n[:repoRootIdx], n[repoRootIdx+2:], true
+
+		// Look for .git in the path, which if present is part of the directory name of the git repo.
+		// This means we want to grab everything up to and including that suffix
+		// Example: https://github.com/org/repo.git/path/to/kustomozation/root
+	} else if gitSuffixIdx := strings.Index(n, gitSuffix); gitSuffixIdx >= 0 {
+		upToGitSuffix := n[:gitSuffixIdx+len(gitSuffix)]
+		afterGitSuffix := n[gitSuffixIdx+len(gitSuffix):]
+		return upToGitSuffix, afterGitSuffix, true
+	}
+	return "", "", false
+}
+
+func tryDefaultLengthSplit(n string, defaultSegmentLength int) (string, string, bool) {
+	// If the default is to take all segments, do so.
+	if defaultSegmentLength == allSegments {
+		return n, "", true
+
+		// If the default is N segments, make sure we have at least that many and take them if so.
+		// If we have less than N, we have historically considered the URL invalid.
+	} else if segments := strings.Split(n, pathSeparator); len(segments) >= defaultSegmentLength {
+		firstNSegments := strings.Join(segments[:defaultSegmentLength], pathSeparator)
+		rest := strings.Join(segments[defaultSegmentLength:], pathSeparator)
+		return firstNSegments, rest, true
+	}
+	return "", "", false
+}
+
+func kustRootPathExitsRepo(kustRootPath string) bool {
+	cleanedPath := filepath.Clean(strings.TrimPrefix(kustRootPath, string(filepath.Separator)))
+	pathElements := strings.Split(cleanedPath, string(filepath.Separator))
+	return len(pathElements) > 0 &&
+		pathElements[0] == filesys.ParentDir
 }
 
 // Clone git submodules by default.
@@ -154,14 +210,12 @@ const defaultSubmodules = true
 // Arbitrary, but non-infinite, timeout for running commands.
 const defaultTimeout = 27 * time.Second
 
-func peelQuery(arg string) (string, string, time.Duration, bool) {
-	// Parse the given arg into a URL. In the event of a parse failure, return
-	// our defaults.
-	parsed, err := url.Parse(arg)
+func parseQuery(query string) (string, time.Duration, bool) {
+	values, err := url.ParseQuery(query)
+	// in event of parse failure, return defaults
 	if err != nil {
-		return arg, "", defaultTimeout, defaultSubmodules
+		return "", defaultTimeout, defaultSubmodules
 	}
-	values := parsed.Query()
 
 	// ref is the desired git ref to target. Can be specified by in a git URL
 	// with ?ref=<string> or ?version=<string>, although ref takes precedence.
@@ -192,76 +246,142 @@ func peelQuery(arg string) (string, string, time.Duration, bool) {
 		}
 	}
 
-	return parsed.Path, ref, duration, submodules
+	return ref, duration, submodules
 }
 
-func parseHostSpec(n string) (string, string) {
-	var host string
-	// Start accumulating the host part.
-	for _, p := range []string{
-		// Order matters here.
-		"git::", "gh:", "ssh://", "https://", "http://",
-		"git@", "github.com:", "github.com/"} {
-		if len(p) < len(n) && strings.ToLower(n[:len(p)]) == p {
-			n = n[len(p):]
-			host += p
+func extractHost(n string) (string, string, error) {
+	n = ignoreForcedGitProtocol(n)
+	scheme, n := extractScheme(n)
+	username, n := extractUsername(n)
+	stdGithub := isStandardGithubHost(n)
+	acceptSCP := acceptSCPStyle(scheme, username, stdGithub)
+
+	// Validate the username and scheme before attempting host/path parsing, because if the parsing
+	// so far has not succeeded, we will not be able to extract the host and path correctly.
+	if err := validateScheme(scheme, acceptSCP); err != nil {
+		return "", "", err
+	}
+
+	// Now that we have extracted a valid scheme+username, we can parse host itself.
+
+	// The file protocol specifies an absolute path to a local git repo.
+	// Everything after the scheme (including any 'username' we found) is actually part of that path.
+	if scheme == fileScheme {
+		return scheme, username + n, nil
+	}
+	var host, rest = n, ""
+	if sepIndex := findPathSeparator(n, acceptSCP); sepIndex >= 0 {
+		host, rest = n[:sepIndex+1], n[sepIndex+1:]
+	}
+
+	// Github URLs are strictly normalized in a way that may discard scheme and username components.
+	if stdGithub {
+		scheme, username, host = normalizeGithubHostParts(scheme, username)
+	}
+
+	// Host is required, so do not concat the scheme and username if we didn't find one.
+	if host == "" {
+		return "", "", errors.Errorf("failed to parse host segment")
+	}
+	return scheme + username + host, rest, nil
+}
+
+// ignoreForcedGitProtocol strips the "git::" prefix from URLs.
+// We used to use go-getter to handle our urls: https://github.com/hashicorp/go-getter.
+// The git:: prefix signaled go-getter to use the git protocol to fetch the url's contents.
+// We silently strip this prefix to allow these go-getter-style urls to continue to work,
+// although the git protocol (which is insecure and unsupported on many platforms, including Github)
+// will not actually be used as intended.
+func ignoreForcedGitProtocol(n string) string {
+	n, found := trimPrefixIgnoreCase(n, "git::")
+	if found {
+		log.Println("Warning: Forcing the git protocol using the 'git::' URL prefix is not supported. " +
+			"Kustomize currently strips this invalid prefix, but will stop doing so in a future release. " +
+			"Please remove the 'git::' prefix from your configuration.")
+	}
+	return n
+}
+
+// acceptSCPStyle returns true if the scheme and username indicate potential use of an SCP-style URL.
+// With this style, the scheme is not explicit and the path is delimited by a colon.
+// Strictly speaking the username is optional in SCP-like syntax, but Kustomize has always
+// required it for non-Github URLs.
+// Example: user@host.xz:path/to/repo.git/
+func acceptSCPStyle(scheme, username string, isGithubURL bool) bool {
+	return scheme == "" && (username != "" || isGithubURL)
+}
+
+func validateScheme(scheme string, acceptSCPStyle bool) error {
+	// see https://git-scm.com/docs/git-fetch#_git_urls for info relevant to these validations
+	switch scheme {
+	case "":
+		// Empty scheme is only ok if it's a Github URL or if it looks like SCP-style syntax
+		if !acceptSCPStyle {
+			return fmt.Errorf("failed to parse scheme")
+		}
+	case sshScheme, fileScheme, httpsScheme, httpScheme:
+		// These are all supported schemes
+	default:
+		// At time of writing, we should never end up here because we do not parse out
+		// unsupported schemes to begin with.
+		return fmt.Errorf("unsupported scheme %q", scheme)
+	}
+	return nil
+}
+
+const fileScheme = "file://"
+const httpScheme = "http://"
+const httpsScheme = "https://"
+const sshScheme = "ssh://"
+
+func extractScheme(s string) (string, string) {
+	for _, prefix := range []string{sshScheme, httpsScheme, httpScheme, fileScheme} {
+		if rest, found := trimPrefixIgnoreCase(s, prefix); found {
+			return prefix, rest
 		}
 	}
-	if host == "git@" {
-		i := strings.Index(n, "/")
-		if i > -1 {
-			host += n[:i+1]
-			n = n[i+1:]
-		} else {
-			i = strings.Index(n, ":")
-			if i > -1 {
-				host += n[:i+1]
-				n = n[i+1:]
-			}
-		}
-		return host, n
-	}
+	return "", s
+}
 
-	// If host is a http(s) or ssh URL, grab the domain part.
-	for _, p := range []string{
-		"ssh://", "https://", "http://"} {
-		if strings.HasSuffix(host, p) {
-			i := strings.Index(n, "/")
-			if i > -1 {
-				host += n[0 : i+1]
-				n = n[i+1:]
-			}
-			break
+func extractUsername(s string) (string, string) {
+	var userRegexp = regexp.MustCompile(`^([a-zA-Z][a-zA-Z0-9-]*)@`)
+	if m := userRegexp.FindStringSubmatch(s); m != nil {
+		username := m[1] + "@"
+		return username, s[len(username):]
+	}
+	return "", s
+}
+
+func isStandardGithubHost(s string) bool {
+	lowerCased := strings.ToLower(s)
+	return strings.HasPrefix(lowerCased, "github.com/") ||
+		strings.HasPrefix(lowerCased, "github.com:")
+}
+
+// trimPrefixIgnoreCase returns the rest of s and true if prefix, ignoring case, prefixes s.
+// Otherwise, trimPrefixIgnoreCase returns s and false.
+func trimPrefixIgnoreCase(s, prefix string) (string, bool) {
+	if len(prefix) <= len(s) && strings.ToLower(s[:len(prefix)]) == prefix {
+		return s[len(prefix):], true
+	}
+	return s, false
+}
+
+func findPathSeparator(hostPath string, acceptSCP bool) int {
+	sepIndex := strings.Index(hostPath, pathSeparator)
+	if acceptSCP {
+		colonIndex := strings.Index(hostPath, ":")
+		// The colon acts as a delimiter in scp-style ssh URLs only if not prefixed by '/'.
+		if sepIndex == -1 || (colonIndex > 0 && colonIndex < sepIndex) {
+			sepIndex = colonIndex
 		}
 	}
-
-	return normalizeGitHostSpec(host), n
+	return sepIndex
 }
 
-func normalizeGitHostSpec(host string) string {
-	s := strings.ToLower(host)
-	if strings.Contains(s, "github.com") {
-		if strings.Contains(s, "git@") || strings.Contains(s, "ssh:") {
-			host = "git@github.com:"
-		} else {
-			host = "https://github.com/"
-		}
+func normalizeGithubHostParts(scheme, username string) (string, string, string) {
+	if strings.HasPrefix(scheme, sshScheme) || username != "" {
+		return "", username, "github.com:"
 	}
-	if strings.HasPrefix(s, "git::") {
-		host = strings.TrimPrefix(s, "git::")
-	}
-	return host
-}
-
-// The format of Azure repo URL is documented
-// https://docs.microsoft.com/en-us/azure/devops/repos/git/clone?view=vsts&tabs=visual-studio#clone_url
-func isAzureHost(host string) bool {
-	return strings.Contains(host, "dev.azure.com") ||
-		strings.Contains(host, "visualstudio.com")
-}
-
-// The format of AWS repo URL is documented
-// https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html
-func isAWSHost(host string) bool {
-	return strings.Contains(host, "amazonaws.com")
+	return httpsScheme, "", "github.com/"
 }

api/internal/image/image_test.go

@@ -1,12 +1,13 @@
 // Copyright 2020 The Kubernetes Authors.
 // SPDX-License-Identifier: Apache-2.0
 
-package image
+package image_test
 
 import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/internal/image"
 )
 
 func TestIsImageMatched(t *testing.T) {
@@ -50,7 +51,7 @@ func TestIsImageMatched(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.testName, func(t *testing.T) {
-			assert.Equal(t, tc.isMatched, IsImageMatched(tc.value, tc.name))
+			assert.Equal(t, tc.isMatched, image.IsImageMatched(tc.value, tc.name))
 		})
 	}
 }
@@ -116,7 +117,7 @@ func TestSplit(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.testName, func(t *testing.T) {
-			name, tag, digest := Split(tc.value)
+			name, tag, digest := image.Split(tc.value)
 			assert.Equal(t, tc.name, name)
 			assert.Equal(t, tc.tag, tag)
 			assert.Equal(t, tc.digest, digest)

api/internal/konfig/builtinpluginconsts/commonlabels.go

@@ -5,9 +5,6 @@ package builtinpluginconsts
 
 const commonLabelFieldSpecs = `
 commonLabels:
-- path: metadata/labels
-  create: true
-
 - path: spec/selector
   create: true
   version: v1
@@ -17,20 +14,10 @@ commonLabels:
   create: true
   version: v1
   kind: ReplicationController
-
-- path: spec/template/metadata/labels
-  create: true
-  version: v1
-  kind: ReplicationController
-
 - path: spec/selector/matchLabels
   create: true
   kind: Deployment
 
-- path: spec/template/metadata/labels
-  create: true
-  kind: Deployment
-
 - path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
   create: false
   group: apps
@@ -60,28 +47,15 @@ commonLabels:
   create: true
   kind: ReplicaSet
 
-- path: spec/template/metadata/labels
-  create: true
-  kind: ReplicaSet
-
 - path: spec/selector/matchLabels
   create: true
   kind: DaemonSet
 
-- path: spec/template/metadata/labels
-  create: true
-  kind: DaemonSet
-
 - path: spec/selector/matchLabels
   create: true
   group: apps
   kind: StatefulSet
 
-- path: spec/template/metadata/labels
-  create: true
-  group: apps
-  kind: StatefulSet
-
 - path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels
   create: false
   group: apps
@@ -107,36 +81,16 @@ commonLabels:
   group: apps
   kind: StatefulSet
 
-- path: spec/volumeClaimTemplates[]/metadata/labels
-  create: true
-  group: apps
-  kind: StatefulSet
-
 - path: spec/selector/matchLabels
   create: false
   group: batch
   kind: Job
 
-- path: spec/template/metadata/labels
-  create: true
-  group: batch
-  kind: Job
-
 - path: spec/jobTemplate/spec/selector/matchLabels
   create: false
   group: batch
   kind: CronJob
 
