Merge pull request #498 from Liujingfang1/doc

Add example for transformer configurations: crd
2026-06-17 20:08:17 +00:00 · 2018-10-24 12:13:53 -07:00 · 2018-10-24 12:08:48 -07:00 · 2018-10-23 15:33:16 -07:00 · 2018-10-23 13:46:03 -07:00 · 2018-10-22 16:15:06 -07:00
3817 changed files with 2026416 additions and 30316 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,9 +4,13 @@
 *.dll
 *.so
 *.dylib
+kustomize

 # Test binary, build with `go test -c`
 *.test

 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+
+# We use sed -i.bak when doing in-line replace, because it works better cross-platform
+.bak
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,30 @@
+run:
+  deadline: 5m
+
+linters:
+  disable-all: true
+  enable:
+    - dupl
+    - goconst
+    - gocyclo
+    - gofmt
+    - golint
+    - govet
+    - ineffassign
+    - interfacer
+    - lll
+    - misspell
+    - nakedret
+    - structcheck
+    - unparam
+    - varcheck
+
+linters-settings:
+  dupl:
+    threshold: 400 
+  lll:   
+    line-length: 170
+  gocyclo:
+    min-complexity: 15
+  golint:
+    min-confidence: 0.85
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,18 +1,25 @@
 language: go

 go:
-  - 1.10.x
+  - 1.11.x

-# go_import_path: k8s.io/kubectl
+go_import_path: sigs.k8s.io/kustomize
+
+# Maybe, maybe not.
+# sudo: false
+
+# Only clone the most recent commit.
+git:
+  depth: 1
+
+env:
+- GOLANGCI_RELEASE="v1.10.2"

 before_install:
  - source ./bin/consider-early-travis-exit.sh
  - sudo apt-get install tree
-  - go get -u github.com/golang/lint/golint
-  - go get -u golang.org/x/tools/cmd/goimports
-  - go get -u github.com/onsi/ginkgo/ginkgo
+  - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $GOPATH/bin ${GOLANGCI_RELEASE}
  - go get -u github.com/monopole/mdrip
-  - go get -u github.com/fzipp/gocyclo

 # Install must be set to prevent default `go get` to run.
 # The dependencies have already been vendored by `dep` so
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,36 +1,22 @@
-# Contributing guidelines
+# Contributing Guidelines

-[Contributor License Agreement]: https://git.k8s.io/community/CLA.md
-[github workflow guide]: https://github.com/kubernetes/community/blob/master/contributors/guide/github-workflow.md
-[CNCF code of conduct]: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
+Welcome to Kubernetes. We are excited about the prospect of you joining our [community](https://github.com/kubernetes/community)! The Kubernetes community abides by the CNCF [code of conduct](code-of-conduct.md). Here is an excerpt:

-## Contributing a Patch
+_As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities._

-1. Kubernetes projects require contributors to sign the
-   [Contributor License Agreement] before pull requests
-   can be considered.
-1. Submit an issue describing your proposed change to
-   the repo in question.
-1. The [repo owners](OWNERS) will respond to your issue
-   promptly.
-1. Fork the repo, develop and test your code.
-   See the [github workflow guide].
-1. For _new features_, provide a markdown-based demo following
-   the pattern established in the [examples](examples) directory.
-   Run `bin/pre-commit.sh` to test your demo.
-1. Submit a pull request.
+## Getting Started

-## Community, discussion, contribution, and support
+We have full documentation on how to get started contributing here:

-Learn how to engage with the Kubernetes community on
-the [community page](http://kubernetes.io/community/).
+- [Contributor License Agreement](https://git.k8s.io/community/CLA.md) Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests
+- [Kubernetes Contributor Guide](http://git.k8s.io/community/contributors/guide) - Main contributor documentation, or you can just jump directly to the [contributing section](http://git.k8s.io/community/contributors/guide#contributing)
+- [Contributor Cheat Sheet](https://git.k8s.io/community/contributors/guide/contributor-cheatsheet.md) - Common resources for existing developers

-You can reach the maintainers of this project at:
+## Mentorship

- [Slack](http://slack.k8s.io/)
- [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-kustomize)
+- [Mentoring Initiatives](https://git.k8s.io/community/mentoring) - We have a diverse set of mentorship programs available that are always looking for volunteers!

-## Code of conduct
+## Contact Information

-Participation in the Kubernetes community is governed
-by the [CNCF code of conduct].
+- [Slack channel](https://kubernetes.slack.com/messages/sig-cli)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-cli)
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -2,120 +2,351 @@


 [[projects]]
+  digest = "1:8e47871087b94913898333f37af26732faaab30cdb41571136cf7aec9921dae7"
+  name = "github.com/PuerkitoBio/purell"
+  packages = ["."]
+  pruneopts = ""
+  revision = "0bcb03f4b4d0a9428594752bd2a3b9aa0a9d4bd4"
+  version = "v1.1.0"
+
+[[projects]]
+  branch = "master"
+  digest = "1:331a419049c2be691e5ba1d24342fc77c7e767a80c666a18fd8a9f7b82419c1c"
+  name = "github.com/PuerkitoBio/urlesc"
+  packages = ["."]
+  pruneopts = ""
+  revision = "de5bf2ad457846296e2031421a34e2568e304e35"
+
+[[projects]]
+  digest = "1:4905d4dce09d1a9e93fe2b9733f92bee5f149dd229727bbc074465b24fb489cd"
+  name = "github.com/aws/aws-sdk-go"
+  packages = [
+    "aws",
+    "aws/awserr",
+    "aws/awsutil",
+    "aws/client",
+    "aws/client/metadata",
+    "aws/corehandlers",
+    "aws/credentials",
+    "aws/credentials/ec2rolecreds",
+    "aws/credentials/endpointcreds",
+    "aws/credentials/stscreds",
+    "aws/csm",
+    "aws/defaults",
+    "aws/ec2metadata",
+    "aws/endpoints",
+    "aws/request",
+    "aws/session",
+    "aws/signer/v4",
+    "internal/sdkio",
+    "internal/sdkrand",
+    "internal/sdkuri",
+    "internal/shareddefaults",
+    "private/protocol",
+    "private/protocol/eventstream",
+    "private/protocol/eventstream/eventstreamapi",
+    "private/protocol/query",
+    "private/protocol/query/queryutil",
+    "private/protocol/rest",
+    "private/protocol/restxml",
+    "private/protocol/xml/xmlutil",
+    "service/s3",
+    "service/sts",
+  ]
+  pruneopts = ""
+  revision = "fde4ded7becdeae4d26bf1212916aabba79349b4"
+  version = "v1.14.12"
+
+[[projects]]
+  branch = "master"
+  digest = "1:98e84060475ed245c3b355042afd43a74aa7d32efe50658f4f995977916f9fc3"
+  name = "github.com/bgentry/go-netrc"
+  packages = ["netrc"]
+  pruneopts = ""
+  revision = "9fd32a8b3d3d3f9d43c341bfe098430e07609480"
+
+[[projects]]
+  digest = "1:56c130d885a4aacae1dd9c7b71cfe39912c7ebc1ff7d2b46083c8812996dc43b"
  name = "github.com/davecgh/go-spew"
  packages = ["spew"]
+  pruneopts = ""
  revision = "346938d642f2ec3594ed81d874461961cd0faa76"
  version = "v1.1.0"

 [[projects]]
+  digest = "1:971e9ba63a417c5f1f83ab358677bc59e96ff04285f26c6646ff089fb60b15e8"
+  name = "github.com/emicklei/go-restful"
+  packages = [
+    ".",
+    "log",
+  ]
+  pruneopts = ""
+  revision = "3658237ded108b4134956c1b3050349d93e7b895"
+  version = "v2.7.1"
+
+[[projects]]
+  digest = "1:dcefbadf4534c5ecac8573698fba6e6e601157bfa8f96aafe29df31ae582ef2a"
  name = "github.com/evanphx/json-patch"
  packages = ["."]
+  pruneopts = ""
  revision = "afac545df32f2287a079e2dfb7ba2745a643747e"
  version = "v3.0.0"

 [[projects]]
+  digest = "1:b13707423743d41665fd23f0c36b2f37bb49c30e94adb813319c44188a51ba22"
  name = "github.com/ghodss/yaml"
  packages = ["."]
+  pruneopts = ""
  revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7"
  version = "v1.0.0"

 [[projects]]
+  digest = "1:858b7fe7b0f4bc7ef9953926828f2816ea52d01a88d72d1c45bc8c108f23c356"
+  name = "github.com/go-ini/ini"
+  packages = ["."]
+  pruneopts = ""
+  revision = "358ee7663966325963d4e8b2e1fbd570c5195153"
+  version = "v1.38.1"
+
+[[projects]]
+  branch = "master"
+  digest = "1:e116a4866bffeec941056a1fcfd37e520fad1ee60e4e3579719f19a43c392e10"
+  name = "github.com/go-openapi/jsonpointer"
+  packages = ["."]
+  pruneopts = ""
+  revision = "3a0015ad55fa9873f41605d3e8f28cd279c32ab2"
+
+[[projects]]
+  branch = "master"
+  digest = "1:3830527ef0f4f9b268d9286661c0f52f9115f8aefd9f45ee7352516f93489ac9"
+  name = "github.com/go-openapi/jsonreference"
+  packages = ["."]
+  pruneopts = ""
+  revision = "3fb327e6747da3043567ee86abd02bb6376b6be2"
+
+[[projects]]
+  branch = "master"
+  digest = "1:238a056875c4b053b4b29984765ee335bf8c539fdf17e527fd9b7aa72521c8dd"
+  name = "github.com/go-openapi/spec"
+  packages = ["."]
+  pruneopts = ""
+  revision = "bcff419492eeeb01f76e77d2ebc714dc97b607f5"
+
+[[projects]]
+  branch = "master"
+  digest = "1:7b067ca8b94982960860d18c42e29f15bbd0e8d9ae8145a83a218296e75393cf"
+  name = "github.com/go-openapi/swag"
+  packages = ["."]
+  pruneopts = ""
+  revision = "811b1089cde9dad18d4d0c2d09fbdbf28dbd27a5"
+
+[[projects]]
+  digest = "1:0a3f6a0c68ab8f3d455f8892295503b179e571b7fefe47cc6c556405d1f83411"
  name = "github.com/gogo/protobuf"
  packages = [
    "proto",
-    "sortkeys"
+    "sortkeys",
  ]
+  pruneopts = ""
  revision = "1adfc126b41513cc696b209667c8656ea7aac67c"
  version = "v1.0.0"

 [[projects]]
  branch = "master"
+  digest = "1:107b233e45174dbab5b1324201d092ea9448e58243ab9f039e4c0f332e121e3a"
  name = "github.com/golang/glog"
  packages = ["."]
+  pruneopts = ""
  revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998"

 [[projects]]
+  digest = "1:f958a1c137db276e52f0b50efee41a1a389dcdded59a69711f3e872757dab34b"
  name = "github.com/golang/protobuf"
  packages = [
    "proto",
    "ptypes",
    "ptypes/any",
    "ptypes/duration",
-    "ptypes/timestamp"
+    "ptypes/timestamp",
  ]
+  pruneopts = ""
  revision = "b4deda0973fb4c70b50d226b1af49f3da59f5265"
  version = "v1.1.0"

 [[projects]]
  branch = "master"
+  digest = "1:754f77e9c839b24778a4b64422236d38515301d2baeb63113aa3edc42e6af692"
  name = "github.com/google/gofuzz"
  packages = ["."]
+  pruneopts = ""
  revision = "24818f796faf91cd76ec7bddd72458fbced7a6c1"

 [[projects]]
+  digest = "1:2a131706ff80636629ab6373f2944569b8252ecc018cda8040931b05d32e3c16"
  name = "github.com/googleapis/gnostic"
  packages = [
    "OpenAPIv2",
    "compiler",
-    "extensions"
+    "extensions",
  ]
+  pruneopts = ""
  revision = "ee43cbb60db7bd22502942cccbc39059117352ab"
  version = "v0.1.0"

 [[projects]]
+  branch = "master"
+  digest = "1:f5d25fd7bdda08e39e01193ef94a1ebf7547b1b931bcdec785d08050598f306c"
+  name = "github.com/hashicorp/go-cleanhttp"
+  packages = ["."]
+  pruneopts = ""
+  revision = "d5fe4b57a186c716b0e00b8c301cbd9b4182694d"
+
+[[projects]]
+  branch = "master"
+  digest = "1:fd15b3f6aac9d0fe68c6e38922282e0d2e88cd77b927ac3dd842e363645522c0"
+  name = "github.com/hashicorp/go-getter"
+  packages = [
+    ".",
+    "helper/url",
+  ]
+  pruneopts = ""
+  revision = "4bda8fa99001c61db3cad96b421d4c12a81f256d"
+
+[[projects]]
+  branch = "master"
+  digest = "1:2cf6c60c74eacadd31652674364af55c8d54a86b8ea193548f1c37f8c9af8f9c"
+  name = "github.com/hashicorp/go-safetemp"
+  packages = ["."]
+  pruneopts = ""
+  revision = "b1a1dbde6fdc11e3ae79efd9039009e22d4ae240"
+
+[[projects]]
+  branch = "master"
+  digest = "1:139bdc2c89779b8ff8b1150be28f889b0ed964e6da96f32cbc9035bd4642881c"
+  name = "github.com/hashicorp/go-version"
+  packages = ["."]
+  pruneopts = ""
+  revision = "270f2f71b1ee587f3b609f00f422b76a6b28f348"
+
+[[projects]]
+  digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be"
  name = "github.com/inconshreveable/mousetrap"
  packages = ["."]
+  pruneopts = ""
  revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75"
  version = "v1.0"

 [[projects]]
+  digest = "1:6f49eae0c1e5dab1dafafee34b207aeb7a42303105960944828c2079b92fc88e"
+  name = "github.com/jmespath/go-jmespath"
+  packages = ["."]
+  pruneopts = ""
+  revision = "0b12d6b5"
+
+[[projects]]
+  digest = "1:9eab2325abbed0ebcee9d44bb3660a69d5d10e42d5ac4a0e77f7a6ea22bfce88"
  name = "github.com/json-iterator/go"
  packages = ["."]
+  pruneopts = ""
  revision = "ca39e5af3ece67bbcda3d0f4f56a8e24d9f2dad4"
  version = "1.1.3"

 [[projects]]
+  branch = "master"
+  digest = "1:d9e483f4b9e306facf126bd90b02d512bd22ea4471e1568867e32221a8abbb16"
+  name = "github.com/mailru/easyjson"
+  packages = [
+    "buffer",
+    "jlexer",
+    "jwriter",
+  ]
+  pruneopts = ""
+  revision = "3fdea8d05856a0c8df22ed4bc71b3219245e4485"
+
+[[projects]]
+  branch = "master"
+  digest = "1:83854f6b1d2ce047b69657e3a87ba7602f4c5505e8bdfd02ab857db8e983bde1"
+  name = "github.com/mitchellh/go-homedir"
+  packages = ["."]
+  pruneopts = ""
+  revision = "58046073cbffe2f25d425fe1331102f55cf719de"
+
+[[projects]]
+  branch = "master"
+  digest = "1:51c98e2c9a8d0a724a69f46421876af14e12132cb02f1d0e144785d752247162"
+  name = "github.com/mitchellh/go-testing-interface"
+  packages = ["."]
+  pruneopts = ""
+  revision = "a61a99592b77c9ba629d254a693acffaeb4b7e28"
+
+[[projects]]
+  digest = "1:0c0ff2a89c1bb0d01887e1dac043ad7efbf3ec77482ef058ac423d13497e16fd"
  name = "github.com/modern-go/concurrent"
  packages = ["."]
+  pruneopts = ""
  revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94"
  version = "1.0.3"

 [[projects]]
+  digest = "1:420f9231f816eeca3ff5aab070caac3ed7f27e4d37ded96ce9de3d7a7a2e31ad"
  name = "github.com/modern-go/reflect2"
  packages = ["."]
+  pruneopts = ""
  revision = "1df9eeb2bb81f327b96228865c5687bc2194af3f"
  version = "1.0.0"

 [[projects]]
+  digest = "1:7365acd48986e205ccb8652cc746f09c8b7876030d53710ea6ef7d0bd0dcd7ca"
  name = "github.com/pkg/errors"
  packages = ["."]
+  pruneopts = ""
  revision = "645ef00459ed84a119197bfb8d8205042c6df63d"
  version = "v0.8.0"

 [[projects]]
+  digest = "1:74c32990510c9f188556aa17600313e867d1d06f5a9db244056a95d144ec34ce"
  name = "github.com/spf13/cobra"
  packages = ["."]
+  pruneopts = ""
  revision = "a1f051bc3eba734da4772d60e2d677f47cf93ef4"
  version = "v0.0.2"

 [[projects]]
+  digest = "1:8e243c568f36b09031ec18dff5f7d2769dcf5ca4d624ea511c8e3197dc3d352d"
  name = "github.com/spf13/pflag"
  packages = ["."]
+  pruneopts = ""
  revision = "583c0c0531f06d5278b7d917446061adc344b5cd"
  version = "v1.0.1"

 [[projects]]
-  branch = "master"
-  name = "golang.org/x/net"
+  digest = "1:ee723e6a1962a196eeba1b24f82af61a4f60f8821d7aa96d48e787f8337bcffc"
+  name = "github.com/ulikunitz/xz"
  packages = [
-    "http/httpguts",
-    "http2",
-    "http2/hpack",
-    "idna"
+    ".",
+    "internal/hash",
+    "internal/xlog",
+    "lzma",
  ]
-  revision = "2491c5de3490fced2f6cff376127c667efeed857"
+  pruneopts = ""
+  revision = "0c6b41e72360850ca4f98dc341fd999726ea007f"
+  version = "v0.5.4"

 [[projects]]
+  branch = "master"
+  digest = "1:35171304d8332a0cfac5f3bd9222467f036732ddde75c65278b16f65216e03ed"
+  name = "golang.org/x/net"
+  packages = [
+    "http2",
+    "http2/hpack",
+    "idna",
+    "lex/httplex",
+  ]
+  pruneopts = ""
+  revision = "1c05540f6879653db88113bc4a2b70aec4bd491f"
+
+[[projects]]
+  digest = "1:5acd3512b047305d49e8763eef7ba423901e85d5dd2fd1e71778a0ea8de10bd4"
  name = "golang.org/x/text"
  packages = [
    "collate",
@@ -131,25 +362,32 @@
    "unicode/bidi",
    "unicode/cldr",
    "unicode/norm",
-    "unicode/rangetable"
+    "unicode/rangetable",
+    "width",
  ]
+  pruneopts = ""
  revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
  version = "v0.3.0"

 [[projects]]
+  digest = "1:75fb3fcfc73a8c723efde7777b40e8e8ff9babf30d8c56160d01beffea8a95a6"
  name = "gopkg.in/inf.v0"
  packages = ["."]
+  pruneopts = ""
  revision = "d2d2541c53f18d2a059457998ce2876cc8e67cbf"
  version = "v0.9.1"

 [[projects]]
+  digest = "1:f0620375dd1f6251d9973b5f2596228cc8042e887cd7f827e4220bc1ce8c30e2"
  name = "gopkg.in/yaml.v2"
  packages = ["."]
+  pruneopts = ""
  revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183"
  version = "v2.2.1"

 [[projects]]
  branch = "master"
+  digest = "1:663df6da5560210fc39194a0a2c4fceba09ead717c330f1174bb15597cf18ce8"
  name = "k8s.io/api"
  packages = [
    "admissionregistration/v1alpha1",
@@ -179,17 +417,24 @@
    "settings/v1alpha1",
    "storage/v1",
    "storage/v1alpha1",
-    "storage/v1beta1"
+    "storage/v1beta1",
  ]
+  pruneopts = ""
  revision = "53d615ae3f440f957cb9989d989d597f047262d9"