-- path: spec/jobTemplate/metadata/labels
-  create: true
-  group: batch
-  kind: CronJob
-
-- path: spec/jobTemplate/spec/template/metadata/labels
-  create: true
-  group: batch
-  kind: CronJob
-
 - path: spec/selector/matchLabels
   create: false
   group: policy
@@ -156,4 +110,4 @@ commonLabels:
   create: false
   group: networking.k8s.io
   kind: NetworkPolicy
-`
+` + metadataLabelsFieldSpecs

api/internal/konfig/builtinpluginconsts/defaultconfig.go

@@ -13,6 +13,7 @@ func GetDefaultFieldSpecs() []byte {
 		[]byte(namePrefixFieldSpecs),
 		[]byte(nameSuffixFieldSpecs),
 		[]byte(commonLabelFieldSpecs),
+		[]byte(templateLabelFieldSpecs),
 		[]byte(commonAnnotationFieldSpecs),
 		[]byte(namespaceFieldSpecs),
 		[]byte(varReferenceFieldSpecs),
@@ -30,6 +31,7 @@ func GetDefaultFieldSpecsAsMap() map[string]string {
 	result["nameprefix"] = namePrefixFieldSpecs
 	result["namesuffix"] = nameSuffixFieldSpecs
 	result["commonlabels"] = commonLabelFieldSpecs
+	result["templatelabels"] = templateLabelFieldSpecs
 	result["commonannotations"] = commonAnnotationFieldSpecs
 	result["namespace"] = namespaceFieldSpecs
 	result["varreference"] = varReferenceFieldSpecs

api/internal/konfig/builtinpluginconsts/metadatalabels.go

@@ -0,0 +1,51 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const metadataLabelsFieldSpecs = `
+- path: metadata/labels
+  create: true
+
+- path: spec/template/metadata/labels
+  create: true
+  version: v1
+  kind: ReplicationController
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: Deployment
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: ReplicaSet
+
+- path: spec/template/metadata/labels
+  create: true
+  kind: DaemonSet
+
+- path: spec/template/metadata/labels
+  create: true
+  group: apps
+  kind: StatefulSet
+
+- path: spec/volumeClaimTemplates[]/metadata/labels
+  create: true
+  group: apps
+  kind: StatefulSet
+
+- path: spec/template/metadata/labels
+  create: true
+  group: batch
+  kind: Job
+
+- path: spec/jobTemplate/metadata/labels
+  create: true
+  group: batch
+  kind: CronJob
+
+- path: spec/jobTemplate/spec/template/metadata/labels
+  create: true
+  group: batch
+  kind: CronJob
+`

api/internal/konfig/builtinpluginconsts/templatelabels.go

@@ -0,0 +1,8 @@
+// Copyright 2019 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package builtinpluginconsts
+
+const templateLabelFieldSpecs = `
+templateLabels:
+` + metadataLabelsFieldSpecs

api/internal/loader/fileloader.go

@@ -5,7 +5,7 @@ package loader
 
 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
 	"net/http"
 	"net/url"
@@ -18,7 +18,14 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
-// fileLoader is a kustomization's interface to files.
+// IsRemoteFile returns whether path has a url scheme that kustomize allows for
+// remote files. See https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md
+func IsRemoteFile(path string) bool {
+	u, err := url.Parse(path)
+	return err == nil && (u.Scheme == "http" || u.Scheme == "https")
+}
+
+// FileLoader is a kustomization's interface to files.
 //
 // The directory in which a kustomization file sits
 // is referred to below as the kustomization's _root_.
@@ -31,49 +38,48 @@ import (
 //
 // * supplemental data paths
 //
-//   `Load` is used to visit these paths.
+//	`Load` is used to visit these paths.
 //
-//   These paths refer to resources, patches,
-//   data for ConfigMaps and Secrets, etc.
+//	These paths refer to resources, patches,
+//	data for ConfigMaps and Secrets, etc.
 //
-//   The loadRestrictor may disallow certain paths
-//   or classes of paths.
+//	The loadRestrictor may disallow certain paths
+//	or classes of paths.
 //
 // * bases (other kustomizations)
 //
-//   `New` is used to load bases.
+//	`New` is used to load bases.
 //
-//   A base can be either a remote git repo URL, or
-//   a directory specified relative to the current
-//   root. In the former case, the repo is locally
-//   cloned, and the new loader is rooted on a path
-//   in that clone.
+//	A base can be either a remote git repo URL, or
+//	a directory specified relative to the current
+//	root. In the former case, the repo is locally
+//	cloned, and the new loader is rooted on a path
+//	in that clone.
 //
-//   As loaders create new loaders, a root history
-//   is established, and used to disallow:
+//	As loaders create new loaders, a root history
+//	is established, and used to disallow:
 //
-//   - A base that is a repository that, in turn,
-//     specifies a base repository seen previously
-//     in the loading stack (a cycle).
+//	- A base that is a repository that, in turn,
+//	  specifies a base repository seen previously
+//	  in the loading stack (a cycle).
 //
-//   - An overlay depending on a base positioned at
-//     or above it.  I.e. '../foo' is OK, but '.',
-//     '..', '../..', etc. are disallowed.  Allowing
-//     such a base has no advantages and encourages
-//     cycles, particularly if some future change
-//     were to introduce globbing to file
-//     specifications in the kustomization file.
+//	- An overlay depending on a base positioned at
+//	  or above it.  I.e. '../foo' is OK, but '.',
+//	  '..', '../..', etc. are disallowed.  Allowing
+//	  such a base has no advantages and encourages
+//	  cycles, particularly if some future change
+//	  were to introduce globbing to file
+//	  specifications in the kustomization file.
 //
 // These restrictions assure that kustomizations
 // are self-contained and relocatable, and impose
 // some safety when relying on remote kustomizations,
 // e.g. a remotely loaded ConfigMap generator specified
 // to read from /etc/passwd will fail.
-//
-type fileLoader struct {
+type FileLoader struct {
 	// Loader that spawned this loader.
 	// Used to avoid cycles.
-	referrer *fileLoader
+	referrer *FileLoader
 
 	// An absolute, cleaned path to a directory.
 	// The Load function will read non-absolute
@@ -100,29 +106,24 @@ type fileLoader struct {
 	cleaner func() error
 }
 
-// NewFileLoaderAtCwd returns a loader that loads from PWD.
-// A convenience for kustomize edit commands.
-func NewFileLoaderAtCwd(fSys filesys.FileSystem) *fileLoader {
-	return newLoaderOrDie(
-		RestrictionRootOnly, fSys, filesys.SelfDir)
-}
-
-// NewFileLoaderAtRoot returns a loader that loads from "/".
-// A convenience for tests.
-func NewFileLoaderAtRoot(fSys filesys.FileSystem) *fileLoader {
-	return newLoaderOrDie(
-		RestrictionRootOnly, fSys, filesys.Separator)
+// Repo returns the absolute path to the repo that contains Root if this fileLoader was created from a url
+// or the empty string otherwise.
+func (fl *FileLoader) Repo() string {
+	if fl.repoSpec != nil {
+		return fl.repoSpec.Dir.String()
+	}
+	return ""
 }
 
 // Root returns the absolute path that is prepended to any
 // relative paths used in Load.
-func (fl *fileLoader) Root() string {
+func (fl *FileLoader) Root() string {
 	return fl.root.String()
 }
 
-func newLoaderOrDie(
+func NewLoaderOrDie(
 	lr LoadRestrictorFunc,
-	fSys filesys.FileSystem, path string) *fileLoader {
+	fSys filesys.FileSystem, path string) *FileLoader {
 	root, err := filesys.ConfirmDir(fSys, path)
 	if err != nil {
 		log.Fatalf("unable to make loader at '%s'; %v", path, err)
@@ -131,12 +132,12 @@ func newLoaderOrDie(
 		lr, root, fSys, nil, git.ClonerUsingGitExec)
 }
 
-// newLoaderAtConfirmedDir returns a new fileLoader with given root.
+// newLoaderAtConfirmedDir returns a new FileLoader with given root.
 func newLoaderAtConfirmedDir(
 	lr LoadRestrictorFunc,
 	root filesys.ConfirmedDir, fSys filesys.FileSystem,
-	referrer *fileLoader, cloner git.Cloner) *fileLoader {
-	return &fileLoader{
+	referrer *FileLoader, cloner git.Cloner) *FileLoader {
+	return &FileLoader{
 		loadRestrictor: lr,
 		root:           root,
 		referrer:       referrer,
@@ -148,7 +149,7 @@ func newLoaderAtConfirmedDir(
 
 // New returns a new Loader, rooted relative to current loader,
 // or rooted in a temp directory holding a git repo clone.
-func (fl *fileLoader) New(path string) (ifc.Loader, error) {
+func (fl *FileLoader) New(path string) (ifc.Loader, error) {
 	if path == "" {
 		return nil, errors.Errorf("new root cannot be empty")
 	}
@@ -184,7 +185,7 @@ func (fl *fileLoader) New(path string) (ifc.Loader, error) {
 // directory holding a cloned git repo.
 func newLoaderAtGitClone(
 	repoSpec *git.RepoSpec, fSys filesys.FileSystem,
-	referrer *fileLoader, cloner git.Cloner) (ifc.Loader, error) {
+	referrer *FileLoader, cloner git.Cloner) (ifc.Loader, error) {
 	cleaner := repoSpec.Cleaner(fSys)
 	err := cloner(repoSpec)
 	if err != nil {
@@ -206,7 +207,14 @@ func newLoaderAtGitClone(
 			"'%s' refers to file '%s'; expecting directory",
 			repoSpec.AbsPath(), f)
 	}
-	return &fileLoader{
+	// Path in repo can contain symlinks that exit repo. We can only
+	// check for this after cloning repo.
+	if !root.HasPrefix(repoSpec.CloneDir()) {
+		_ = cleaner()
+		return nil, fmt.Errorf("%q refers to directory outside of repo %q", repoSpec.AbsPath(),
+			repoSpec.CloneDir())
+	}
+	return &FileLoader{
 		// Clones never allowed to escape root.
 		loadRestrictor: RestrictionRootOnly,
 		root:           root,
@@ -218,7 +226,7 @@ func newLoaderAtGitClone(
 	}, nil
 }
 
-func (fl *fileLoader) errIfGitContainmentViolation(
+func (fl *FileLoader) errIfGitContainmentViolation(
 	base filesys.ConfirmedDir) error {
 	containingRepo := fl.containingRepo()
 	if containingRepo == nil {
@@ -236,7 +244,7 @@ func (fl *fileLoader) errIfGitContainmentViolation(
 
 // Looks back through referrers for a git repo, returning nil
 // if none found.
-func (fl *fileLoader) containingRepo() *git.RepoSpec {
+func (fl *FileLoader) containingRepo() *git.RepoSpec {
 	if fl.repoSpec != nil {
 		return fl.repoSpec
 	}
@@ -248,7 +256,7 @@ func (fl *fileLoader) containingRepo() *git.RepoSpec {
 
 // errIfArgEqualOrHigher tests whether the argument,
 // is equal to or above the root of any ancestor.
-func (fl *fileLoader) errIfArgEqualOrHigher(
+func (fl *FileLoader) errIfArgEqualOrHigher(
 	candidateRoot filesys.ConfirmedDir) error {
 	if fl.root.HasPrefix(candidateRoot) {
 		return fmt.Errorf(
@@ -265,7 +273,7 @@ func (fl *fileLoader) errIfArgEqualOrHigher(
 // I.e. Allow a distinction between git URI with
 // path foo and tag bar and a git URI with the same
 // path but a different tag?
-func (fl *fileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
+func (fl *FileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
 	// TODO(monopole): Use parsed data instead of Raw().
 	if fl.repoSpec != nil &&
 		strings.HasPrefix(fl.repoSpec.Raw(), newRepoSpec.Raw()) {
@@ -282,31 +290,9 @@ func (fl *fileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
 // Load returns the content of file at the given path,
 // else an error. Relative paths are taken relative
 // to the root.
-func (fl *fileLoader) Load(path string) ([]byte, error) {
-	if u, err := url.Parse(path); err == nil && (u.Scheme == "http" || u.Scheme == "https") {
-		var hc *http.Client
-		if fl.http != nil {
-			hc = fl.http
-		} else {
-			hc = &http.Client{}
-		}
-		resp, err := hc.Get(path)
-		if err != nil {
-			return nil, err
-		}
-		defer resp.Body.Close()
-		if resp.StatusCode < 200 || resp.StatusCode > 299 {
-			_, err := git.NewRepoSpecFromURL(path)
-			if err == nil {
-				return nil, errors.Errorf("URL is a git repository")
-			}
-			return nil, fmt.Errorf("%w: status code %d (%s)", ErrHTTP, resp.StatusCode, http.StatusText(resp.StatusCode))
-		}
-		body, err := ioutil.ReadAll(resp.Body)
-		if err != nil {
-			return nil, err
-		}
-		return body, nil
+func (fl *FileLoader) Load(path string) ([]byte, error) {
+	if IsRemoteFile(path) {
+		return fl.httpClientGetContent(path)
 	}
 	if !filepath.IsAbs(path) {
 		path = fl.root.Join(path)
@@ -318,7 +304,31 @@ func (fl *fileLoader) Load(path string) ([]byte, error) {
 	return fl.fSys.ReadFile(path)
 }
 