 [[projects]]
  branch = "master"
+  digest = "1:bcb2285bb525712de7903a5d254c2789df65c8b58d2cfac5a26d950ad94c2079"
  name = "k8s.io/apimachinery"
  packages = [
+    "pkg/api/equality",
+    "pkg/api/meta",
    "pkg/api/resource",
+    "pkg/api/validation",
    "pkg/apis/meta/v1",
    "pkg/apis/meta/v1/unstructured",
+    "pkg/apis/meta/v1/validation",
+    "pkg/apis/meta/v1beta1",
    "pkg/conversion",
    "pkg/conversion/queryparams",
    "pkg/fields",
@@ -218,31 +463,55 @@
    "pkg/util/yaml",
    "pkg/watch",
    "third_party/forked/golang/json",
-    "third_party/forked/golang/reflect"
+    "third_party/forked/golang/reflect",
  ]
+  pruneopts = ""
  revision = "13b73596e4b63e03203e86f6d9c7bcc1b937c62f"

 [[projects]]
+  digest = "1:071cc2f032b701b9dba26568e040940f26931a49e3a3985f3375f17f7f6d9c5f"
  name = "k8s.io/client-go"
  packages = ["kubernetes/scheme"]
+  pruneopts = ""
  revision = "23781f4d6632d88e869066eaebb743857aa1ef9b"
  version = "v7.0.0"

 [[projects]]
  branch = "master"
+  digest = "1:386c5d69077ce740614e8309ddf107dde91a5db25d3d779143f452fb4fbdfd1e"
  name = "k8s.io/kube-openapi"
-  packages = ["pkg/util/proto"]
+  packages = [
+    "pkg/common",
+    "pkg/util/proto",
+  ]
+  pruneopts = ""
  revision = "b3f03f55328800731ce03a164b80973014ecd455"

-[[projects]]
-  branch = "master"
-  name = "k8s.io/utils"
-  packages = ["exec"]
-  revision = "258e2a2fa64568210fbd6267cf1d8fd87c3cb86e"
-
 [solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
-  inputs-digest = "e966d7880a29cf5669060d6564407f0f4c164e93eb844c22efec383383af2d3e"
+  input-imports = [
+    "github.com/evanphx/json-patch",
+    "github.com/ghodss/yaml",
+    "github.com/golang/glog",
+    "github.com/hashicorp/go-getter",
+    "github.com/pkg/errors",
+    "github.com/spf13/cobra",
+    "gopkg.in/yaml.v2",
+    "k8s.io/api/core/v1",
+    "k8s.io/apimachinery/pkg/api/validation",
+    "k8s.io/apimachinery/pkg/apis/meta/v1",
+    "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
+    "k8s.io/apimachinery/pkg/apis/meta/v1/validation",
+    "k8s.io/apimachinery/pkg/runtime",
+    "k8s.io/apimachinery/pkg/runtime/schema",
+    "k8s.io/apimachinery/pkg/util/mergepatch",
+    "k8s.io/apimachinery/pkg/util/strategicpatch",
+    "k8s.io/apimachinery/pkg/util/validation",
+    "k8s.io/apimachinery/pkg/util/validation/field",
+    "k8s.io/apimachinery/pkg/util/yaml",
+    "k8s.io/client-go/kubernetes/scheme",
+    "k8s.io/kube-openapi/pkg/common",
+  ]
  solver-name = "gps-cdcl"
  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -49,6 +49,18 @@
  name = "k8s.io/client-go"
  version = "7.0.0"

-[[constraint]]
+[[override]]
  branch = "master"
  name = "k8s.io/utils"
+
+[[override]]
+  branch = "master"
+  name = "github.com/go-openapi/spec"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/hashicorp/go-getter"
+
+[[constraint]]
+  name = "github.com/krishicks/yaml-patch"
+  version = "0.0.10"
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ patch [kubernetes style] API objects.  It's like
 [`make`], in that what it does is declared in a file,
 and it's like [`sed`], in that it emits editted text.

+This tool is sponsored by [sig-cli] ([KEP]).
+
 [![Build Status](https://travis-ci.org/kubernetes-sigs/kustomize.svg?branch=master)](https://travis-ci.org/kubernetes-sigs/kustomize)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes-sigs/kustomize)](https://goreportcard.com/report/github.com/kubernetes-sigs/kustomize)

@@ -113,10 +115,18 @@ The YAML can be directly [applied] to a cluster:
 > kustomize build ~/someApp/overlays/production | kubectl apply -f -
 > ```

-## About
+## Community, discussion, contribution, and support

-This tool is sponsored by [sig-cli] ([KEP]).
+Learn how to engage with the Kubernetes community on the [community page].

+You can reach the maintainers of this project at:
+
+- [Slack]
+- [Mailing List]
+
+### Code of conduct
+
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct].

 [KEP]: https://github.com/kubernetes/community/blob/master/keps/sig-cli/0008-kustomize.md
 [`make`]: https://www.gnu.org/software/make
@@ -127,7 +137,7 @@ This tool is sponsored by [sig-cli] ([KEP]).
 [examples]: examples/README.md
 [imageBase]: docs/base.jpg
 [imageOverlay]: docs/overlay.jpg
-[install]: INSTALL.md
+[install]: docs/INSTALL.md
 [kubernetes style]: docs/glossary.md#kubernetes-style-object
 [kustomization]: docs/glossary.md#kustomization
 [overlay]: docs/glossary.md#overlay
@@ -139,3 +149,7 @@ This tool is sponsored by [sig-cli] ([KEP]).
 [variant]: docs/glossary.md#variant
 [variants]: docs/glossary.md#variant
 [workflows]: docs/workflows.md
+[community page]: http://kubernetes.io/community/
+[Kubernetes Code of Conduct]: code-of-conduct.md
+[Slack]: https://kubernetes.slack.com/messages/sig-cli
+[Mailing List]: https://groups.google.com/forum/#!forum/kubernetes-sig-cli
--- a/15
+++ b/15
@@ -0,0 +1,15 @@
+# Defined below are the security contacts for this repo.
+#
+# They are the contact point for the Product Security Team to reach out
+# to for triaging and handling of incoming issues.
+#
+# The below names agree to abide by the
+# [Embargo Policy](https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#embargo-policy)
+# and will be removed and replaced if they violate that agreement.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://kubernetes.io/security/
+
+monopole
+Liujingfang1
+pwittrock
--- a/bin/pre-commit.sh
+++ b/bin/pre-commit.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 # Make sure, we run in the root of the repo and
 # therefore run the tests on all packages
@@ -10,10 +11,6 @@ cd "$base_dir" || {

 rc=0

-function go_dirs {
-  go list -f '{{.Dir}}' ./... | tail -n +2 | tr '\n' '\0'
-}
-
 function runTest {
  local name=$1
  local result="SUCCESS"
@@ -27,25 +24,8 @@ function runTest {
  printf "============== end %s : %s code=%d\n\n\n" "$name" "$result" $code
 }

-function testGoFmt {
-  diff <(echo -n) <(go_dirs | xargs -0 gofmt -s -d -l)
-}
-
-
-function testGoCyclo {
-  diff <(echo -n) <(go_dirs | xargs -0 gocyclo -over 15)
-}
-
-function testGoImports {
-  diff -u <(echo -n) <(go_dirs | xargs -0 goimports -l)
-}
-
-function testGoLint {
-  diff -u <(echo -n) <(go_dirs | xargs -0 golint --min_confidence 0.85 )
-}
-
-function testGoVet {
-  go vet -all ./...
+function testGoLangCILint {
+  golangci-lint run ./...
 }

 function testGoTest {
@@ -56,11 +36,7 @@ function testExamples {
  mdrip --mode test --label test README.md ./examples
 }

-runTest testGoFmt
-runTest testGoImports
-runTest testGoLint
-runTest testGoVet
-runTest testGoCyclo
+runTest testGoLangCILint
 runTest testGoTest
 runTest testExamples

--- a/build/README.md
+++ b/build/README.md
@@ -1,16 +1,16 @@
 [releases page]: https://github.com/kubernetes-sigs/kustomize/releases
-[`container-builder-local`]: https://github.com/GoogleCloudPlatform/container-builder-local
-[Google Container Builder]: https://cloud.google.com/container-builder
+[`cloud-build-local`]: https://github.com/GoogleCloudPlatform/cloud-build-local
+[Google Cloud Build]: https://cloud.google.com/cloud-build

 Scripts and configuration files for publishing a
 `kustomize` release on the [releases page].

 ### Build a release locally

-Install [`container-builder-local`], then run
+Install [`cloud-build-local`], then run

 ```
-container-builder-local \
+cloud-build-local \
   --config=build/cloudbuild_local.yaml \
   --dryrun=false --write-workspace=/tmp/w .
 ```
@@ -41,5 +41,5 @@ Push the tag upstream:
 git push upstream $version
 ```

-The new tag will trigger a job in [Google Container
-Builder] to put a new release on the [releases page].
+The new tag will trigger a job in [Google Cloud
+Build] to put a new release on the [releases page].
--- a/build/build.sh
+++ b/build/build.sh
@@ -23,10 +23,10 @@ set -x
 # - Use /go as the default GOPATH because this is what the image uses
 # - Link our current directory (containing the source code) to the package location in the GOPATH

-OWNER="kubernetes-sigs"
+OWNER="sigs.k8s.io"
 REPO="kustomize"

-GO_PKG_OWNER=$GOPATH/src/github.com/$OWNER
+GO_PKG_OWNER=$GOPATH/src/$OWNER
 GO_PKG_PATH=$GO_PKG_OWNER/$REPO

 mkdir -p $GO_PKG_OWNER
@@ -56,4 +56,4 @@ case $key in
 esac
 done

-/goreleaser release --config=build/goreleaser.yml --rm-dist --skip-validate ${SNAPSHOT}
+/goreleaser release --config=build/goreleaser.yaml --rm-dist --skip-validate ${SNAPSHOT}
--- a/build/goreleaser.yaml
+++ b/build/goreleaser.yaml
@@ -4,7 +4,7 @@ project_name: kustomize
 builds:
 - main: ./kustomize.go
  binary: kustomize
-  ldflags: -s -X github.com/kubernetes-sigs/kustomize/version.kustomizeVersion={{.Version}} -X github.com/kubernetes-sigs/kustomize/version.gitCommit={{.Commit}} -X github.com/kubernetes-sigs/kustomize/version.buildDate={{.Date}}
+  ldflags: -s -X sigs.k8s.io/kustomize/pkg/commands.kustomizeVersion={{.Version}} -X sigs.k8s.io/kustomize/pkg/commands.gitCommit={{.Commit}} -X sigs.k8s.io/kustomize/pkg/commands.buildDate={{.Date}}
  goos:
  - darwin
  - linux
--- a/build/goreleaser.yml
+++ b/build/goreleaser.yml
@@ -1,33 +0,0 @@
-# This is an example goreleaser.yaml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
-project_name: kustomize
-builds:
- main: ./kustomize.go
-  binary: kustomize
-  ldflags: -s -X github.com/kubernetes-sigs/kustomize/version.kustomizeVersion={{.Version}} -X github.com/kubernetes-sigs/kustomize/version.gitCommit={{.Commit}} -X github.com/kubernetes-sigs/kustomize/version.buildDate={{.Date}}
-  goos:
-  - darwin
-  - linux
-  - windows
-  goarch:
-   - amd64
-  env:
-  - CGO_ENABLED=0
-checksum:
-  name_template: 'checksums.txt'
-archive:
-  format: binary
-snapshot:
-  name_template: "master"
-changelog:
-  sort: asc
-  filters:
-    exclude:
-    - '^docs:'
-    - '^test:'
-    - Merge pull request
-    - Merge branch
-release:
-  github:
-    owner: kubernetes-sigs
-    name: kustomize
--- a/build/vendor_kustomize.sh
+++ b/build/vendor_kustomize.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+#
+#  Copyright 2018 The Kubernetes Authors.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+set -e
+set -x
+
+# vendor_kustomize.sh creates the change in kubernetes repo for vendoring kustomize
+
+function setUpWorkspace {
+  KPATH=~/kustomize_vendor
+  mkdir $KPATH
+  GOPATH=$KPATH
+}
+
+function cloneK8s {
+  mkdir -p $GOPATH/src/k8s.io
+  cd $GOPATH/src/k8s.io
+
+  git clone git@github.com:kubernetes/kubernetes.git
+}
+
+function godepRestore {
+  cd $GOPATH/src/k8s.io/kubernetes
+
+  # restore dependencies
+  hack/godep-restore.sh
+}
+
+function getKustomizeDeps {
+  # get Kustomize and Kustomize dependencies
+  godep get sigs.k8s.io/kustomize/pkg/commands
+  godep get github.com/bgentry/go-netrc/netrc
+  godep get github.com/hashicorp/go-cleanhttp
+  godep get github.com/hashicorp/go-getter
+  godep get github.com/hashicorp/go-safetemp
+  godep get github.com/hashicorp/go-version
+
+  # The hashes below passed bin/pre-commit.sh with kustomize HEAD at time of merger.
+  DEPS=(
+  "hashicorp/go-getter     4bda8fa99001c61db3cad96b421d4c12a81f256d"
+  "hashicorp/go-cleanhttp  d5fe4b57a186c716b0e00b8c301cbd9b4182694d"
+  "hashicorp/go-safetemp   b1a1dbde6fdc11e3ae79efd9039009e22d4ae240"
+  "hashicorp/go-version    270f2f71b1ee587f3b609f00f422b76a6b28f348"
+  "bgentry/go-netrc        9fd32a8b3d3d3f9d43c341bfe098430e07609480"
+  "mitchellh/go-homedir    58046073cbffe2f25d425fe1331102f55cf719de"
+  "mitchellh/go-testing-interface  a61a99592b77c9ba629d254a693acffaeb4b7e28"
+  "ulikunitz/xz            v0.5.4"
+  )
+
+  function foo {
+    cd $GOPATH/src/github.com/$1
+    git checkout $2
+  }
+  for i in "${DEPS[@]}"; do
+    foo $i
+  done
+}
+
+function updateK8s {
+  # Copy k8sdeps from Kustomize to kubectl
+  mkdir -p $GOPATH/src/k8s.io/kubernetes/pkg/kubectl/kustomize
+  cp -r $GOPATH/src/sigs.k8s.io/kustomize/internal/k8sdeps \
+    $GOPATH/src/k8s.io/kubernetes/pkg/kubectl/kustomize/k8sdeps
+
+  # Change import path of k8sdeps
+  find $GOPATH/src/k8s.io/kubernetes/pkg/kubectl/kustomize/k8sdeps \
+    -type f -name "*.go" | \
+    xargs sed -i \
+    's!sigs.k8s.io/kustomize/internal/k8sdeps!k8s.io/kubernetes/pkg/kubectl/kustomize/k8sdeps!'
+
+
+  # Add kustomize command to kubectl
+  cat > $GOPATH/kubectl.diff << EOF
+diff --git a/pkg/kubectl/cmd/cmd.go b/pkg/kubectl/cmd/cmd.go
+index 43a541ecc9..2d23bfd27d 100644
+--- a/pkg/kubectl/cmd/cmd.go
+++ b/pkg/kubectl/cmd/cmd.go
+@@ -74,6 +74,8 @@ import (
+        "k8s.io/kubernetes/pkg/kubectl/util/templates"
+
+        "k8s.io/cli-runtime/pkg/genericclioptions"
+       "k8s.io/kubernetes/pkg/kubectl/kustomize/k8sdeps"
+       "sigs.k8s.io/kustomize/pkg/commands"
+ )
+
+ const (
+@@ -505,6 +507,7 @@ func NewKubectlCommand(in io.Reader, out, err io.Writer) *cobra.Command {
+                                replace.NewCmdReplace(f, ioStreams),
+                                wait.NewCmdWait(f, ioStreams),
+                                convert.NewCmdConvert(f, ioStreams),
+                               templates.NormalizeAll(commands.NewDefaultCommand(k8sdeps.NewFactory())),
+                        },
+                },
+                {
+
+EOF
+
+  cd $GOPATH/src/k8s.io/kubernetes
+  git apply --ignore-space-change --ignore-whitespace $GOPATH/kubectl.diff
+}
+
+function godepSave {
+  # Save all dependencies into k8s.io/kubernetes/vendor by running
+  # hack/godep-save.sh
+  ./hack/godep-save.sh
+}
+
+function verify {
+  # make sure in k8s.io/kubernetes/vendor/sigs.k8s.io/kustomize
+  # there is no internal package
+  test 0 == $(ls $GOPATH/src/k8s.io/kubernetes/vendor/sigs.k8s.io/kustomize | grep “internal” | wc -l)
+
+  # Make sure it compiles.
+  test 0 == $(bazel build cmd/kubectl:kubectl)
+
+  # next step, open a PR
+  echo "The change for vendoring kustomize is ready in $GOPATH/src/k8s.io/kubernetes.\n Next step, open a PR for it.\n"
+}
+
+function updateDocs {
+  ./hack/update-generated-docs.sh
+}
+
+setUpWorkspace
+cloneK8s
+godepRestore
+getKustomizeDeps
+updateK8s
+godepSave
+verify
+updateDocs
--- a/code-of-conduct.md
+++ b/code-of-conduct.md
@@ -1,6 +1,3 @@
-[Kubernetes Community Code of Conduct]: https://git.k8s.io/community/code-of-conduct.md
+# Kubernetes Community Code of Conduct

-# Code of Conduct
-
-This project has adopted the
-[Kubernetes Community Code of Conduct].
+Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md)
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -3,7 +3,13 @@

 ## Installation

-Download a binary from the [release page].
+On macOS, you can install kustomize with Homebrew package
+manager:
+
+    brew install kustomize
+
+For all operating systems, download a binary from the
+[release page].

 Or try this to grab the latest official release
 using the command line:
@@ -23,5 +29,5 @@ To install from head with [Go] v1.10.1 or higher:

 <!-- @installkustomize @test -->
 ```
-go get github.com/kubernetes-sigs/kustomize
+go get sigs.k8s.io/kustomize
 ```
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,23 @@
+# Kustomize docs
+ 
+ * [installation instructions](INSTALL.md)
+ 
+ * [kustomization.yaml](kustomization.yaml) - Example of a
+   [kustomization](glossary.md#kustomization)
+   with explanations of each field.
+
+ * [workflow](workflows.md) - Some steps one might take in using
+   bespoke and off-the-shelf configurations.
+  
+ * [glossary](glossary.md) - An attempt to disambiguiate terminology.
+   
+ * [eschewed features](eschewedFeatures.md) - Why certain features are (currently)
+   not supported in Kustomize.
+
+ * [contributing guidelines](../CONTRIBUTING.md) - Please read before sending a PR.
+ 
+ * [code of conduct](../code-of-conduct.md)
+ 
+ 
+ 
+ 
--- a/docs/eschewedFeatures.md
+++ b/docs/eschewedFeatures.md
@@ -0,0 +1,85 @@
+# Eschewed Features
+
+For a bigger picture about why kustomize
+does some things and not others, see the
+glossary entry for [DAM].
+
+## Removal directives
+
+`kustomize` supports configurations that can be reasoned about as
+_compositions_ or _mixins_ - concepts that are widely accepted as
+a best practice in various programming languages.
+
+To this end, `kustomize` offers various _addition_ directives.  One
+can add labels, annotations, patches, resources and bases.
+Corresponding _removal_ directives are not offered.
+
+Removal semantics would introduce many possibilities for
+inconsistency, and the need to add code to detect, report and
+reject it.  It would also allow, and possibly encourage,
+unnecessarily complex configuration layouts.
+
+When faced with a situation where removal is desirable, it's
+always possible to remove things from a base like labels and
+annotations, and/or split multi-resource manifests into individual
+resource files - then add things back as desired via the
+[kustomization].
+
+If the underlying base is outside of one's control, an [OTS
+workflow] is the recommended best practice.  Fork the base, remove
+what you don't want and commit it to your private fork, then use
+kustomize on your fork.  As often as desired, use _git rebase_ to
+capture improvements from the upstream base.
+
+## Build-time side effects from CLI args or env variables
+
+`kustomize` supports the best practice of storing one's
+entire configuration in a version control system.
+
+Changing `kustomize build` configuration output as a result
+of additional arguments or flags to `build`, or by
+consulting shell environment variable values in `build`
+code, would violate that goal.
+
+`kustomize` insteads offers [kustomization] file `edit`
+commands.  Like any shell command, they can accept
+environment variable arguments.
+
+For example, to set the tag used on an image to match an
+environment variable, run
+
+```