+func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
+	var hc *http.Client
+	if fl.http != nil {
+		hc = fl.http
+	} else {
+		hc = &http.Client{}
+	}
+	resp, err := hc.Get(path)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	defer resp.Body.Close()
+	// response unsuccessful
+	if resp.StatusCode < 200 || resp.StatusCode > 299 {
+		_, err = git.NewRepoSpecFromURL(path)
+		if err == nil {
+			return nil, errors.Errorf("URL is a git repository")
+		}
+		return nil, fmt.Errorf("%w: status code %d (%s)", ErrHTTP, resp.StatusCode, http.StatusText(resp.StatusCode))
+	}
+	content, err := io.ReadAll(resp.Body)
+	return content, errors.Wrap(err)
+}
+
 // Cleanup runs the cleaner.
-func (fl *fileLoader) Cleanup() error {
+func (fl *FileLoader) Cleanup() error {
 	return fl.cleaner()
 }

api/internal/loader/fileloader_test.go

@@ -5,7 +5,8 @@ package loader
 
 import (
 	"bytes"
-	"io/ioutil"
+	"fmt"
+	"io"
 	"net/http"
 	"os"
 	"path"
@@ -21,6 +22,45 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
+func TestIsRemoteFile(t *testing.T) {
+	cases := map[string]struct {
+		url   string
+		valid bool
+	}{
+		"https file": {
+			"https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/examples/helloWorld/configMap.yaml",
+			true,
+		},
+		"malformed https": {
+			// TODO(annasong): Maybe we want to fix this. Needs more research.
+			"https:/raw.githubusercontent.com/kubernetes-sigs/kustomize/master/examples/helloWorld/configMap.yaml",
+			true,
+		},
+		"https dir": {
+			"https://github.com/kubernetes-sigs/kustomize//examples/helloWorld/",
+			true,
+		},
+		"no scheme": {
+			"github.com/kubernetes-sigs/kustomize//examples/helloWorld/",
+			false,
+		},
+		"ssh": {
+			"ssh://git@github.com/kubernetes-sigs/kustomize.git",
+			false,
+		},
+		"local": {
+			"pod.yaml",
+			false,
+		},
+	}
+	for name, test := range cases {
+		test := test
+		t.Run(name, func(t *testing.T) {
+			require.Equal(t, test.valid, IsRemoteFile(test.url))
+		})
+	}
+}
+
 type testData struct {
 	path            string
 	expectedContent string
@@ -53,14 +93,17 @@ func MakeFakeFs(td []testData) filesys.FileSystem {
 	return fSys
 }
 
-func makeLoader() *fileLoader {
-	return NewFileLoaderAtRoot(MakeFakeFs(testCases))
+func makeLoader() *FileLoader {
+	return NewLoaderOrDie(
+		RestrictionRootOnly, MakeFakeFs(testCases), filesys.Separator)
 }
 
 func TestLoaderLoad(t *testing.T) {
 	require := require.New(t)
 
 	l1 := makeLoader()
+	repo := l1.Repo()
+	require.Empty(repo)
 	require.Equal("/", l1.Root())
 
 	for _, x := range testCases {
@@ -73,6 +116,9 @@ func TestLoaderLoad(t *testing.T) {
 	}
 	l2, err := l1.New("foo/project")
 	require.NoError(err)
+
+	repo = l2.Repo()
+	require.Empty(repo)
 	require.Equal("/foo/project", l2.Root())
 
 	for _, x := range testCases {
@@ -156,13 +202,52 @@ func TestLoaderBadRelative(t *testing.T) {
 	require.Error(err)
 }
 
-func TestLoaderMisc(t *testing.T) {
-	l := makeLoader()
-	_, err := l.New("")
+func TestNewEmptyLoader(t *testing.T) {
+	_, err := makeLoader().New("")
 	require.Error(t, err)
+}
 
-	_, err = l.New("https://google.com/project")
-	require.Error(t, err)
+func TestNewRemoteLoaderDoesNotExist(t *testing.T) {
+	_, err := makeLoader().New("https://example.com/org/repo")
+	require.ErrorContains(t, err, "fetch")
+}
+
+func TestLoaderLocalScheme(t *testing.T) {
+	// It is unlikely but possible for a reference with a url scheme to
+	// actually refer to a local file or directory.
+	t.Run("file", func(t *testing.T) {
+		fSys, dir := setupOnDisk(t)
+		parts := []string{
+			"ssh:",
+			"resource.yaml",
+		}
+		require.NoError(t, fSys.Mkdir(dir.Join(parts[0])))
+		const content = "resource config"
+		require.NoError(t, fSys.WriteFile(
+			dir.Join(filepath.Join(parts...)),
+			[]byte(content),
+		))
+		actualContent, err := NewLoaderOrDie(RestrictionRootOnly,
+			fSys,
+			dir.String(),
+		).Load(strings.Join(parts, "//"))
+		require.NoError(t, err)
+		require.Equal(t, content, string(actualContent))
+	})
+	t.Run("directory", func(t *testing.T) {
+		fSys, dir := setupOnDisk(t)
+		parts := []string{
+			"https:",
+			"root",
+		}
+		require.NoError(t, fSys.MkdirAll(dir.Join(filepath.Join(parts...))))
+		ldr, err := NewLoaderOrDie(RestrictionRootOnly,
+			fSys,
+			dir.String(),
+		).New(strings.Join(parts, "//"))
+		require.NoError(t, err)
+		require.Empty(t, ldr.Repo())
+	})
 }
 
 const (
@@ -172,17 +257,17 @@ const (
 
 // Create a structure like this
 //
-//   /tmp/kustomize-test-random
-//   ├── base
-//   │   ├── okayData
-//   │   ├── symLinkToOkayData -> okayData
-//   │   └── symLinkToExteriorData -> ../exteriorData
-//   └── exteriorData
-//
+//	/tmp/kustomize-test-random
+//	├── base
+//	│   ├── okayData
+//	│   ├── symLinkToOkayData -> okayData
+//	│   └── symLinkToExteriorData -> ../exteriorData
+//	└── exteriorData
 func commonSetupForLoaderRestrictionTest(t *testing.T) (string, filesys.FileSystem) {
 	t.Helper()
-	dir := t.TempDir()
-	fSys := filesys.MakeFsOnDisk()
+	fSys, tmpDir := setupOnDisk(t)
+	dir := tmpDir.String()
+
 	fSys.Mkdir(filepath.Join(dir, "base"))
 
 	fSys.WriteFile(
@@ -238,7 +323,7 @@ func TestRestrictionRootOnlyInRealLoader(t *testing.T) {
 
 	var l ifc.Loader
 
-	l = newLoaderOrDie(RestrictionRootOnly, fSys, dir)
+	l = NewLoaderOrDie(RestrictionRootOnly, fSys, dir)
 
 	l = doSanityChecksAndDropIntoBase(t, l)
 
@@ -259,7 +344,7 @@ func TestRestrictionNoneInRealLoader(t *testing.T) {
 
 	var l ifc.Loader
 
-	l = newLoaderOrDie(RestrictionNone, fSys, dir)
+	l = NewLoaderOrDie(RestrictionNone, fSys, dir)
 
 	l = doSanityChecksAndDropIntoBase(t, l)
 
@@ -322,6 +407,8 @@ whatever
 		repoSpec, fSys, nil,
 		git.DoNothingCloner(filesys.ConfirmedDir(coRoot)))
 	require.NoError(err)
+	repo := l.Repo()
+	require.Equal(coRoot, repo)
 	require.Equal(coRoot+"/"+pathInRepo, l.Root())
 
 	_, err = l.New(url)
@@ -335,6 +422,9 @@ whatever
 	url = rootURL + "/" + pathInRepo
 	l2, err := l.New(url)
 	require.NoError(err)
+
+	repo = l2.Repo()
+	require.Equal(coRoot, repo)
 	require.Equal(coRoot+"/"+pathInRepo, l2.Root())
 }
 
@@ -353,7 +443,7 @@ func TestLoaderDisallowsLocalBaseFromRemoteOverlay(t *testing.T) {
 
 	// Establish that a local overlay can navigate
 	// to the local bases.
-	l1 = newLoaderOrDie(
+	l1 = NewLoaderOrDie(
 		RestrictionRootOnly, fSys, cloneRoot+"/foo/overlay")
 	require.Equal(cloneRoot+"/foo/overlay", l1.Root())
 
@@ -389,6 +479,8 @@ func TestLoaderDisallowsLocalBaseFromRemoteOverlay(t *testing.T) {
 	// This is okay.
 	l2, err = l1.New("../base")
 	require.NoError(err)
+	repo := l2.Repo()
+	require.Empty(repo)
 	require.Equal(cloneRoot+"/foo/base", l2.Root())
 
 	// This is not okay.
@@ -398,6 +490,23 @@ func TestLoaderDisallowsLocalBaseFromRemoteOverlay(t *testing.T) {
 		"base '/whatever/highBase' is outside '/whatever/someClone'")
 }
 
+func TestLoaderDisallowsRemoteBaseExitRepo(t *testing.T) {
+	fSys, dir := setupOnDisk(t)
+
+	repo := dir.Join("repo")
+	require.NoError(t, fSys.Mkdir(repo))
+
+	base := filepath.Join(repo, "base")
+	require.NoError(t, os.Symlink(dir.String(), base))
+
+	repoSpec, err := git.NewRepoSpecFromURL("https://github.com/org/repo/base")
+	require.NoError(t, err)
+
+	_, err = newLoaderAtGitClone(repoSpec, fSys, nil, git.DoNothingCloner(filesys.ConfirmedDir(repo)))
+	require.Error(t, err)
+	require.Contains(t, err.Error(), fmt.Sprintf("%q refers to directory outside of repo %q", base, repo))
+}
+
 func TestLocalLoaderReferencingGitBase(t *testing.T) {
 	require := require.New(t)
 
@@ -414,6 +523,8 @@ func TestLocalLoaderReferencingGitBase(t *testing.T) {
 
 	l2, err := l1.New("github.com/someOrg/someRepo/foo/base")
 	require.NoError(err)
+	repo := l2.Repo()
+	require.Equal(cloneRoot, repo)
 	require.Equal(cloneRoot+"/foo/base", l2.Root())
 }
 
@@ -490,7 +601,8 @@ func TestLoaderHTTP(t *testing.T) {
 		},
 	}
 
-	l1 := NewFileLoaderAtRoot(MakeFakeFs(testCasesFile))
+	l1 := NewLoaderOrDie(
+		RestrictionRootOnly, MakeFakeFs(testCasesFile), filesys.Separator)
 	require.Equal("/", l1.Root())
 
 	for _, x := range testCasesFile {
@@ -518,7 +630,7 @@ func TestLoaderHTTP(t *testing.T) {
 			require.Equal(x.path, u)
 			return &http.Response{
 				StatusCode: 200,
-				Body:       ioutil.NopCloser(bytes.NewBufferString(x.expectedContent)),
+				Body:       io.NopCloser(bytes.NewBufferString(x.expectedContent)),
 				Header:     make(http.Header),
 			}
 		})
@@ -548,3 +660,19 @@ func TestLoaderHTTP(t *testing.T) {
 		require.Error(err)
 	}
 }
+
+// setupOnDisk sets up a file system on disk and directory that is cleaned after
+// test completion.
+// TODO(annasong): Move all loader tests that require real file system into
+// api/krusty.
+func setupOnDisk(t *testing.T) (filesys.FileSystem, filesys.ConfirmedDir) {
+	t.Helper()
+
+	fSys := filesys.MakeFsOnDisk()
+	dir, err := filesys.NewTmpConfirmedDir()
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = fSys.RemoveAll(dir.String())
+	})
+	return fSys, dir
+}

api/internal/localizer/builtinplugins.go

@@ -0,0 +1,152 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer
+
+import (
+	"sigs.k8s.io/kustomize/api/filters/fieldspec"
+	"sigs.k8s.io/kustomize/api/filters/filtersutil"
+	"sigs.k8s.io/kustomize/api/filters/fsslice"
+	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/kio"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+// localizeBuiltinPlugins localizes built-in plugins with file paths.
+// Note that this excludes helm, which needs a repo.
+type localizeBuiltinPlugins struct {
+	lc *localizer
+
+	// locPathFn is used by localizeNode to set the localized path on the plugin.
+	locPathFn func(string) (string, error)
+}
+
+var _ kio.Filter = &localizeBuiltinPlugins{}
+
+// Filter localizes the built-in plugins with file paths.
+func (lbp *localizeBuiltinPlugins) Filter(plugins []*yaml.RNode) ([]*yaml.RNode, error) {
+	for _, singlePlugin := range plugins {
+		err := singlePlugin.PipeE(fsslice.Filter{
+			FsSlice: types.FsSlice{
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.ConfigMapGenerator.String()},
+					Path: "env",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.ConfigMapGenerator.String()},
+					Path: "envs",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.SecretGenerator.String()},
+					Path: "env",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.SecretGenerator.String()},
+					Path: "envs",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.HelmChartInflationGenerator.String()},
+					Path: "valuesFile",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.HelmChartInflationGenerator.String()},
+					Path: "additionalValuesFiles",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.PatchTransformer.String()},
+					Path: "path",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.PatchJson6902Transformer.String()},
+					Path: "path",
+				},
+				types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.ReplacementTransformer.String()},
+					Path: "replacements/path",
+				},
+			},
+			SetValue: func(node *yaml.RNode) error {
+				lbp.locPathFn = lbp.lc.localizeFile
+				return lbp.localizeAll(node)
+			},
+		},
+			fsslice.Filter{
+				FsSlice: types.FsSlice{
+					types.FieldSpec{
+						Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.ConfigMapGenerator.String()},
+						Path: "files",
+					},
+					types.FieldSpec{
+						Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.SecretGenerator.String()},
+						Path: "files",
+					},
+				},
+				SetValue: func(node *yaml.RNode) error {
+					lbp.locPathFn = lbp.lc.localizeFileSource
+					return lbp.localizeAll(node)
+				},
+			},
+			yaml.FilterFunc(func(node *yaml.RNode) (*yaml.RNode, error) {
+				isHelm := node.GetApiVersion() == konfig.BuiltinPluginApiVersion &&
+					node.GetKind() == builtinhelpers.HelmChartInflationGenerator.String()
+				if !isHelm {
+					return node, nil
+				}
+				home, err := node.Pipe(yaml.Lookup("chartHome"))
+				if err != nil {
+					return nil, errors.Wrap(err)
+				}
+				if home == nil {
+					_, err = lbp.lc.copyChartHomeEntry("")
+				} else {
+					lbp.locPathFn = lbp.lc.copyChartHomeEntry
+					err = lbp.localizeScalar(home)
+				}
+				return node, errors.WrapPrefixf(err, "plugin %s", resid.FromRNode(node))
+			}),
+			fieldspec.Filter{
+				FieldSpec: types.FieldSpec{
+					Gvk:  resid.Gvk{Version: konfig.BuiltinPluginApiVersion, Kind: builtinhelpers.PatchStrategicMergeTransformer.String()},
+					Path: "paths",
+				},
+				SetValue: func(node *yaml.RNode) error {
+					lbp.locPathFn = lbp.lc.localizeK8sResource
+					return lbp.localizeAll(node)
+				},
+			})
+		if err != nil {
+			return nil, errors.Wrap(err)
+		}
+	}
+	return plugins, nil
+}
+
+// localizeAll sets each entry in node to its value localized by locPathFn.
+// Node is a sequence or scalar value.
+func (lbp *localizeBuiltinPlugins) localizeAll(node *yaml.RNode) error {
+	// We rely on the build command to throw errors for nodes in
+	// built-in plugins that are sequences when expected to be scalar,
+	// and vice versa.
+	//nolint: exhaustive
+	switch node.YNode().Kind {
+	case yaml.SequenceNode:
+		return errors.Wrap(node.VisitElements(lbp.localizeScalar))
+	case yaml.ScalarNode:
+		return lbp.localizeScalar(node)
+	default:
+		return errors.Errorf("expected sequence or scalar node")
+	}
+}
+
+// localizeScalar sets the scalar node to its value localized by locPathFn.
+func (lbp *localizeBuiltinPlugins) localizeScalar(node *yaml.RNode) error {
+	localizedPath, err := lbp.locPathFn(node.YNode().Value)
+	if err != nil {
+		return err
+	}
+	return filtersutil.SetScalar(localizedPath)(node)
+}