+kustomize edit set imagetag nginx:$MY_NGINX_VERSION
+```
+
+as part of some encapsulating work flow executed before
+`kustomize build`.
+
+
+## Globs in kustomization files
+
+`kustomize` supports the best practice of storing one's
+entire configuration in a version control system.
+
+Globbing the local file system for files not explicitly
+declared in the [kustomization] file at `kustomize build` time
+would violate that goal.
+
+Allowing globbing in a kustomization file would also introduce
+the same problems as allowing globbing in [java import]
+declarations or BUILD/Makefile dependency rules.
+
+`kustomize` will instead provide kustomization file editting
+commands that accept globbed arguments, expand them at _edit
+time_ relative to the local file system, and store the resulting
+explicit names into the kustomization file.
+
+In this way the resources, patches and bases used at _build time_
+remain explicitly declared in version control.
+
+
+[DAM]: glossary.md#declarative-application-management
+[base]: glossary.md#base
+[kustomization]: glossary.md#kustomization
+[OTS workflow]: workflows.md#off-the-shelf-configuration
+[java import]: https://www.codebyamir.com/blog/pitfalls-java-import-wildcards
--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -1,7 +1,10 @@
 # Glossary
-
+[CRD spec]: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+[CRD]: #custom-resource-definition
 [DAM]: #declarative-application-management
+[Declarative Application Management]: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/declarative-application-management.md
 [JSON]: https://www.json.org/
+[JSONPatch]: https://tools.ietf.org/html/rfc6902
 [Resource]: #resource
 [YAML]: http://www.yaml.org/start.html
 [application]: #application
@@ -15,16 +18,20 @@
 [kubernetes]: #kubernetes
 [kustomize]: #kustomize
 [kustomization]: #kustomization
-[off-the-shelf]: #off-the-shelf
+[off-the-shelf]: #off-the-shelf-configuration
 [overlay]: #overlay
 [overlays]: #overlay
 [patch]: #patch
 [patches]: #patch
+[patchJson6902]: #patchjson6902
+[patchExampleJson6902]: https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md
+[patchesJson6902]: #patchjson6902
 [proposal]: https://github.com/kubernetes/community/pull/1629
 [rebase]: https://git-scm.com/docs/git-rebase
 [resource]: #resource
 [resources]: #resource
 [rpm]: https://en.wikipedia.org/wiki/Rpm_(software)
+[strategic-merge]: https://github.com/kubernetes/community/blob/master/contributors/devel/strategic-merge-patch.md
 [target]: #target
 [variant]: #variant
 [variants]: #variant
@@ -92,22 +99,37 @@ simpler than the workflow associated with an
 periodically capturing someone else's upgrades to the
 [off-the-shelf] config.

+## custom resource definition
+
+One can extend the k8s API by making a
+Custom Resource Definition ([CRD spec]).
+
+This defines a custom [resource] (CD), an entirely
+new resource that can be used alongside _native_
+resources like ConfigMaps, Deployments, etc.
+
+Kustomize can customize a CD, but to do so
+kustomize must also be given the corresponding CRD
+so that it can interpret the structure correctly.
+
 ## declarative application management

-_Declarative Application Management_ (DAM) is a [set of
-ideas](https://goo.gl/T66ZcD) aiming to ease management
-of k8s clusters.
+Kustomize aspires to support [Declarative Application Management],
+a set of best practices around managing k8s clusters.

- * Works with any configuration, be it bespoke,
+In brief, kustomize should
+
+ * Work with any configuration, be it bespoke,
   off-the-shelf, stateless, stateful, etc.
- * Supports common customizations, and creation of
-   [variants] (dev vs. staging vs. production).
- * Exposes and teaches native k8s APIs, rather than
-   hiding them.
- * No friction integration with version control to
+ * Support common customizations, and creation of
+   [variants] (e.g. _development_ vs.
+   _staging_ vs. _production_).
+ * Expose and teach native k8s APIs, rather than
+   hide them.
+ * Add no friction to version control integration to
   support reviews and audit trails.
- * Composable with other tools in a unix sense.
- * Eschews crossing the line into templating, domain
+ * Compose with other tools in a unix sense.
+ * Eschew crossing the line into templating, domain
   specific languages, etc., frustrating the other
   goals.

@@ -127,18 +149,23 @@ Here's an [example](kustomization.yaml).

 A kustomization contains fields falling into these categories:

- * Immediate customization declarations, e.g.
-   _namePrefix_, _commonLabels_, etc.
- * Resource _generators_ for configmaps and secrets.
- * References to _external files_ in these categories:
+ * _Customization operators_ for modifying operands, e.g.
+   _namePrefix_, _commonLabels_, _patches_, etc.
+
+ * _Customization operands_:
   * [resources] - completely specified k8s API objects,
      e.g. `deployment.yaml`, `configmap.yaml`, etc.
-   * [patches] - _partial_ resources that modify full
-     resources defined in a [base]
-     (only meaningful in an [overlay]).
-   * [bases] - path to a directory containing
-     a [kustomization] (only meaningful in an [overlay]).
- * (_TBD_) Standard k8s API kind-version fields.
+   * [bases] - paths or github URLs specifying directories
+     containing a [kustomization].  These bases may
+     be subjected to more customization, or merely
+     included in the output.
+   * [CRD]s - custom resource definition files, to allow use
+     of _custom_ resources in the _resources_ list.
+     Not an actual operand - but allows the use of new operands.
+
+ * Generators, for creating more resources
+   (configmaps and secrets) which can then be
+   customized.

 ## kubernetes

@@ -242,36 +269,68 @@ management tool in the tradition of, say, [apt] or

 ## patch

-A _patch_ is a partially defined k8s resource with a
-name that must match a resource already known per
-traversal rules built into [kustomize].
+General instructions to modify a resource.

-_Patch_ is a field in the kustomization, distinct from
-resources, because a patch file looks like a resource
-file, but has different semantics.  A patch depends on
-(modifies) a resource, whereas a resource has no
-dependencies.  Since any resource file can be used as a
-patch, one cannot reliably distinguish a resource from
-a patch just by looking at the file's [YAML].
+There are two alternative techniques with similar
+power but different notation - the
+[strategic merge patch](#patchstrategicmerge)
+and the [JSON patch](#patchjson6902).
+
+## patchStrategicMerge
+
+A _patchStrategicMerge_ is [strategic-merge]-style patch (SMP).
+
+An SMP looks like an incomplete YAML specification of
+a k8s resource.  The SMP includes `TypeMeta`
+fields to establish the group/version/kind/name of the
+[resource] to patch, then just enough remaining fields
+to step into a nested structure to specify a new field
+value, e.g. an image tag.
+
+By default, an SMP _replaces_ values.  This
+usually desired when the target value is a simple
+string, but may not be desired when the target 
+value is a list.
+
+To change this 
+default behavior, add a _directive_.  Recognized 
+directives include _replace_ (the default), _merge_
+(avoid replacing a list), _delete_ and a few more
+(see [these notes][strategic-merge]).
+
+Fun fact - any resource file can be used as
+an SMP, overwriting matching fields in another
+resource with the same group/version/kind/name,
+but leaving all other fields as they were.
+
+TODO(monopole): add ptr to example.
+
+## patchJson6902
+
+A _patchJson6902_ refers to a kubernetes [resource] and
+a [JSONPatch] specifying how to change the resource.
+
+A _patchJson6902_ can do almost everything a
+_patchStrategicMerge_ can do, but with a briefer
+syntax.  See this [example][patchExampleJson6902].

 ## resource

-A _resource_, in the context of kustomize, is a path to
-a [YAML] or [JSON] file that completely defines a
-functional k8s API object, like a deployment or a
-configmap.
+A _resource_ in the context of a REST-ful API is the
+target object of an HTTP operation like _GET_, _PUT_ or
+_POST_.  k8s offers a REST-ful API surface to interact
+with clients.
+
+A _resource_, in the context of kustomization file,
+is a path to a [YAML] or [JSON] file describing
+a k8s API object, like a Deployment or a
+ConfigmMap.

 More generally, a resource can be any correct YAML file
 that [defines an object](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields)
 with a _kind_ and a _metadata/name_ field.


-A _resource_ in the content of a REST-ful API is the
-target of an HTTP operation like _GET_, _PUT_ or
-_POST_.  k8s offers a RESTful API surface to interact
-with clients.
-
-
 ## sub-target / sub-application / sub-package

 A _sub-whatever_ is not a thing. There are only
@@ -285,7 +344,7 @@ The _target_ is the argument to `kustomize build`, e.g.:
 >  kustomize build $target
 > ```

-`$target` must be a path to a directory that
+`$target` must be a path or a url to a directory that
 immediately contains a [kustomization].

 The target contains, or refers to, all the information
--- a/docs/kustomization.yaml
+++ b/docs/kustomization.yaml
@@ -63,13 +63,18 @@ resources:

 # Each entry in this list results in the creation of
 # one ConfigMap resource (it's a generator of n maps).
-# The example below creates a ConfigMap with the
-# names and contents of the given files.
+# The example below creates two ConfigMaps. One with the
+# names and contents of the given files, the other with
+# key/value as data.
 configMapGenerator:
 - name: myJavaServerProps
  files:
  - application.properties
  - more.properties
+- name: myJavaServerEnvVars
+  literals:	
+  - JAVA_HOME=/opt/java/jdk
+  - JAVA_TOOL_OPTIONS=-agentlib:hprof

 # Each entry in this list results in the creation of
 # one Secret resource (it's a generator of n secrets).
@@ -82,11 +87,30 @@ secretGenerator:
    tls.crt: "cat secret/tls.cert"
    tls.key: "cat secret/tls.key"
  type: "kubernetes.io/tls"
+- name: downloaded_secret
+  # timeoutSeconds specifies the number of seconds to
+  # wait for the commands below. It defaults to 5 seconds.
+  timeoutSeconds: 30
+  commands:
+    username: "curl -s https://path/to/secrets/username.yaml"
+    password: "curl -s https://path/to/secrets/password.yaml"
+  type: Opaque
+- name: env_file_secret
+  # envCommand is similar to command but outputs lines of key=val pairs
+  # i.e. a Docker .env file or a .ini file.
+  # you can only specify one envCommand per secret.
+  envCommand: printf \"DB_USERNAME=admin\nDB_PASSWORD=somepw\"
+  type: Opaque

 # Each entry in this list should resolve to a directory
 # containing a kustomization file, else the
 # customization fails.
 #
+# The entry could be a relative path pointing to a local directory
+# or a url pointing to a directory in a remote repo.
+# The url should follow hashicorp/go-getter URL format
+# https://github.com/hashicorp/go-getter#url-format
+#
 # The presence of this field means this file (the file
 # you a reading) is an _overlay_ that further
 # customizes information coming from these _bases_.
@@ -97,6 +121,9 @@ secretGenerator:
 # etc. that differ from the common base).
 bases:
 - ../../base
+- github.com/kubernetes-sigs/kustomize//examples/multibases?ref=v1.0.6
+- github.com/Liujingfang1/mysql
+- github.com/Liujingfang1/kustomize//examples/helloWorld?ref=test-branch

 # Each entry in this list should resolve to
 # a partial or complete resource definition file.
@@ -115,3 +142,122 @@ patches:
 - service_port_8888.yaml
 - deployment_increase_replicas.yaml
 - deployment_increase_memory.yaml
+
+# Each entry in this list should resolve to
+# a kubernetes object and a JSON patch that will be applied
+# to the object.
+# The JSON patch is documented at https://tools.ietf.org/html/rfc6902
+#
+# target field points to a kubernetes object within the same kustomization
+# by the object's group, version, kind, name and namespace.
+# path field is a relative file path of a JSON patch file.
+# The content in this patch file can be either in JSON format as
+#
+#  [
+#    {"op": "add", "path": "/some/new/path", "value": "value"},
+#    {"op": "replace", "path": "/some/existing/path", "value": "new value"}
+#  ]
+#
+# or in YAML format as
+#
+# - op: add
+#   path: /some/new/path
+#   value: value
+# - op:replace
+#   path: /some/existing/path
+#   value: new value
+#
+patchesJson6902:
+- target:
+    version: v1
+    kind: Deployment
+    name: my-deployment
+  path: add_init_container.yaml
+- target:
+    version: v1
+    kind: Service
+    name: my-service
+  path: add_service_annotation.yaml
+
+# Each entry in this list should be a relative path to
+# a file for custom resource definition(CRD).
+#
+# The presence of this field is to allow kustomize be
+# aware of CRDs and apply proper
+# transformation for any objects in those types.
+#
+# Typical use case: A CRD object refers to a ConfigMap object.
+# In kustomization, the ConfigMap object name may change by adding namePrefix or hashing
+# The name reference for this ConfigMap object in CRD object need to be
+# updated with namePrefix or hashing in the same way.
+crds:
+- crds/typeA.yaml
+- crds/typeB.yaml
+
+# Vars are used to insert values from resources that cannot be referenced
+# otherwise. For example if you need to pass a Service's name to the arguments
+# or environment variables of a program but without hard coding the actual name
+# of the Service you'd insert `$(MY_SERVICE_NAME)` into the value field of the
+# env var or into the command or args of the container as shown here:
+# ```
+#   containers:
+#     - image: myimage
+#       command: ["start", "--host", "$(MY_SERVICE_NAME)"]
+#       env:
+#         - name: SECRET_TOKEN
+#           value: $(SOME_SECRET_NAME)
+# ```
+#
+# Then you'll add an entry to `vars:` like shown below with the same name
+# and a reference to the resource from which to pull the field's value.
+# The actual field's path is optional and by default it will use
+# `metadata.name`. Currently only string type fields are supported, no integers
+# or booleans, etc. Also array access is currently not possible. For example getting
+# the image field of container number 2 inside of a pod can currently not be done.
+#
+# Not every location of a variable is supported. To see a complete list of locations
+# see the file [refvars.go](https://github.com/kubernetes-sigs/kustomize/blob/master/pkg/transformers/refvars.go#L20).
+#
+# An example of a situation where you'd not use vars is when you'd like to set a
+# pod's `serviceAccountName`. In that case you would just reference the ServiceAccount
+# by name and Kustomize will resolve it to the eventual name while building the manifests.
+vars:
+  - name: SOME_SECRET_NAME
+    objref:
+      kind: Secret
+      name: my-secret
+      apiVersion: v1
+  - name: MY_SERVICE_NAME
+    objref:
+      kind: Service
+      name: my-service
+      apiVersion: v1
+    fieldref:
+      fieldpath: metadata.name
+  - name: ANOTHER_DEPLOYMENTS_POD_RESTART_POLICY
+    objref:
+      kind: Deployment
+      name: my-deployment
+      apiVersion: apps/v1
+    fieldref:
+      fieldpath: spec.template.spec.restartPolicy
+
+# ImageTags modify the tags for images without creating patches.
+# E.g. Given this fragment of a Deployment:
+# ```
+#  containers:
+#    - name: myapp
+#      image: mycontainerregistry/myimage:v0
+#    - name: nginxapp
+#      image: nginx:1.7.9
+#```
+# one can change the tag of myimage to v1 and the tag of nginx to 1.8.0 with the following:
+#
+# It also supports digests. If digest is present newTag is ignored.
+imageTags:
+  - name: mycontainerregistry/myimage
+    newTag: v1
+  - name: nginx
+    newTag: 1.8.0
+  - name: alpine
+    digest: sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
--- a/docs/workflows.md
+++ b/docs/workflows.md
@@ -1,11 +1,11 @@
-[OTS]: glossary.md#off-the-shelf
+[OTS]: glossary.md#off-the-shelf-configuration
 [apply]: glossary.md#apply
 [applying]: glossary.md#apply
 [base]: glossary.md#base
 [fork]: https://guides.github.com/activities/forking/
 [variants]: glossary.md#variant
 [kustomization]: glossary.md#kustomization
-[off-the-shelf]: glossary.md#off-the-shelf
+[off-the-shelf]: glossary.md#off-the-shelf-configuration
 [overlays]: glossary.md#overlay
 [patch]: glossary.md#patch
 [patches]: glossary.md#patch
@@ -21,14 +21,17 @@ use and maintain a configuration.

 ## Bespoke configuration

-In this workflow, all configuration files are owned by
-the user.  No content is incorporated from version
+In this workflow, all configuration (resource YAML) files
+are owned by the user.  No content is incorporated from version
 control repositories owned by others.

 ![bespoke config workflow image][workflowBespoke]

 #### 1) create a directory in version control

+Speculate some overall cluster application called _ldap_;
+we want to keep its configuration in its own repo.
+
 > ```
 > git init ~/ldap
 > ```
--- a/examples/README.md
+++ b/examples/README.md
@@ -7,7 +7,7 @@ tests, and should work with HEAD

 <!-- @installkustomize @test -->
 ```
-go get github.com/kubernetes-sigs/kustomize
+go get sigs.k8s.io/kustomize
 ```

 * [hello world](helloWorld/README.md) - Deploy multiple
@@ -23,11 +23,25 @@ go get github.com/kubernetes-sigs/kustomize
 * [springboot](springboot/README.md) - Create a Spring Boot
   application production configuration from scratch.

- * [configGeneration](configGeneration.md) -
+ * [combineConfigs](combineConfigs.md) -
   Mixing configuration data from different owners
   (e.g. devops/SRE and developers).
+   
+ * [configGenerations](configGeneration.md) -
+   Rolling update when ConfigMapGenerator changes

 * [breakfast](breakfast.md) - Customize breakfast for
   Alice and Bob.
   
 * [container args](wordpress/README.md) - Injecting k8s runtime data into container arguments (e.g. to point wordpress to a SQL service).
+ 
+ * [image tags](imageTags.md) - Updating image tags without applying a patch.
+
+ * [multibases](multibases/README.md) - Composing three variants (dev, staging, production) with a common base.
+
+ * [remote target](remoteBuild.md) - Building a kustomization from a github URL
+ 
+ * [json patch](jsonpatch.md) - Apply a json patch in a kustomization
+ 
+ * [transformer configs](transformerconfigs/README.md) - Customize transformer configurations
+ 
--- a/examples/breakfast.md
+++ b/examples/breakfast.md
@@ -73,7 +73,7 @@ commonLabels:
  who: alice
 bases:
 - ../../base
-patches:
+patchesStrategicMerge:
 - temperature.yaml
 EOF

@@ -96,7 +96,7 @@ commonLabels:
  who: bob
 bases:
 - ../../base
-patches:
+patchesStrategicMerge:
 - topping.yaml
 EOF

--- a/examples/combineConfigs.md
+++ b/examples/combineConfigs.md
@@ -0,0 +1,298 @@
+[overlay]: ../docs/glossary.md#overlay
+[target]: ../docs/glossary.md#target
+
+# Demo: combining config data from devops and developers
+
+Scenario: you have a Java-based server storefront in
+production that various internal development teams
+(signups, checkout, search, etc.) contribute to.
+
+The server runs in different environments:
+_development_, _testing_, _staging_ and _production_,
+accepting configuration parameters from java property
+files.
+
+Using one big properties file for each environment is
+difficult to manage.  The files change frequently, and
+have to be changed by devops exclusively because
+
+  1. the files must at least partially agree on certain
+     values that devops cares about and that developers
+     ignore and
+  1. because the production
+     properties contain sensitive data like production
+     database credentials.
+
+## Property sharding
+
+With some study, we notice that the properties are
+separable into categories.
+
+### Common properties
+
+E.g. internationalization data, static data like
+physical constants, location of external services, etc.
+
+_Things that are the same regardless of environment._
+
+Only one set of values is needed.
+
+Place them in a file called
+
+ * `common.properties`
+
+(relative location defined below).
+
+### Plumbing properties
+
+E.g. serving location of static content (HTML, CSS,
+javascript), location of product and customer database
+tables, ports expected by load balancers, log sinks,
+etc.
+
+_The different values for these properties are
+precisely what sets the environments apart._
+
+Devops or SRE will want full control over the values
+used in production.  Testing will have fixed
+databases supporting testing.  Developers will want
+to do whatever they want to try scenarios under
+development.
+
+Places these values in
+
+ * `development/plumbing.properties`
+ * `staging/plumbing.properties`
+ * `production/plumbing.properties`
+
+
+### Secret properties
+
+E.g. location of actual user tables, database
+credentials, decryption keys, etc.
+
+_Things that are a subset of devops controls, that
+nobody else has (or should want) access to._
+
+Places these values in
+
+ * `development/secret.properties`
+ * `staging/secret.properties`
+ * `production/secret.properties`