api/internal/localizer/doc.go

@@ -0,0 +1,7 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package localizer contains utilities for the command kustomize localize, which is
+// documented under proposals/localize-command or at
+// https://github.com/kubernetes-sigs/kustomize/blob/master/proposals/22-04-localize-command.md
+package localizer

api/internal/localizer/errors.go

@@ -0,0 +1,27 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer
+
+import "fmt"
+
+type ResourceLoadError struct {
+	InlineError error
+	FileError   error
+}
+
+func (rle ResourceLoadError) Error() string {
+	return fmt.Sprintf(`when parsing as inline received error: %s
+when parsing as filepath received error: %s`, rle.InlineError, rle.FileError)
+}
+
+type PathLocalizeError struct {
+	Path      string
+	FileError error
+	RootError error
+}
+
+func (ple PathLocalizeError) Error() string {
+	return fmt.Sprintf(`could not localize path %q as file: %s; could not localize path %q as directory: %s`,
+		ple.Path, ple.FileError, ple.Path, ple.RootError)
+}

api/internal/localizer/localizer.go

@@ -0,0 +1,613 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer
+
+import (
+	"io/fs"
+	"log"
+	"os"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/generators"
+	"sigs.k8s.io/kustomize/api/internal/loader"
+	"sigs.k8s.io/kustomize/api/internal/target"
+	"sigs.k8s.io/kustomize/api/provider"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+	"sigs.k8s.io/yaml"
+)
+
+// localizer encapsulates all state needed to localize the root at ldr.
+type localizer struct {
+	fSys filesys.FileSystem
+
+	// underlying type is Loader
+	ldr ifc.Loader
+
+	// root is at ldr.Root()
+	root filesys.ConfirmedDir
+
+	rFactory *resmap.Factory
+
+	// destination directory in newDir that mirrors root
+	dst string
+}
+
+// Run attempts to localize the kustomization root at target with the given localize arguments
+// and returns the path to the created newDir.
+func Run(target, scope, newDir string, fSys filesys.FileSystem) (string, error) {
+	ldr, args, err := NewLoader(target, scope, newDir, fSys)
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	defer func() { _ = ldr.Cleanup() }()
+
+	toDst, err := filepath.Rel(args.Scope.String(), args.Target.String())
+	if err != nil {
+		log.Panicf("cannot find path from %q to child directory %q: %s", args.Scope, args.Target, err)
+	}
+	dst := args.NewDir.Join(toDst)
+	if err = fSys.MkdirAll(dst); err != nil {
+		return "", errors.WrapPrefixf(err, "unable to create directory in localize destination")
+	}
+
+	err = (&localizer{
+		fSys:     fSys,
+		ldr:      ldr,
+		root:     args.Target,
+		rFactory: resmap.NewFactory(provider.NewDepProvider().GetResourceFactory()),
+		dst:      dst,
+	}).localize()
+	if err != nil {
+		errCleanup := fSys.RemoveAll(args.NewDir.String())
+		if errCleanup != nil {
+			log.Printf("unable to clean localize destination: %s", errCleanup)
+		}
+		return "", errors.WrapPrefixf(err, "unable to localize target %q", target)
+	}
+	return args.NewDir.String(), nil
+}
+
+// localize localizes the root that lc is at
+func (lc *localizer) localize() error {
+	kustomization, kustFileName, err := lc.load()
+	if err != nil {
+		return err
+	}
+	err = lc.localizeNativeFields(kustomization)
+	if err != nil {
+		return err
+	}
+	err = lc.localizeBuiltinPlugins(kustomization)
+	if err != nil {
+		return err
+	}
+
+	content, err := yaml.Marshal(kustomization)
+	if err != nil {
+		return errors.WrapPrefixf(err, "unable to serialize localized kustomization file")
+	}
+	if err = lc.fSys.WriteFile(filepath.Join(lc.dst, kustFileName), content); err != nil {
+		return errors.WrapPrefixf(err, "unable to write localized kustomization file")
+	}
+	return nil
+}
+
+// load returns the kustomization at lc.root and the file name under which it was found
+func (lc *localizer) load() (*types.Kustomization, string, error) {
+	content, kustFileName, err := target.LoadKustFile(lc.ldr)
+	if err != nil {
+		return nil, "", errors.Wrap(err)
+	}
+
+	var kust types.Kustomization
+	err = (&kust).Unmarshal(content)
+	if err != nil {
+		return nil, "", errors.Wrap(err)
+	}
+
+	// Localize intentionally does not replace legacy fields to return a localized kustomization
+	// with as much resemblance to the original as possible.
+	// Localize also intentionally does not enforce fields, as localize does not wish to unnecessarily
+	// repeat the responsibilities of kustomize build.
+
+	return &kust, kustFileName, nil
+}
+
+// localizeNativeFields localizes paths on kustomize-native fields, like configMapGenerator, that kustomize has a
+// built-in understanding of. This excludes helm-related fields, such as `helmGlobals` and `helmCharts`.
+func (lc *localizer) localizeNativeFields(kust *types.Kustomization) error {
+	if path, exists := kust.OpenAPI["path"]; exists {
+		locPath, err := lc.localizeFile(path)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize openapi path")
+		}
+		kust.OpenAPI["path"] = locPath
+	}
+
+	for fieldName, field := range map[string]struct {
+		paths []string
+		locFn func(string) (string, error)
+	}{
+		"bases": {
+			// Allow use of deprecated field
+			//nolint:staticcheck
+			kust.Bases,
+			lc.localizeRoot,
+		},
+		"components": {
+			kust.Components,
+			lc.localizeRoot,
+		},
+		"configurations": {
+			kust.Configurations,
+			lc.localizeFile,
+		},
+		"crds": {
+			kust.Crds,
+			lc.localizeFile,
+		},
+		"resources": {
+			kust.Resources,
+			lc.localizeResource,
+		},
+	} {
+		for i, path := range field.paths {
+			locPath, err := field.locFn(path)
+			if err != nil {
+				return errors.WrapPrefixf(err, "unable to localize %s entry", fieldName)
+			}
+			field.paths[i] = locPath
+		}
+	}
+
+	for i := range kust.ConfigMapGenerator {
+		if err := lc.localizeGenerator(&kust.ConfigMapGenerator[i].GeneratorArgs); err != nil {
+			return errors.WrapPrefixf(err, "unable to localize configMapGenerator")
+		}
+	}
+	for i := range kust.SecretGenerator {
+		if err := lc.localizeGenerator(&kust.SecretGenerator[i].GeneratorArgs); err != nil {
+			return errors.WrapPrefixf(err, "unable to localize secretGenerator")
+		}
+	}
+	if err := lc.localizeHelmInflationGenerator(kust); err != nil {
+		return err
+	}
+	if err := lc.localizeHelmCharts(kust); err != nil {
+		return err
+	}
+	if err := lc.localizePatches(kust.Patches); err != nil {
+		return errors.WrapPrefixf(err, "unable to localize patches")
+	}
+	//nolint:staticcheck
+	if err := lc.localizePatches(kust.PatchesJson6902); err != nil {
+		return errors.WrapPrefixf(err, "unable to localize patchesJson6902")
+	}
+	//nolint:staticcheck
+	for i, patch := range kust.PatchesStrategicMerge {
+		locPath, err := lc.localizeK8sResource(string(patch))
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize patchesStrategicMerge entry")
+		}
+		kust.PatchesStrategicMerge[i] = types.PatchStrategicMerge(locPath)
+	}
+	for i, replacement := range kust.Replacements {
+		locPath, err := lc.localizeFile(replacement.Path)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize replacements entry")
+		}
+		kust.Replacements[i].Path = locPath
+	}
+	return nil
+}
+
+// localizeGenerator localizes the file paths on generator.
+func (lc *localizer) localizeGenerator(generator *types.GeneratorArgs) error {
+	locEnvSrc, err := lc.localizeFile(generator.EnvSource)
+	if err != nil {
+		return errors.WrapPrefixf(err, "unable to localize generator env file")
+	}
+	locEnvs := make([]string, len(generator.EnvSources))
+	for i, env := range generator.EnvSources {
+		locEnvs[i], err = lc.localizeFile(env)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize generator envs file")
+		}
+	}
+	locFiles := make([]string, len(generator.FileSources))
+	for i, file := range generator.FileSources {
+		locFiles[i], err = lc.localizeFileSource(file)
+		if err != nil {
+			return err
+		}
+	}
+	generator.EnvSource = locEnvSrc
+	generator.EnvSources = locEnvs
+	generator.FileSources = locFiles
+	return nil
+}
+
+// localizeFileSource returns the localized file source found in configMap and
+// secretGenerators.
+func (lc *localizer) localizeFileSource(source string) (string, error) {
+	key, file, err := generators.ParseFileSource(source)
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	locFile, err := lc.localizeFile(file)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "invalid file source %q", source)
+	}
+	var locSource string
+	if source == file {
+		locSource = locFile
+	} else {
+		locSource = key + "=" + locFile
+	}
+	return locSource, nil
+}
+
+// localizeHelmInflationGenerator localizes helmChartInflationGenerator on kust.
+// localizeHelmInflationGenerator localizes values files and copies local chart homes.
+func (lc *localizer) localizeHelmInflationGenerator(kust *types.Kustomization) error {
+	for i, chart := range kust.HelmChartInflationGenerator {
+		locFile, err := lc.localizeFile(chart.Values)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize helmChartInflationGenerator entry %d values", i)
+		}
+		kust.HelmChartInflationGenerator[i].Values = locFile
+
+		locDir, err := lc.copyChartHomeEntry(chart.ChartHome)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to copy helmChartInflationGenerator entry %d", i)
+		}
+		kust.HelmChartInflationGenerator[i].ChartHome = locDir
+	}
+	return nil
+}
+
+// localizeHelmCharts localizes helmCharts and helmGlobals on kust.
+// localizeHelmCharts localizes values files and copies a local chart home.
+func (lc *localizer) localizeHelmCharts(kust *types.Kustomization) error {
+	for i, chart := range kust.HelmCharts {
+		locFile, err := lc.localizeFile(chart.ValuesFile)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to localize helmCharts entry %d valuesFile", i)
+		}
+		kust.HelmCharts[i].ValuesFile = locFile
+
+		for j, valuesFile := range chart.AdditionalValuesFiles {
+			locFile, err = lc.localizeFile(valuesFile)
+			if err != nil {
+				return errors.WrapPrefixf(err, "unable to localize helmCharts entry %d additionalValuesFiles", i)
+			}
+			kust.HelmCharts[i].AdditionalValuesFiles[j] = locFile
+		}
+	}
+	if kust.HelmGlobals != nil {
+		locDir, err := lc.copyChartHomeEntry(kust.HelmGlobals.ChartHome)
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to copy helmGlobals")
+		}
+		kust.HelmGlobals.ChartHome = locDir
+	} else if len(kust.HelmCharts) > 0 {
+		_, err := lc.copyChartHomeEntry("")
+		if err != nil {
+			return errors.WrapPrefixf(err, "unable to copy default chart home")
+		}
+	}
+	return nil
+}
+
+// localizePatches localizes the file paths on patches if they are non-empty
+func (lc *localizer) localizePatches(patches []types.Patch) error {
+	for i := range patches {
+		locPath, err := lc.localizeFile(patches[i].Path)
+		if err != nil {
+			return err
+		}
+		patches[i].Path = locPath
+	}
+	return nil
+}
+
+// localizeResource localizes resource path, a file or root, and returns the
+// localized path
+func (lc *localizer) localizeResource(path string) (string, error) {
+	var locPath string
+
+	content, fileErr := lc.ldr.Load(path)
+	// The following check catches the case where path is a repo root.
+	// Load on a repo will successfully return its README in HTML.
+	// Because HTML does not follow resource formatting, we then correctly try
+	// to localize path as a root.
+	if fileErr == nil {
+		_, resErr := lc.rFactory.NewResMapFromBytes(content)
+		if resErr != nil {
+			fileErr = errors.WrapPrefixf(resErr, "invalid resource at file %q", path)
+		} else {
+			locPath, fileErr = lc.localizeFileWithContent(path, content)
+		}
+	}
+	if fileErr != nil {
+		var rootErr error
+		locPath, rootErr = lc.localizeRoot(path)
+		if rootErr != nil {
+			err := PathLocalizeError{
+				Path:      path,
+				FileError: fileErr,
+				RootError: rootErr,
+			}
+			return "", err
+		}
+	}
+	return locPath, nil
+}
+
+// localizeFile localizes file path if set and returns the localized path
+func (lc *localizer) localizeFile(path string) (string, error) {
+	// Some localizable fields can be empty, for example, replacements.path.
+	// We rely on the build command to throw errors for the ones that cannot.
+	if path == "" {
+		return "", nil
+	}
+	content, err := lc.ldr.Load(path)
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	return lc.localizeFileWithContent(path, content)
+}
+
+// localizeFileWithContent writes content to the localized file path and returns the localized path.
+func (lc *localizer) localizeFileWithContent(path string, content []byte) (string, error) {
+	var locPath string
+	if loader.IsRemoteFile(path) {
+		if lc.fSys.Exists(lc.root.Join(LocalizeDir)) {
+			return "", errors.Errorf("%s already contains %s needed to store file %q", lc.root, LocalizeDir, path)
+		}
+		locPath = locFilePath(path)
+	} else {
+		// ldr has checked that path must be relative; this is subject to change in beta.
+
+		// We must clean path to:
+		// 1. avoid symlinks. A `kustomize build` run will fail if we write files to
+		//    symlink paths outside the current root, given that we don't want to recreate
+		//    the symlinks. Even worse, we could be writing files outside the localize destination.
+		// 2. avoid paths that temporarily traverse outside the current root,
+		//    i.e. ../../../scope/target/current-root. The localized file will be surrounded by
+		//    different directories than its source, and so an uncleaned path may no longer be valid.
+		locPath = cleanFilePath(lc.fSys, lc.root, path)
+	}
+	absPath := filepath.Join(lc.dst, locPath)
+	if err := lc.fSys.MkdirAll(filepath.Dir(absPath)); err != nil {
+		return "", errors.WrapPrefixf(err, "unable to create directories to localize file %q", path)
+	}
+	if err := lc.fSys.WriteFile(absPath, content); err != nil {
+		return "", errors.WrapPrefixf(err, "unable to localize file %q", path)
+	}
+	return locPath, nil
+}
+
+// localizeRoot localizes root path if set and returns the localized path
+func (lc *localizer) localizeRoot(path string) (string, error) {
+	if path == "" {
+		return "", nil
+	}
+	ldr, err := lc.ldr.New(path)
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	defer func() { _ = ldr.Cleanup() }()
+
+	root, err := filesys.ConfirmDir(lc.fSys, ldr.Root())
+	if err != nil {
+		log.Panicf("unable to establish validated root reference %q: %s", path, err)
+	}
+	var locPath string
+	if repo := ldr.Repo(); repo != "" {
+		if lc.fSys.Exists(lc.root.Join(LocalizeDir)) {
+			return "", errors.Errorf("%s already contains %s needed to store root %q", lc.root, LocalizeDir, path)
+		}
+		locPath, err = locRootPath(path, repo, root, lc.fSys)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		locPath, err = filepath.Rel(lc.root.String(), root.String())
+		if err != nil {
+			log.Panicf("cannot find relative path between scoped localize roots %q and %q: %s", lc.root, root, err)
+		}
+	}
+	newDst := filepath.Join(lc.dst, locPath)
+	if err = lc.fSys.MkdirAll(newDst); err != nil {
+		return "", errors.WrapPrefixf(err, "unable to create root %q in localize destination", path)
+	}
+	err = (&localizer{
+		fSys:     lc.fSys,
+		ldr:      ldr,
+		root:     root,
+		rFactory: lc.rFactory,
+		dst:      newDst,
+	}).localize()
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "unable to localize root %q", path)
+	}
+	return locPath, nil
+}
+
+// copyChartHomeEntry copies the helm chart home entry to lc dst
+// at the same location relative to the root and returns said relative path.
+// If entry is empty, copyChartHomeEntry returns the empty string.
+// If entry does not exist, copyChartHome returns entry.
+//
+// copyChartHomeEntry copies the default home to the same location at dst,
+// without following symlinks. An empty entry also indicates the default home.
+func (lc *localizer) copyChartHomeEntry(entry string) (string, error) {
+	path := entry
+	if entry == "" {
+		path = types.HelmDefaultHome
+	}
+	if filepath.IsAbs(path) {
+		return "", errors.Errorf("absolute path %q not handled in alpha", path)
+	}
+	isDefault := lc.root.Join(path) == lc.root.Join(types.HelmDefaultHome)
+	locPath, err := lc.copyChartHome(path, !isDefault)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "unable to copy home %q", entry)
+	}
+	if entry == "" {
+		return "", nil
+	}
+	return locPath, nil
+}
+
+// copyChartHome copies path relative to lc root to dst and returns the
+// copied location relative to dst. If clean is true, copyChartHome uses path's
+// delinked location as the copy destination.
+//
+// If path does not exist, copyChartHome returns path.
+func (lc *localizer) copyChartHome(path string, clean bool) (string, error) {
+	path, err := filepath.Rel(lc.root.String(), lc.root.Join(path))
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "no path to chart home %q", path)
+	}
+	// Chart home may serve as untar destination.
+	// Note that we don't check if path is in scope.
+	if !lc.fSys.Exists(lc.root.Join(path)) {
+		return path, nil
+	}
+	// Perform localize directory checks.
+	ldr, err := lc.ldr.New(path)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "invalid chart home")
+	}
+	cleaned, err := filesys.ConfirmDir(lc.fSys, ldr.Root())
+	if err != nil {
+		log.Panicf("unable to confirm validated directory %q: %s", ldr.Root(), err)
+	}
+	toDst := path
+	if clean {
+		toDst, err = filepath.Rel(lc.root.String(), cleaned.String())
+		if err != nil {
+			log.Panicf("no path between scoped directories %q and %q: %s", lc.root, cleaned, err)
+		}
+	}
+	// Note this check does not guarantee that we copied the entire directory.
+	if dst := filepath.Join(lc.dst, toDst); !lc.fSys.Exists(dst) {
+		err = lc.copyDir(cleaned, filepath.Join(lc.dst, toDst))
+		if err != nil {
+			return "", errors.WrapPrefixf(err, "unable to copy chart home %q", path)
+		}
+	}
+	return toDst, nil
+}
+
+// copyDir copies src to dst. copyDir does not follow symlinks.
+func (lc *localizer) copyDir(src filesys.ConfirmedDir, dst string) error {
+	err := lc.fSys.Walk(src.String(),
+		func(path string, info fs.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+			pathToCreate, err := filepath.Rel(src.String(), path)
+			if err != nil {
+				log.Panicf("no path from %q to child file %q: %s", src, path, err)
+			}
+			pathInDst := filepath.Join(dst, pathToCreate)
+			if info.Mode()&os.ModeSymlink == os.ModeSymlink {
+				return nil
+			}
+			if info.IsDir() {
+				err = lc.fSys.MkdirAll(pathInDst)
+			} else {
+				var content []byte
+				content, err = lc.fSys.ReadFile(path)
+				if err != nil {
+					return errors.Wrap(err)
+				}
+				err = lc.fSys.WriteFile(pathInDst, content)
+			}
+			return errors.Wrap(err)
+		})
+	if err != nil {
+		return errors.WrapPrefixf(err, "unable to copy directory %q", src)
+	}
+	return nil
+}
+
+// localizeBuiltinPlugins localizes built-in plugins on kust that can contain file paths. The built-in plugins
+// can be inline or in a file. This excludes the HelmChartInflationGenerator.
+//
+// Note that the localization in this function has not been implemented yet.
+func (lc *localizer) localizeBuiltinPlugins(kust *types.Kustomization) error {
+	for fieldName, entries := range map[string][]string{
+		"generators":   kust.Generators,
+		"transformers": kust.Transformers,
+		"validators":   kust.Validators,
+	} {
+		for i, entry := range entries {
+			rm, isPath, err := lc.loadK8sResource(entry)
+			if err != nil {
+				return errors.WrapPrefixf(err, "unable to load %s entry", fieldName)
+			}
+			err = rm.ApplyFilter(&localizeBuiltinPlugins{lc: lc})
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			localizedPlugin, err := rm.AsYaml()
+			if err != nil {
+				return errors.WrapPrefixf(err, "unable to serialize localized %s entry %q", fieldName, entry)
+			}
+			var localizedEntry string
+			if isPath {
+				localizedEntry, err = lc.localizeFileWithContent(entry, localizedPlugin)
+				if err != nil {
+					return errors.WrapPrefixf(err, "unable to localize %s entry", fieldName)
+				}
+			} else {
+				localizedEntry = string(localizedPlugin)
+			}
+			entries[i] = localizedEntry
+		}
+	}
+	return nil
+}
+
+// localizeK8sResource returns the localized resourceEntry if it is a file
+// containing a kubernetes resource.
+// localizeK8sResource returns resourceEntry if it is an inline resource.
+func (lc *localizer) localizeK8sResource(resourceEntry string) (string, error) {
+	_, isFile, err := lc.loadK8sResource(resourceEntry)
+	if err != nil {
+		return "", err
+	}
+	if isFile {
+		return lc.localizeFile(resourceEntry)
+	}
+	return resourceEntry, nil
+}
+
+// loadK8sResource tries to load resourceEntry as a file path or inline
+// kubernetes resource.
+// On success, loadK8sResource returns the loaded resource map and whether
+// resourceEntry is a file path.
+func (lc *localizer) loadK8sResource(resourceEntry string) (resmap.ResMap, bool, error) {
+	rm, inlineErr := lc.rFactory.NewResMapFromBytes([]byte(resourceEntry))
+	if inlineErr != nil {
+		var fileErr error
+		rm, fileErr = lc.rFactory.FromFile(lc.ldr, resourceEntry)
+		if fileErr != nil {
+			err := ResourceLoadError{
+				InlineError: inlineErr,
+				FileError:   fileErr,
+			}
+			return nil, false, errors.WrapPrefixf(err, "unable to load resource entry %q", resourceEntry)
+		}
+	}
+	return rm, inlineErr != nil, nil
+}