+
+[kubernetes secret]: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
+
+and control access to them with (for example) unix file
+owner and mode bits, or better yet, put them in
+a server dedicated to storing password protected
+secrets, and use a field called  `secretGenerator`
+in your _kustomization_ to create a kubernetes
+secret holding them (not covering that here).
+
+<!--
+secretGenerator:
+- name: app-tls
+  commands:
+    tls.crt: "cat tls.cert"
+    tls.key: "cat tls.key"
+  type: "kubernetes.io/tls"
+EOF
+-->
+
+## A mixin approach to management
+
+The way to create _n_ cluster environments that share
+some common information is to create _n_ overlays of a
+common base.
+
+For the rest of this example, we'll do _n==2_, just
+_development_ and _production_, since adding more
+environments follows the same pattern.
+
+A cluster environment is created by
+running `kustomize build` on a [target] that happens to
+be an [overlay].
+
+[helloworld]: helloWorld/README.md
+
+The following example will do that, but will focus on
+configMap construction, and not worry about how to
+connect the configMaps to deployments (that is covered
+in the [helloworld] example).
+
+
+All files - including the shared property files
+discussed above - will be created in a directory tree
+that is consistent with the base vs overlay file layout
+defined in the [helloworld] demo.
+
+It will all live in this work directory:
+
+<!-- @makeWorkplace @test -->
+```
+DEMO_HOME=$(mktemp -d)
+```
+
+### Create the base
+
+<!-- kubectl create configmap BOB --dry-run -o yaml --from-file db. -->
+
+Make a place to put the base configuration:
+
+<!-- @baseDir @test -->
+```
+mkdir -p $DEMO_HOME/base
+```
+
+Make the data for the base.  This direction by
+definition should hold resources common to all
+environments. Here we're only defining a java
+properties file, and a `kustomization` file that
+references it.
+
+<!-- @baseKustomization @test -->
+```
+cat <<EOF >$DEMO_HOME/base/common.properties
+color=blue
+height=10m
+EOF
+
+cat <<EOF >$DEMO_HOME/base/kustomization.yaml
+configMapGenerator:
+- name: my-configmap
+  files:
+  - common.properties
+EOF
+```
+
+
+### Create and use the overlay for _development_
+
+Make an abbreviation for the parent of the overlay
+directories:
+
+<!-- @overlays @test -->
+```
+OVERLAYS=$DEMO_HOME/overlays
+```
+
+Create the files that define the _development_ overlay:
+
+<!-- @developmentFiles @test -->
+```
+mkdir -p $OVERLAYS/development
+
+cat <<EOF >$OVERLAYS/development/plumbing.properties
+port=30000
+EOF
+
+cat <<EOF >$OVERLAYS/development/secret.properties
+dbpassword=mothersMaidenName
+EOF
+
+cat <<EOF >$OVERLAYS/development/kustomization.yaml
+bases:
+- ../../base
+namePrefix: dev-
+configMapGenerator:
+- name: my-configmap
+  behavior: merge
+  files:
+  - plumbing.properties
+  - secret.properties
+EOF
+```
+
+One can now generate the configMaps for development:
+
+<!-- @runDev @test -->
+```
+kustomize build $OVERLAYS/development
+```
+
+#### Check the ConfigMap name
+
+The name of the generated `ConfigMap` is visible in this
+output.
+
+The name should be something like `dev-my-configmap-b5m75ck895`:
+
+ * `"dev-"` comes from the `namePrefix` field,
+ * `"my-configmap"` comes from the `configMapGenerator/name` field,
+ * `"-b5m75ck895"` comes from a deterministic hash that `kustomize`
+    computes from the contents of the configMap.
+
+The hash suffix is critical.  If the configMap content
+changes, so does the configMap name, along with all
+references to that name that appear in the YAML output
+from `kustomize`.
+
+The name change means deployments will do a rolling
+restart to get new data if this YAML is applied to the
+cluster using a command like
+
+> ```
+> kustomize build $OVERLAYS/development | kubectl apply -f -
+> ```
+
+A deployment has no means to automatically know when or
+if a configMap in use by the deployment changes.
+
+If one changes a configMap without changing its name
+and all references to that name, one must imperatively
+restart the cluster to pick up the change.
+
+The best practice is to treat configMaps as immutable.
+
+Instead of editing configMaps, modify your declarative
+specification of the cluster's desired state to
+point deployments to _new_ configMaps with _new_ names.
+`kustomize` makes this easy with its
+`configMapGenerator` directive and associated naming
+controls.  A GC process in the k8s master eventually
+deletes unused configMaps.
+
+
+### Create and use the overlay for _production_
+
+Next, create the files for the _production_ overlay:
+
+
+<!-- @productionFiles @test -->
+```
+mkdir -p $OVERLAYS/production
+
+cat <<EOF >$OVERLAYS/production/plumbing.properties
+port=8080
+EOF
+
+cat <<EOF >$OVERLAYS/production/secret.properties
+dbpassword=thisShouldProbablyBeInASecretInstead
+EOF
+
+cat <<EOF >$OVERLAYS/production/kustomization.yaml
+bases:
+- ../../base
+namePrefix: prod-
+configMapGenerator:
+- name: my-configmap
+  behavior: merge
+  files:
+  - plumbing.properties
+  - secret.properties
+EOF
+```
+
+One can now generate the configMaps for production:
+
+<!-- @runProd @test -->
+```
+kustomize build $OVERLAYS/production
+```
+
+A CICD process could apply this directly to
+the cluser using:
+
+> ```
+> kustomize build $OVERLAYS/production | kubectl apply -f -
+> ```
--- a/examples/configGeneration.md
+++ b/examples/configGeneration.md
@@ -1,298 +1,208 @@
-[overlay]: ../docs/glossary.md#overlay
-[target]: ../docs/glossary.md#target
+[patch]: ../docs/glossary.md#patch
+[resource]: ../docs/glossary.md#resource
+[variant]: ../docs/glossary.md#variant

-# Demo: combining config data from devops and developers
+## ConfigMap generation and rolling updates

-Scenario: you have a Java-based server storefront in
-production that various internal development teams
-(signups, checkout, search, etc.) contribute to.
+Kustomize provides two ways of adding ConfigMap in one `kustomization`, either by declaring ConfigMap as a [resource] or declaring ConfigMap from a ConfigMapGenerator. The formats inside `kustomization.yaml` are 

-The server runs in different environments:
-_development_, _testing_, _staging_ and _production_,
-accepting configuration parameters from java property
-files.
+> ```
+> # declare ConfigMap as a resource
+> resources:
+> - configmap.yaml
+> 
+> # declare ConfigMap from a ConfigMapGenerator
+> configMapGenerator:
+> - name: a-configmap
+>   files:
+>     - configs/configfile
+>     - configs/another_configfile
+> ```

-Using one big properties file for each environment is
-difficult to manage.  The files change frequently, and
-have to be changed by devops exclusively because
+The ConfigMaps declared as [resource] are treated the same way as other resources. Kustomize doesn't append any hash to the ConfigMap name. The ConfigMap declared from a ConfigMapGenerator is treated differently. A hash is appended to the name and any change in the ConfigMap will trigger a rolling update.

-  1. the files must at least partially agree on certain
-     values that devops cares about and that developers
-     ignore and
-  1. because the production
-     properties contain sensitive data like production
-     database credentials.
+In this demo, the same [hello_world](helloWorld/README.md) is used while the ConfigMap declared as [resources] is replaced by a ConfigMap declared from a ConfigmapGenerator. The change in this ConfigMap will result in a hash change and a rolling update.

-## Property sharding
+### Establish base and staging

-With some study, we notice that the properties are
-separable into categories.
-
-### Common properties
-
-E.g. internationalization data, static data like
-physical constants, location of external services, etc.
-
-_Things that are the same regardless of environment._
-
-Only one set of values is needed.
-
-Place them in a file called
-
- * `common.properties`
-
-(relative location defined below).
-
-### Plumbing properties
-
-E.g. serving location of static content (HTML, CSS,
-javascript), location of product and customer database
-tables, ports expected by load balancers, log sinks,
-etc.
-
-_The different values for these properties are
-precisely what sets the environments apart._
-
-Devops or SRE will want full control over the values
-used in production.  Testing will have fixed
-databases supporting testing.  Developers will want
-to do whatever they want to try scenarios under
-development.
-
-Places these values in
-
- * `development/plumbing.properties`
- * `staging/plumbing.properties`
- * `production/plumbing.properties`
-
-
-### Secret properties
-
-E.g. location of actual user tables, database
-credentials, decryption keys, etc.
-
-_Things that are a subset of devops controls, that
-nobody else has (or should want) access to._
-
-Places these values in
-
- * `development/secret.properties`
- * `staging/secret.properties`
- * `production/secret.properties`
-
-[kubernetes secret]: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/
-
-and control access to them with (for example) unix file
-owner and mode bits, or better yet, put them in
-a server dedicated to storing password protected
-secrets, and use a field called  `secretGenerator`
-in your _kustomization_ to create a kubernetes
-secret holding them (not covering that here).
-
-<!--
-secretGenerator:
- name: app-tls
-  commands:
-    tls.crt: "cat tls.cert"
-    tls.key: "cat tls.key"
-  type: "kubernetes.io/tls"
-EOF
-->
-
-## A mixin approach to management
-
-The way to create _n_ cluster environments that share
-some common information is to create _n_ overlays of a
-common base.
-
-For the rest of this example, we'll do _n==2_, just
-_development_ and _production_, since adding more
-environments follows the same pattern.
-
-A cluster environment is created by
-running `kustomize build` on a [target] that happens to
-be an [overlay].
-
-[helloworld]: helloworld.md
-
-The following example will do that, but will focus on
-configMap construction, and not worry about how to
-connect the configMaps to deployments (that is covered
-in the [helloworld] example).
-
-
-All files - including the shared property files
-discussed above - will be created in a directory tree
-that is consistent with the base vs overlay file layout
-defined in the [helloworld] demo.
-
-It will all live in this work directory:
-
-<!-- @makeWorkplace @test -->
+Establish the base with a configMapGenerator
+<!-- @establishBase @test -->
 ```
 DEMO_HOME=$(mktemp -d)
-```