api/internal/localizer/locloader.go

@@ -0,0 +1,135 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/api/internal/loader"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+// Args holds localize arguments
+type Args struct {
+	// target; local copy if remote
+	Target filesys.ConfirmedDir
+
+	// directory that bounds target's local references
+	// repo directory of local copy if target is remote
+	Scope filesys.ConfirmedDir
+
+	// localize destination
+	NewDir filesys.ConfirmedDir
+}
+
+// Loader is an ifc.Loader that enforces additional constraints specific to kustomize localize.
+type Loader struct {
+	fSys filesys.FileSystem
+
+	args *Args
+
+	// loader at Loader's current directory
+	ifc.Loader
+
+	// whether Loader and all its ancestors are the result of local references
+	local bool
+}
+
+var _ ifc.Loader = &Loader{}
+
+// NewLoader is the factory method for Loader, under localize constraints, at rawTarget. For invalid localize arguments,
+// NewLoader returns an error.
+func NewLoader(rawTarget string, rawScope string, rawNewDir string, fSys filesys.FileSystem) (*Loader, Args, error) {
+	// check earlier to avoid cleanup
+	repoSpec, err := git.NewRepoSpecFromURL(rawTarget)
+	if err == nil && repoSpec.Ref == "" {
+		return nil, Args{}, errors.Errorf("localize remote root %q missing ref query string parameter", rawTarget)
+	}
+
+	// for security, should enforce load restrictions
+	ldr, err := loader.NewLoader(loader.RestrictionRootOnly, rawTarget, fSys)
+	if err != nil {
+		return nil, Args{}, errors.WrapPrefixf(err, "unable to establish localize target %q", rawTarget)
+	}
+
+	scope, err := establishScope(rawScope, rawTarget, ldr, fSys)
+	if err != nil {
+		_ = ldr.Cleanup()
+		return nil, Args{}, errors.WrapPrefixf(err, "invalid localize scope %q", rawScope)
+	}
+
+	newDir, err := createNewDir(rawNewDir, ldr, repoSpec, fSys)
+	if err != nil {
+		_ = ldr.Cleanup()
+		return nil, Args{}, errors.WrapPrefixf(err, "invalid localize destination %q", rawNewDir)
+	}
+
+	args := Args{
+		Target: filesys.ConfirmedDir(ldr.Root()),
+		Scope:  scope,
+		NewDir: newDir,
+	}
+	return &Loader{
+		fSys:   fSys,
+		args:   &args,
+		Loader: ldr,
+		local:  scope != "",
+	}, args, nil
+}
+
+// Load returns the contents of path if path is a valid localize file.
+// Otherwise, Load returns an error.
+func (ll *Loader) Load(path string) ([]byte, error) {
+	// checks in root, and thus in scope
+	content, err := ll.Loader.Load(path)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "invalid file reference")
+	}
+	if filepath.IsAbs(path) {
+		return nil, errors.Errorf("absolute paths not yet supported in alpha: file path %q is absolute", path)
+	}
+	if !loader.IsRemoteFile(path) && ll.local {
+		cleanPath := cleanFilePath(ll.fSys, filesys.ConfirmedDir(ll.Root()), path)
+		cleanAbs := filepath.Join(ll.Root(), cleanPath)
+		dir := filesys.ConfirmedDir(filepath.Dir(cleanAbs))
+		// target cannot reference newDir, as this load would've failed prior to localize;
+		// not a problem if remote because then reference could only be in newDir if repo copy,
+		// which will be cleaned, is inside newDir
+		if dir.HasPrefix(ll.args.NewDir) {
+			return nil, errors.Errorf("file %q at %q enters localize destination %q", path, cleanAbs, ll.args.NewDir)
+		}
+	}
+	return content, nil
+}
+
+// New returns a Loader at path if path is a valid localize root.
+// Otherwise, New returns an error.
+func (ll *Loader) New(path string) (ifc.Loader, error) {
+	ldr, err := ll.Loader.New(path)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "invalid root reference")
+	}
+
+	if repo := ldr.Repo(); repo == "" {
+		if ll.local && !filesys.ConfirmedDir(ldr.Root()).HasPrefix(ll.args.Scope) {
+			return nil, errors.Errorf("root %q outside localize scope %q", ldr.Root(), ll.args.Scope)
+		}
+		if ll.local && filesys.ConfirmedDir(ldr.Root()).HasPrefix(ll.args.NewDir) {
+			return nil, errors.Errorf(
+				"root %q references into localize destination %q", ldr.Root(), ll.args.NewDir)
+		}
+	} else if !hasRef(path) {
+		return nil, errors.Errorf("localize remote root %q missing ref query string parameter", path)
+	}
+
+	return &Loader{
+		fSys:   ll.fSys,
+		args:   ll.args,
+		Loader: ldr,
+		local:  ll.local && ldr.Repo() == "",
+	}, nil
+}

api/internal/localizer/locloader_test.go

@@ -0,0 +1,300 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer_test
+
+import (
+	"bytes"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"sigs.k8s.io/kustomize/api/ifc"
+	. "sigs.k8s.io/kustomize/api/internal/localizer"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+func checkNewLoader(req *require.Assertions, ldr *Loader, args *Args, target string, scope string, newDir string, fSys filesys.FileSystem) {
+	checkLoader(req, ldr, target)
+	checkArgs(req, args, target, scope, newDir, fSys)
+}
+
+func checkLoader(req *require.Assertions, ldr ifc.Loader, root string) {
+	req.Equal(root, ldr.Root())
+	req.Empty(ldr.Repo())
+}
+
+func checkArgs(req *require.Assertions, args *Args, target string, scope string, newDir string, fSys filesys.FileSystem) {
+	req.Equal(target, args.Target.String())
+	req.Equal(scope, args.Scope.String())
+	req.Equal(newDir, args.NewDir.String())
+	req.True(fSys.Exists(newDir))
+}
+
+func TestLocalLoadNewAndCleanup(t *testing.T) {
+	req := require.New(t)
+	fSys := makeMemoryFs(t)
+
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	defer func() {
+		log.SetOutput(os.Stderr)
+	}()
+	// typical setup
+	ldr, args, err := NewLoader("a", "/", "/newDir", fSys)
+	req.NoError(err)
+	checkNewLoader(req, ldr, &args, "/a", "/", "/newDir", fSys)
+
+	fSysCopy := makeMemoryFs(t)
+	req.NoError(fSysCopy.Mkdir("/newDir"))
+	req.Equal(fSysCopy, fSys)
+
+	// easy load directly in root
+	content, err := ldr.Load("pod.yaml")
+	req.NoError(err)
+	req.Equal([]byte(podConfiguration), content)
+
+	// typical sibling root reference
+	sibLdr, err := ldr.New("../alpha")
+	req.NoError(err)
+	checkLoader(req, sibLdr, "/alpha")
+
+	// only need to test once, since don't need to call Cleanup() on local target
+	req.NoError(sibLdr.Cleanup())
+	req.NoError(ldr.Cleanup())
+
+	// file system and buffer checks are also one-time
+	req.Equal(fSysCopy, fSys)
+	req.Empty(buf.String())
+}
+
+func TestNewLocLoaderDefaultForRootTarget(t *testing.T) {
+	cases := map[string]struct {
+		target string
+		scope  string
+	}{
+		"explicit": {
+			"/",
+			".",
+		},
+		"implicit": {
+			".",
+			"",
+		},
+	}
+	for name, params := range cases {
+		params := params
+		t.Run(name, func(t *testing.T) {
+			req := require.New(t)
+			fSys := makeMemoryFs(t)
+
+			ldr, args, err := NewLoader(params.target, params.scope, "", fSys)
+			req.NoError(err)
+			checkNewLoader(req, ldr, &args, "/", "/", "/"+DstPrefix, fSys)
+
+			// file in root, but nested
+			content, err := ldr.Load("a/pod.yaml")
+			req.NoError(err)
+			req.Equal([]byte(podConfiguration), content)
+
+			childLdr, err := ldr.New("a")
+			req.NoError(err)
+			checkLoader(req, childLdr, "/a")
+
+			// messy, uncleaned path
+			content, err = childLdr.Load("./../a/pod.yaml")
+			req.NoError(err)
+			req.Equal([]byte(podConfiguration), content)
+		})
+	}
+}
+
+func TestNewMultiple(t *testing.T) {
+	req := require.New(t)
+	fSys := makeMemoryFs(t)
+
+	// default destination for non-file system root target
+	// destination outside of scope
+	ldr, args, err := NewLoader("/alpha/beta", "/alpha", "", fSys)
+	req.NoError(err)
+	checkNewLoader(req, ldr, &args, "/alpha/beta", "/alpha", "/"+DstPrefix+"-beta", fSys)
+
+	// nested child root that isn't cleaned
+	descLdr, err := ldr.New("../beta/gamma/delta")
+	req.NoError(err)
+	checkLoader(req, descLdr, "/alpha/beta/gamma/delta")
+
+	// upwards traversal
+	higherLdr, err := descLdr.New("../../say")
+	req.NoError(err)
+	checkLoader(req, higherLdr, "/alpha/beta/say")
+}
+
+func makeWdFs(t *testing.T) map[string]filesys.FileSystem {
+	t.Helper()
+	req := require.New(t)
+
+	root := filesys.MakeEmptyDirInMemory()
+	req.NoError(root.MkdirAll("a/b/c/d/e"))
+
+	outer, err := root.Find("a")
+	req.NoError(err)
+	middle, err := root.Find("a/b/c")
+	req.NoError(err)
+
+	return map[string]filesys.FileSystem{
+		"a":     outer,
+		"a/b/c": middle,
+	}
+}
+
+func TestNewLocLoaderCwdNotRoot(t *testing.T) {
+	cases := map[string]struct {
+		wd     string
+		target string
+		scope  string
+		newDir string
+	}{
+		// target not immediate child of scope
+		"outer dir": {
+			"a",
+			"b/c/d/e",
+			"b/c",
+			"b/newDir",
+		},
+		"scope": {
+			"a/b/c",
+			"d/e",
+			".",
+			"d/e/newDir",
+		},
+	}
+
+	for name, test := range cases {
+		test := test
+		t.Run(name, func(t *testing.T) {
+			req := require.New(t)
+			fSys := makeWdFs(t)[test.wd]
+
+			ldr, args, err := NewLoader(test.target, test.scope, test.newDir, fSys)
+			req.NoError(err)
+			checkLoader(req, ldr, "a/b/c/d/e")
+
+			req.Equal("a/b/c/d/e", args.Target.String())
+			req.Equal("a/b/c", args.Scope.String())
+			req.Equal(test.wd+"/"+test.newDir, args.NewDir.String())
+			// memory file system can only find paths rooted at current node
+			req.True(fSys.Exists(test.newDir))
+		})
+	}
+}
+
+func TestNewLocLoaderFails(t *testing.T) {
+	cases := map[string]struct {
+		target string
+		scope  string
+		dest   string
+	}{
+		"non-existent target": {
+			"/b",
+			"/",
+			"/newDir",
+		},
+		"file target": {
+			"/a/pod.yaml",
+			"/",
+			"/newDir",
+		},
+		"inner scope": {
+			"/alpha",
+			"/alpha/beta",
+			"/newDir",
+		},
+		"side scope": {
+			"/alpha",
+			"/a",
+			"/newDir",
+		},
+		"existing dst": {
+			"/alpha",
+			"/",
+			"/a",
+		},
+	}
+	for name, params := range cases {
+		params := params
+		t.Run(name, func(t *testing.T) {
+			var buf bytes.Buffer
+			log.SetOutput(&buf)
+			defer func() {
+				log.SetOutput(os.Stderr)
+			}()
+
+			_, _, err := NewLoader(params.target, params.scope, params.dest, makeMemoryFs(t))
+			require.Error(t, err)
+			require.Empty(t, buf.String())
+		})
+	}
+}
+
+func TestNewFails(t *testing.T) {
+	req := require.New(t)
+	fSys := makeMemoryFs(t)
+
+	ldr, args, err := NewLoader("/alpha/beta/gamma", "alpha", "alpha/beta/gamma/newDir", fSys)
+	req.NoError(err)
+	checkNewLoader(req, ldr, &args, "/alpha/beta/gamma", "/alpha", "/alpha/beta/gamma/newDir", fSys)
+
+	cases := map[string]string{
+		"outside scope":     "../../../a",
+		"at dst":            "newDir",
+		"ancestor":          "../../beta",
+		"non-existent root": "delt",
+		"file":              "delta/deployment.yaml",
+	}
+	for name, root := range cases {
+		root := root
+		t.Run(name, func(t *testing.T) {
+			fSys := makeMemoryFs(t)
+
+			ldr, _, err := NewLoader("/alpha/beta/gamma", "alpha", "alpha/beta/gamma/newDir", fSys)
+			require.NoError(t, err)
+
+			_, err = ldr.New(root)
+			require.Error(t, err)
+		})
+	}
+}
+
+func TestLoadFails(t *testing.T) {
+	req := require.New(t)
+	fSys := makeMemoryFs(t)
+
+	ldr, args, err := NewLoader("./a/../a", "/a/../a", "/a/newDir", fSys)
+	req.NoError(err)
+	checkNewLoader(req, ldr, &args, "/a", "/a", "/a/newDir", fSys)
+
+	cases := map[string]string{
+		"absolute path":     "/a/pod.yaml",
+		"directory":         "b",
+		"non-existent file": "kubectl.yaml",
+		"file outside root": "../alpha/beta/gamma/delta/deployment.yaml",
+		"inside dst":        "newDir/pod.yaml",
+	}
+	for name, file := range cases {
+		file := file
+		t.Run(name, func(t *testing.T) {
+			req := require.New(t)
+			fSys := makeMemoryFs(t)
+
+			ldr, _, err := NewLoader("./a/../a", "/a/../a", "/a/newDir", fSys)
+			req.NoError(err)
+
+			req.NoError(fSys.WriteFile("/a/newDir/pod.yaml", []byte(podConfiguration)))
+
+			_, err = ldr.Load(file)
+			req.Error(err)
+		})
+	}
+}

api/internal/localizer/util.go

@@ -0,0 +1,218 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer
+
+import (
+	"log"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+const (
+	// DstPrefix prefixes the target and ref, if target is remote, in the default localize destination directory name
+	DstPrefix = "localized"
+
+	// LocalizeDir is the name of the localize directories used to store remote content in the localize destination
+	LocalizeDir = "localized-files"
+
+	// FileSchemeDir is the name of the directory immediately inside LocalizeDir used to store file-schemed repos
+	FileSchemeDir = "file-schemed"
+)
+
+// establishScope returns the effective scope given localize arguments and targetLdr at rawTarget. For remote rawTarget,
+// the effective scope is the downloaded repo.
+func establishScope(rawScope string, rawTarget string, targetLdr ifc.Loader, fSys filesys.FileSystem) (filesys.ConfirmedDir, error) {
+	if repo := targetLdr.Repo(); repo != "" {
+		if rawScope != "" {
+			return "", errors.Errorf("scope %q specified for remote localize target %q", rawScope, rawTarget)
+		}
+		return filesys.ConfirmedDir(repo), nil
+	}
+	// default scope
+	if rawScope == "" {
+		return filesys.ConfirmedDir(targetLdr.Root()), nil
+	}
+	scope, err := filesys.ConfirmDir(fSys, rawScope)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "unable to establish localize scope")
+	}
+	if !filesys.ConfirmedDir(targetLdr.Root()).HasPrefix(scope) {
+		return scope, errors.Errorf("localize scope %q does not contain target %q at %q", rawScope, rawTarget,
+			targetLdr.Root())
+	}
+	return scope, nil
+}
+
+// createNewDir returns the localize destination directory or error. Note that spec is nil if targetLdr is at local
+// target.
+func createNewDir(rawNewDir string, targetLdr ifc.Loader, spec *git.RepoSpec, fSys filesys.FileSystem) (filesys.ConfirmedDir, error) {
+	if rawNewDir == "" {
+		rawNewDir = defaultNewDir(targetLdr, spec)
+	}
+	if fSys.Exists(rawNewDir) {
+		return "", errors.Errorf("localize destination %q already exists", rawNewDir)
+	}
+	// destination directory must sit in an existing directory
+	if err := fSys.Mkdir(rawNewDir); err != nil {
+		return "", errors.WrapPrefixf(err, "unable to create localize destination directory")
+	}
+	newDir, err := filesys.ConfirmDir(fSys, rawNewDir)
+	if err != nil {
+		if errCleanup := fSys.RemoveAll(newDir.String()); errCleanup != nil {
+			log.Printf("%s", errors.WrapPrefixf(errCleanup, "unable to clean localize destination"))
+		}
+		return "", errors.WrapPrefixf(err, "unable to establish localize destination")
+	}
+
+	return newDir, nil
+}
+
+// defaultNewDir calculates the default localize destination directory name from targetLdr at the localize target
+// and spec of target, which is nil if target is local
+func defaultNewDir(targetLdr ifc.Loader, spec *git.RepoSpec) string {
+	targetDir := filepath.Base(targetLdr.Root())
+	if repo := targetLdr.Repo(); repo != "" {
+		// kustomize doesn't download repo into repo-named folder
+		// must find repo folder name from url
+		if repo == targetLdr.Root() {
+			targetDir = urlBase(spec.RepoPath)
+		}
+		return strings.Join([]string{DstPrefix, targetDir, strings.ReplaceAll(spec.Ref, "/", "-")}, "-")
+	}
+	// special case for local target directory since destination directory cannot have "/" in name
+	if targetDir == string(filepath.Separator) {
+		return DstPrefix
+	}
+	return strings.Join([]string{DstPrefix, targetDir}, "-")
+}
+
+// urlBase is the url equivalent of filepath.Base
+func urlBase(url string) string {
+	cleaned := strings.TrimRight(url, "/")
+	i := strings.LastIndex(cleaned, "/")
+	if i < 0 {
+		return cleaned
+	}
+	return cleaned[i+1:]
+}
+
+// hasRef checks if repoURL has ref query string parameter
+func hasRef(repoURL string) bool {
+	repoSpec, err := git.NewRepoSpecFromURL(repoURL)
+	if err != nil {
+		log.Fatalf("unable to parse validated root url: %s", err)
+	}
+	return repoSpec.Ref != ""
+}
+
+// cleanFilePath returns file cleaned, where file is a relative path to root on fSys
+func cleanFilePath(fSys filesys.FileSystem, root filesys.ConfirmedDir, file string) string {
+	abs := root.Join(file)
+	dir, f, err := fSys.CleanedAbs(abs)
+	if err != nil {
+		log.Fatalf("cannot clean validated file path %q: %s", abs, err)
+	}
+	locPath, err := filepath.Rel(root.String(), dir.Join(f))
+	if err != nil {
+		log.Fatalf("cannot find path from parent %q to file %q: %s", root, dir.Join(f), err)
+	}
+	return locPath
+}
+
+// locFilePath converts a URL to its localized form, e.g.
+// https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/api/krusty/testdata/localize/simple/service.yaml ->
+// localized-files/raw.githubusercontent.com/kubernetes-sigs/kustomize/master/api/krusty/testdata/localize/simple/service.yaml.
+//
+// fileURL must be a validated file URL.
+func locFilePath(fileURL string) string {
+	// File urls must have http or https scheme, so it is safe to use url.Parse.
+	u, err := url.Parse(fileURL)
+	if err != nil {
+		log.Panicf("cannot parse validated file url %q: %s", fileURL, err)
+	}
+
+	// HTTP requests use the escaped path, so we use it here. Escaped paths also help us
+	// preserve percent-encoding in the original path, in the absence of illegal characters,
+	// in case they have special meaning to the host.
+	// Extraneous '..' parent directory dot-segments should be removed.
+	path := filepath.Join(string(filepath.Separator), filepath.FromSlash(u.EscapedPath()))
+
+	// We intentionally exclude userinfo and port.
+	// Raw github urls are the only type of file urls kustomize officially accepts.
+	// In this case, the path already consists of org, repo, version, and path in repo, in order,
+	// so we can use it as is.
+	return filepath.Join(LocalizeDir, u.Hostname(), path)
+}
+
+// locRootPath returns the relative localized path of the validated root url rootURL, where the local copy of its repo
+// is at repoDir and the copy of its root is at root on fSys.
+func locRootPath(rootURL, repoDir string, root filesys.ConfirmedDir, fSys filesys.FileSystem) (string, error) {
+	repoSpec, err := git.NewRepoSpecFromURL(rootURL)
+	if err != nil {
+		log.Panicf("cannot parse validated repo url %q: %s", rootURL, err)
+	}
+	host, err := parseHost(repoSpec)
+	if err != nil {
+		return "", errors.WrapPrefixf(err, "unable to parse host of remote root %q", rootURL)
+	}
+	repo, err := filesys.ConfirmDir(fSys, repoDir)
+	if err != nil {
+		log.Panicf("unable to establish validated repo download location %q: %s", repoDir, err)
+	}
+	// calculate from copy instead of url to straighten symlinks
+	inRepo, err := filepath.Rel(repo.String(), root.String())
+	if err != nil {
+		log.Panicf("cannot find path from %q to child directory %q: %s", repo, root, err)
+	}
+	// the git-server-side directory name conventionally (but not universally) ends in .git, which
+	// is conventionally stripped from the client-side directory name used for the clone.
+	localRepoPath := strings.TrimSuffix(repoSpec.RepoPath, ".git")
+
+	// We do not need to escape RepoPath, a path on the git server.
+	// However, like git, we clean dot-segments from RepoPath.
+	// Git does not allow ref value to contain dot-segments.
+	return filepath.Join(LocalizeDir,
+		host,
+		filepath.Join(string(filepath.Separator), filepath.FromSlash(localRepoPath)),
+		filepath.FromSlash(repoSpec.Ref),
+		inRepo), nil
+}
+
+// parseHost returns the localize directory path corresponding to repoSpec.Host
+func parseHost(repoSpec *git.RepoSpec) (string, error) {
+	var target string
+	switch scheme, _, _ := strings.Cut(repoSpec.Host, "://"); scheme {
+	case "gh:":
+		// 'gh' was meant to be a local github.com shorthand, in which case
+		// the .gitconfig file could map it to any host. See origin here:
+		// https://github.com/kubernetes-sigs/kustomize/blob/kustomize/v4.5.7/api/internal/git/repospec.go#L203
+		// We give it a special host directory here under the assumption
+		// that we are unlikely to have another host simply named 'gh'.
+		return "gh", nil
+	case "file":
+		// We put file-scheme repos under a special directory to avoid
+		// colluding local absolute paths with hosts.
+		return FileSchemeDir, nil
+	case "https", "http", "ssh":
+		target = repoSpec.Host
+	default:
+		// We must have relative ssh url; in other words, the url has scp-like syntax.
+		// We attach a scheme to avoid url.Parse errors.
+		target = "ssh://" + repoSpec.Host
+	}
+	// url.Parse will not recognize ':' delimiter that both RepoSpec and git accept.
+	target = strings.TrimSuffix(target, ":")
+	u, err := url.Parse(target)
+	if err != nil {
+		return "", errors.Wrap(err)
+	}
+	// strip scheme, userinfo, port, and any trailing slashes.
+	return u.Hostname(), nil
+}

api/internal/localizer/util_test.go

@@ -0,0 +1,303 @@
+// Copyright 2022 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+package localizer //nolint:testpackage
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"sigs.k8s.io/kustomize/api/ifc"
+	"sigs.k8s.io/kustomize/api/internal/git"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
+)
+
+func TestDefaultNewDirRepo(t *testing.T) {
+	for name, test := range map[string]struct {
+		url, dst string
+	}{
+		"simple": {
+			url: "https://github.com/org/repo?ref=value",
+			dst: "localized-repo-value",
+		},
+		"slashed_ref": {
+			url: "https://github.com/org/repo?ref=group/version",
+			dst: "localized-repo-group-version",
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			repoSpec, err := git.NewRepoSpecFromURL(test.url)
+			require.NoError(t, err)
+			require.Equal(t, test.dst, defaultNewDir(&fakeLoader{t.TempDir()}, repoSpec))
+		})
+	}
+}
+
+type fakeLoader struct {
+	root string
+}
+
+func (fl *fakeLoader) Root() string {
+	return fl.root
+}
+func (fl *fakeLoader) Repo() string {
+	return fl.root
+}
+func (fl *fakeLoader) Load(_ string) ([]byte, error) {
+	return []byte{}, nil
+}
+func (fl *fakeLoader) New(path string) (ifc.Loader, error) {
+	return &fakeLoader{path}, nil
+}
+func (fl *fakeLoader) Cleanup() error {
+	return nil
+}
+
+func TestUrlBase(t *testing.T) {
+	require.Equal(t, "repo", urlBase("https://github.com/org/repo"))
+}
+
+func TestUrlBaseTrailingSlash(t *testing.T) {
+	require.Equal(t, "repo", urlBase("github.com/org/repo//"))
+}
+
+// simpleJoin is filepath.Join() without the side effects of filepath.Clean()
+func simpleJoin(t *testing.T, elems ...string) string {
+	t.Helper()
+
+	return strings.Join(elems, string(filepath.Separator))
+}
+
+func TestLocFilePath(t *testing.T) {
+	for name, tUnit := range map[string]struct {
+		url, path string
+	}{
+		"official": {
+			url:  "https://raw.githubusercontent.com/org/repo/ref/path/to/file.yaml",
+			path: simpleJoin(t, "raw.githubusercontent.com", "org", "repo", "ref", "path", "to", "file.yaml"),
+		},
+		"http-scheme": {
+			url:  "http://host/path",
+			path: simpleJoin(t, "host", "path"),
+		},
+		"extraneous_components": {
+			url:  "http://userinfo@host:1234/path/file?query",
+			path: simpleJoin(t, "host", "path", "file"),
+		},
+		"empty_path": {
+			url:  "https://host",
+			path: "host",
+		},
+		"empty_path_segment": {
+			url:  "https://host//",
+			path: "host",
+		},
+		"percent-encoded_path": {
+			url:  "https://host/file%2Eyaml",
+			path: simpleJoin(t, "host", "file%2Eyaml"),
+		},
+		"dot-segments": {
+			url:  "https://host/path/blah/../to/foo/bar/../../file/./",
+			path: simpleJoin(t, "host", "path", "to", "file"),
+		},
+		"extraneous_dot-segments": {
+			url:  "https://host/foo/bar/baz/../../../../file",
+			path: simpleJoin(t, "host", "file"),
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			require.Equal(t, simpleJoin(t, LocalizeDir, tUnit.path), locFilePath(tUnit.url))
+		})
+	}
+}
+
+func TestLocFilePathColon(t *testing.T) {
+	req := require.New(t)
+
+	// The colon is special because it was once used as the unix file separator.
+	const url = "https://[2001:4860:4860::8888]/file.yaml"
+	const host = "2001:4860:4860::8888"
+	const file = "file.yaml"
+	req.Equal(simpleJoin(t, LocalizeDir, host, file), locFilePath(url))
+
+	fSys := filesys.MakeFsOnDisk()
+	targetDir := simpleJoin(t, t.TempDir(), host)
+
+	// We check that we can create single directory, meaning ':' not used as file separator.
+	req.NoError(fSys.Mkdir(targetDir))
+	_, err := fSys.Create(simpleJoin(t, targetDir, file))
+	req.NoError(err)
+
+	// We check that the directory with such name is readable.
+	files, err := fSys.ReadDir(targetDir)
+	req.NoError(err)
+	req.Equal([]string{file}, files)
+}
+
+func TestLocFilePath_SpecialChar(t *testing.T) {
+	req := require.New(t)
+
+	// The wild card character is one of the legal uri characters with more meaning
+	// to the system, so we test it here.
+	const wildcard = "*"
+	req.Equal(simpleJoin(t, LocalizeDir, "host", wildcard), locFilePath("https://host/*"))
+
+	fSys := filesys.MakeFsOnDisk()
+	testDir := t.TempDir()
+	req.NoError(fSys.Mkdir(simpleJoin(t, testDir, "a")))
+	req.NoError(fSys.WriteFile(simpleJoin(t, testDir, "b"), []byte{}))
+
+	// We check that we can create and read from wild card-named file.
+	// We check that the file system is not matching it to existing file names.
+	req.NoError(fSys.WriteFile(simpleJoin(t, testDir, wildcard), []byte("test")))
+	content, err := fSys.ReadFile(simpleJoin(t, testDir, wildcard))
+	req.NoError(err)
+	req.Equal("test", string(content))
+}
+
+func TestLocFilePath_SpecialFiles(t *testing.T) {
+	for name, tFSys := range map[string]struct {
+		urlPath           string
+		pathDir, pathFile string
+	}{
+		"windows_reserved_name": {
+			urlPath:  "/aux/file",
+			pathDir:  "aux",
+			pathFile: "file",
+		},
+		"hidden_files": {
+			urlPath:  "/.../.file",
+			pathDir:  "...",
+			pathFile: ".file",
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			req := require.New(t)
+
+			expectedPath := simpleJoin(t, LocalizeDir, "host", tFSys.pathDir, tFSys.pathFile)
+			req.Equal(expectedPath, locFilePath("https://host"+tFSys.urlPath))
+
+			fSys := filesys.MakeFsOnDisk()
+			targetDir := simpleJoin(t, t.TempDir(), tFSys.pathDir)
+			req.NoError(fSys.Mkdir(targetDir))
+			req.NoError(fSys.WriteFile(simpleJoin(t, targetDir, tFSys.pathFile), []byte("test")))
+
+			content, err := fSys.ReadFile(simpleJoin(t, targetDir, tFSys.pathFile))
+			req.NoError(err)
+			req.Equal([]byte("test"), content)
+		})
+	}
+}
+
+func makeConfirmedDir(t *testing.T) (filesys.FileSystem, filesys.ConfirmedDir) {
+	t.Helper()
+
+	fSys := filesys.MakeFsOnDisk()
+	testDir, err := filesys.NewTmpConfirmedDir()
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = fSys.RemoveAll(testDir.String())
+	})
+
+	return fSys, testDir
+}
+
+func TestLocRootPath_URLComponents(t *testing.T) {
+	for name, test := range map[string]struct {
+		urlf, path string
+	}{
+		"ssh": {
+			urlf: "ssh://git@github.com/org/repo//%s?ref=value",
+			path: simpleJoin(t, "github.com", "org", "repo", "value"),
+		},
+		"rel_ssh": {
+			urlf: "git@github.com:org/repo//%s?ref=value",
+			path: simpleJoin(t, "github.com", "org", "repo", "value"),
+		},
+		"https": {
+			urlf: "https://gitlab.com/org/repo//%s?ref=value",
+			path: simpleJoin(t, "gitlab.com", "org", "repo", "value"),
+		},
+		"file": {
+			urlf: "file:///var/run/repo//%s?ref=value",
+			path: simpleJoin(t, FileSchemeDir, "var", "run", "repo", "value"),
+		},
+		"IPv6": {
+			urlf: "https://[2001:4860:4860::8888]/org/repo//%s?ref=value",
+			path: simpleJoin(t, "2001:4860:4860::8888", "org", "repo", "value"),
+		},
+		"port": {
+			urlf: "https://localhost.com:8080/org/repo//%s?ref=value",
+			path: simpleJoin(t, "localhost.com", "org", "repo", "value"),
+		},
+		"no_org": {
+			urlf: "https://github.com/repo//%s?ref=value",
+			path: simpleJoin(t, "github.com", "repo", "value"),
+		},
+		".git_suffix": {
+			urlf: "https://github.com/org1/org2/repo.git//%s?ref=value",
+			path: simpleJoin(t, "github.com", "org1", "org2", "repo", "value"),
+		},
+		"dot-segments": {
+			urlf: "https://github.com/./../org/../org/repo.git//%s?ref=value",
+			path: simpleJoin(t, "github.com", "org", "repo", "value"),
+		},
+		"no_path_delimiter": {
+			urlf: "https://github.com/org/repo/%s?ref=value",
+			path: simpleJoin(t, "github.com", "org", "repo", "value"),
+		},
+		"illegal_windows_dir": {
+			urlf: "https://gitlab.com/org./repo..git//%s?ref=value",
+			path: simpleJoin(t, "gitlab.com", "org.", "repo.", "value"),
+		},
+		"ref_has_slash": {
+			urlf: "https://gitlab.com/org/repo//%s?ref=group/version/kind",
+			path: simpleJoin(t, "gitlab.com", "org", "repo", "group", "version", "kind"),
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			u := fmt.Sprintf(test.urlf, "path/to/root")
+			path := simpleJoin(t, LocalizeDir, test.path, "path", "to", "root")
+
+			fSys, testDir := makeConfirmedDir(t)
+			repoDir := simpleJoin(t, testDir.String(), "repo_random-hash")
+			require.NoError(t, fSys.Mkdir(repoDir))
+			rootDir := simpleJoin(t, repoDir, "path", "to", "root")
+			require.NoError(t, fSys.MkdirAll(rootDir))
+
+			actual, err := locRootPath(u, repoDir, filesys.ConfirmedDir(rootDir), fSys)
+			require.NoError(t, err)
+			require.Equal(t, path, actual)
+
+			require.NoError(t, fSys.MkdirAll(simpleJoin(t, testDir.String(), path)))
+		})
+	}
+}
+
+func TestLocRootPath_Repo(t *testing.T) {
+	const url = "https://github.com/org/repo?ref=value"
+	expected := simpleJoin(t, LocalizeDir, "github.com", "org", "repo", "value")
+
+	fSys, testDir := makeConfirmedDir(t)
+	actual, err := locRootPath(url, testDir.String(), testDir, fSys)
+	require.NoError(t, err)
+	require.Equal(t, expected, actual)
+}
+
+func TestLocRootPath_SymlinkPath(t *testing.T) {
+	const url = "https://github.com/org/repo//symlink?ref=value"
+
+	fSys, repoDir := makeConfirmedDir(t)
+	rootDir := simpleJoin(t, repoDir.String(), "actual-root")
+	require.NoError(t, fSys.Mkdir(rootDir))
+	require.NoError(t, os.Symlink(rootDir, simpleJoin(t, repoDir.String(), "symlink")))
+
+	expected := simpleJoin(t, LocalizeDir, "github.com", "org", "repo", "value", "actual-root")
+	actual, err := locRootPath(url, repoDir.String(), filesys.ConfirmedDir(rootDir), fSys)
+	require.NoError(t, err)
+	require.Equal(t, expected, actual)
+}

api/internal/plugins/builtinconfig/loaddefaultconfig_test.go

@@ -7,7 +7,7 @@ import (
 	"reflect"
 	"testing"
 
-	"sigs.k8s.io/kustomize/api/loader"
+	"sigs.k8s.io/kustomize/api/internal/loader"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/kustomize/kyaml/resid"

api/internal/plugins/builtinconfig/namebackreferences.go

@@ -22,7 +22,7 @@ import (
 // contains a Pod; Deployment, Job, StatefulSet, etc.
 // The ConfigMap is the ReferralTarget, the others are Referrers.
 //
-// If the the name of a ConfigMap instance changed from 'alice' to 'bob',
+// If the name of a ConfigMap instance changed from 'alice' to 'bob',
 // one must
 //  - visit all objects that could refer to the ConfigMap (the Referrers)
 //  - see if they mention 'alice',
@@ -47,6 +47,8 @@ type NameBackReferences struct {
 	// TODO: rename json 'fieldSpecs' to 'referrers' for clarity.
 	// This will, however, break anyone using a custom config.
 	Referrers types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	// Note: If any new pointer based members are added, DeepCopy needs to be updated
 }
 
 func (n NameBackReferences) String() string {
@@ -66,6 +68,17 @@ func (s nbrSlice) Less(i, j int) bool {
 	return s[i].Gvk.IsLessThan(s[j].Gvk)
 }
 
+// DeepCopy returns a new copy of nbrSlice
+func (s nbrSlice) DeepCopy() nbrSlice {
+	ret := make(nbrSlice, len(s))
+	copy(ret, s)
+	for i, slice := range ret {
+		ret[i].Referrers = slice.Referrers.DeepCopy()
+	}
+
+	return ret
+}
+
 func (s nbrSlice) mergeAll(o nbrSlice) (result nbrSlice, err error) {
 	result = s
 	for _, r := range o {

api/internal/plugins/builtinconfig/namebackreferences_test.go

@@ -95,3 +95,29 @@ func TestMergeAll(t *testing.T) {
 		t.Fatalf("expected\n %v\n but got\n %v\n", expected, actual)
 	}
 }
+
+func TestNbrSlice_DeepCopy(t *testing.T) {
+	original := make(nbrSlice, 2, 4)
+	original[0] = NameBackReferences{Gvk: resid.FromKind("A"), Referrers: types.FsSlice{{Path: "a"}}}
+	original[1] = NameBackReferences{Gvk: resid.FromKind("B"), Referrers: types.FsSlice{{Path: "b"}}}
+
+	copied := original.DeepCopy()
+
+	original, _ = original.mergeOne(NameBackReferences{Gvk: resid.FromKind("C"), Referrers: types.FsSlice{{Path: "c"}}})
+
+	// perform mutations which should not affect original
+	copied.Swap(0, 1)
+	copied[0].Referrers[0].Path = "very b" // ensure Referrers are not shared
+	_, _ = copied.mergeOne(NameBackReferences{Gvk: resid.FromKind("D"), Referrers: types.FsSlice{{Path: "d"}}})
+
+	// if DeepCopy does not work, original would be {very b,a,d} instead of {a,b,c}
+	expected := nbrSlice{
+		{Gvk: resid.FromKind("A"), Referrers: types.FsSlice{{Path: "a"}}},
+		{Gvk: resid.FromKind("B"), Referrers: types.FsSlice{{Path: "b"}}},
+		{Gvk: resid.FromKind("C"), Referrers: types.FsSlice{{Path: "c"}}},
+	}
+
+	if !reflect.DeepEqual(original, expected) {
+		t.Fatalf("original affected by mutations to copied object:\ngot\t%+v,\nexpected: %+v", original, expected)
+	}
+}

api/internal/plugins/builtinconfig/transformerconfig.go

@@ -6,18 +6,22 @@ package builtinconfig
 import (
 	"log"
 	"sort"
+	"sync"
 
 	"sigs.k8s.io/kustomize/api/ifc"
-	"sigs.k8s.io/kustomize/api/konfig/builtinpluginconsts"
+	"sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 )
 
 // TransformerConfig holds the data needed to perform transformations.
 type TransformerConfig struct {
+	// if any fields are added, update the DeepCopy implementation
 	NamePrefix        types.FsSlice `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
 	NameSuffix        types.FsSlice `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
 	NameSpace         types.FsSlice `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	CommonLabels      types.FsSlice `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"`
+	TemplateLabels    types.FsSlice `json:"templateLabels,omitempty" yaml:"templateLabels,omitempty"`
 	CommonAnnotations types.FsSlice `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"`
 	NameReference     nbrSlice      `json:"nameReference,omitempty" yaml:"nameReference,omitempty"`
 	VarReference      types.FsSlice `json:"varReference,omitempty" yaml:"varReference,omitempty"`
@@ -30,14 +34,43 @@ func MakeEmptyConfig() *TransformerConfig {
 	return &TransformerConfig{}
 }
 
+// DeepCopy returns a new copy of TransformerConfig
+func (t *TransformerConfig) DeepCopy() *TransformerConfig {
+	return &TransformerConfig{
+		NamePrefix:        t.NamePrefix.DeepCopy(),
+		NameSuffix:        t.NameSuffix.DeepCopy(),
+		NameSpace:         t.NameSpace.DeepCopy(),
+		CommonLabels:      t.CommonLabels.DeepCopy(),
+		TemplateLabels:    t.TemplateLabels.DeepCopy(),
+		CommonAnnotations: t.CommonAnnotations.DeepCopy(),
+		NameReference:     t.NameReference.DeepCopy(),
+		VarReference:      t.VarReference.DeepCopy(),
+		Images:            t.Images.DeepCopy(),
+		Replicas:          t.Replicas.DeepCopy(),
+	}
+}
+
+// the default transformer config is initialized by MakeDefaultConfig,
+// and must only be accessed via that function.
+var (
+	initDefaultConfig sync.Once          //nolint:gochecknoglobals
+	defaultConfig     *TransformerConfig //nolint:gochecknoglobals
+)
+
 // MakeDefaultConfig returns a default TransformerConfig.
 func MakeDefaultConfig() *TransformerConfig {
-	c, err := makeTransformerConfigFromBytes(
-		builtinpluginconsts.GetDefaultFieldSpecs())
-	if err != nil {
-		log.Fatalf("Unable to make default transformconfig: %v", err)
-	}
-	return c
+	// parsing is expensive when having a large tree with many kustomization modules, so only do it once
+	initDefaultConfig.Do(func() {
+		var err error
+		defaultConfig, err = makeTransformerConfigFromBytes(
+			builtinpluginconsts.GetDefaultFieldSpecs())
+		if err != nil {
+			log.Fatalf("Unable to make default transformconfig: %v", err)
+		}
+	})
+
+	// return a copy to avoid any mutations to protect the reference copy
+	return defaultConfig.DeepCopy()
 }
 
 // MakeTransformerConfig returns a merger of custom config,
@@ -58,8 +91,10 @@ func MakeTransformerConfig(
 // sortFields provides determinism in logging, tests, etc.
 func (t *TransformerConfig) sortFields() {
 	sort.Sort(t.NamePrefix)
+	sort.Sort(t.NameSuffix)
 	sort.Sort(t.NameSpace)
 	sort.Sort(t.CommonLabels)
+	sort.Sort(t.TemplateLabels)
 	sort.Sort(t.CommonAnnotations)
 	sort.Sort(t.NameReference)
 	sort.Sort(t.VarReference)
@@ -108,40 +143,44 @@ func (t *TransformerConfig) Merge(input *TransformerConfig) (
 	merged = &TransformerConfig{}
 	merged.NamePrefix, err = t.NamePrefix.MergeAll(input.NamePrefix)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge NamePrefix fieldSpec")
 	}
 	merged.NameSuffix, err = t.NameSuffix.MergeAll(input.NameSuffix)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge NameSuffix fieldSpec")
 	}
 	merged.NameSpace, err = t.NameSpace.MergeAll(input.NameSpace)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge NameSpace fieldSpec")
 	}
 	merged.CommonAnnotations, err = t.CommonAnnotations.MergeAll(
 		input.CommonAnnotations)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge CommonAnnotations fieldSpec")
 	}
 	merged.CommonLabels, err = t.CommonLabels.MergeAll(input.CommonLabels)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge CommonLabels fieldSpec")
+	}
+	merged.TemplateLabels, err = t.TemplateLabels.MergeAll(input.TemplateLabels)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge TemplateLabels fieldSpec")
 	}
 	merged.VarReference, err = t.VarReference.MergeAll(input.VarReference)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge VarReference fieldSpec")
 	}
 	merged.NameReference, err = t.NameReference.mergeAll(input.NameReference)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge NameReference fieldSpec")
 	}
 	merged.Images, err = t.Images.MergeAll(input.Images)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge Images fieldSpec")
 	}
 	merged.Replicas, err = t.Replicas.MergeAll(input.Replicas)
 	if err != nil {
-		return nil, err
+		return nil, errors.WrapPrefixf(err, "failed to merge Replicas fieldSpec")
 	}
 	merged.sortFields()
 	return merged, nil

api/internal/plugins/builtinconfig/transformerconfig_test.go

@@ -173,3 +173,22 @@ func TestMerge(t *testing.T) {
 		t.Fatalf("expected: %v\n but got: %v\n", cfga, actual)
 	}
 }
+
+func TestMakeDefaultConfig_mutation(t *testing.T) {
+	a := MakeDefaultConfig()
+
+	// mutate
+	a.NameReference[0].Kind = "mutated"
+	a.NameReference = a.NameReference[:1]
+
+	clean := MakeDefaultConfig()
+	if clean.NameReference[0].Kind == "mutated" {
+		t.Errorf("MakeDefaultConfig() did not return a clean copy: %+v", clean.NameReference)
+	}
+}
+
+func BenchmarkMakeDefaultConfig(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_ = MakeDefaultConfig()
+	}
+}