-### Create the base
+BASE=$DEMO_HOME/base
+mkdir -p $BASE

-<!-- kubectl create configmap BOB --dry-run -o yaml --from-file db. -->
+curl -s -o "$BASE/#1.yaml" "https://raw.githubusercontent.com\
+/kubernetes-sigs/kustomize\
+/master/examples/helloWorld\
+/{deployment,service}.yaml"

-Make a place to put the base configuration:
-
-<!-- @baseDir @test -->
-```
-mkdir -p $DEMO_HOME/base
-```
-
-Make the data for the base.  This direction by
-definition should hold resources common to all
-environments. Here we're only defining a java
-properties file, and a `kustomization` file that
-references it.
-
-<!-- @baseKustomization @test -->
-```
-cat <<EOF >$DEMO_HOME/base/common.properties
-color=blue
-height=10m
-EOF
-
-cat <<EOF >$DEMO_HOME/base/kustomization.yaml
-configMapGenerator:
- name: my-configmap
-  files:
-  - common.properties
+cat <<'EOF' >$BASE/kustomization.yaml
+commonLabels:
+  app: hello
+resources:
+- deployment.yaml
+- service.yaml
+configMapGenerator:	
+- name: the-map	
+  literals:	
+    - altGreeting=Good Morning!	
+    - enableRisky="false"
 EOF
 ```

-
-### Create and use the overlay for _development_
-
-Make an abbreviation for the parent of the overlay
-directories:
-
-<!-- @overlays @test -->
+Establish the staging with a patch applied to the ConfigMap
+<!-- @establishStaging @test -->
 ```
 OVERLAYS=$DEMO_HOME/overlays
-```
+mkdir -p $OVERLAYS/staging

-Create the files that define the _development_ overlay:
-
-<!-- @developmentFiles @test -->
-```
-mkdir -p $OVERLAYS/development
-
-cat <<EOF >$OVERLAYS/development/plumbing.properties
-port=30000
-EOF
-
-cat <<EOF >$OVERLAYS/development/secret.properties
-dbpassword=mothersMaidenName
-EOF
-
-cat <<EOF >$OVERLAYS/development/kustomization.yaml
+cat <<'EOF' >$OVERLAYS/staging/kustomization.yaml
+namePrefix: staging-
+commonLabels:
+  variant: staging
+  org: acmeCorporation
+commonAnnotations:
+  note: Hello, I am staging!
 bases:
 - ../../base
-namePrefix: dev-
-configMapGenerator:
- name: my-configmap
-  behavior: merge
-  files:
-  - plumbing.properties
-  - secret.properties
+patchesStrategicMerge:
+- map.yaml
+EOF
+
+cat <<EOF >$OVERLAYS/staging/map.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: the-map
+data:
+  altGreeting: "Have a pineapple!"
+  enableRisky: "true"
 EOF
 ```

-One can now generate the configMaps for development:
+### Review

-<!-- @runDev @test -->
+The _hello-world_ deployment running in this cluster is
+configured with data from a configMap.
+
+The deployment refers to this map by name:
+
+
+<!-- @showDeployment @test -->
 ```
-kustomize build $OVERLAYS/development
+grep -C 2 configMapKeyRef $BASE/deployment.yaml
 ```

-#### Check the ConfigMap name
+Changing the data held by a live configMap in a cluster
+is considered bad practice. Deployments have no means
+to know that the configMaps they refer to have
+changed, so such updates have no effect.

-The name of the generated `ConfigMap` is visible in this
-output.
+The recommended way to change a deployment's
+configuration is to

-The name should be something like `dev-my-configmap-b5m75ck895`:
+ 1. create a new configMap with a new name,
+ 1. patch the _deployment_, modifying the name value of
+    the appropriate `configMapKeyRef` field.

- * `"dev-"` comes from the `namePrefix` field,
- * `"my-configmap"` comes from the `configMapGenerator/name` field,
- * `"-b5m75ck895"` comes from a deterministic hash that `kustomize`
-    computes from the contents of the configMap.
+This latter change initiates rolling update to the pods
+in the deployment.  The older configMap, when no longer
+referenced by any other resource, is eventually [garbage
+collected](https://github.com/kubernetes-sigs/kustomize/issues/242).

-The hash suffix is critical.  If the configMap content
-changes, so does the configMap name, along with all
-references to that name that appear in the YAML output
-from `kustomize`.
+### How this works with kustomize

-The name change means deployments will do a rolling
-restart to get new data if this YAML is applied to the
-cluster using a command like
+The _staging_ [variant] here has a configMap [patch]:

-> ```
-> kustomize build $OVERLAYS/development | kubectl apply -f -
-> ```
-
-A deployment has no means to automatically know when or
-if a configMap in use by the deployment changes.
-
-If one changes a configMap without changing its name
-and all references to that name, one must imperatively
-restart the cluster to pick up the change.
-
-The best practice is to treat configMaps as immutable.
-
-Instead of editing configMaps, modify your declarative
-specification of the cluster's desired state to
-point deployments to _new_ configMaps with _new_ names.
-`kustomize` makes this easy with its
-`configMapGenerator` directive and associated naming
-controls.  A GC process in the k8s master eventually
-deletes unused configMaps.
-
-
-### Create and use the overlay for _production_
-
-Next, create the files for the _production_ overlay:
-
-
-<!-- @productionFiles @test -->
+<!-- @showMapPatch @test -->
 ```
-mkdir -p $OVERLAYS/production
-
-cat <<EOF >$OVERLAYS/production/plumbing.properties
-port=8080
-EOF
-
-cat <<EOF >$OVERLAYS/production/secret.properties
-dbpassword=thisShouldProbablyBeInASecretInstead
-EOF
-
-cat <<EOF >$OVERLAYS/production/kustomization.yaml
-bases:
- ../../base
-namePrefix: prod-
-configMapGenerator:
- name: my-configmap
-  behavior: merge
-  files:
-  - plumbing.properties
-  - secret.properties
-EOF
+cat $OVERLAYS/staging/map.yaml
 ```

-One can now generate the configMaps for production:
+This patch is by definition a named but not necessarily
+complete resource spec intended to modify a complete
+resource spec.

-<!-- @runProd @test -->
+The ConfigMap it modifies is declared from a configMapGenerator.
+
+<!-- @showMapBase @test -->
 ```
-kustomize build $OVERLAYS/production
+grep -C 4 configMapGenerator $BASE/kustomization.yaml
 ```

-A CICD process could apply this directly to
-the cluser using:
+For a patch to work, the names in the `metadata/name`
+fields must match.

-> ```
-> kustomize build $OVERLAYS/production | kubectl apply -f -
-> ```
+However, the name values specified in the file are
+_not_ what gets used in the cluster.  By design,
+kustomize modifies names of ConfigMaps declared from ConfigMapGenerator.  To see the names
+ultimately used in the cluster, just run kustomize:
+
+<!-- @grepStagingName @test -->
+```
+kustomize build $OVERLAYS/staging |\
+    grep -B 8 -A 1 staging-the-map
+```
+
+The configMap name is prefixed by _staging-_, per the
+`namePrefix` field in
+`$OVERLAYS/staging/kustomization.yaml`.
+
+The suffix to the configMap name is generated from a
+hash of the maps content - in this case the name suffix
+is _hhhhkfmgmk_:
+
+<!-- @grepStagingHash @test -->
+```
+kustomize build $OVERLAYS/staging | grep hhhhkfmgmk
+```
+
+Now modify the map patch, to change the greeting
+the server will use:
+
+<!-- @changeMap @test -->
+```
+sed -i.bak 's/pineapple/kiwi/' $OVERLAYS/staging/map.yaml
+```
+
+See the new greeting:
+
+```
+kustomize build $OVERLAYS/staging |\
+  grep -B 2 -A 3 kiwi
+```
+
+Run kustomize again to see the new configMap names:
+
+<!-- @grepStagingName @test -->
+```
+kustomize build $OVERLAYS/staging |\
+    grep -B 8 -A 1 staging-the-map
+```
+
+Confirm that the change in configMap content resulted
+in three new names ending in _khk45ktkd9_ - one in the
+configMap name itself, and two in the deployment that
+uses the map:
+
+<!-- @countHashes @test -->
+```
+test 3 == \
+  $(kustomize build $OVERLAYS/staging | grep khk45ktkd9 | wc -l); \
+  echo $?
+```
+
+Applying these resources to the cluster will result in
+a rolling update of the deployments pods, retargetting
+them from the _hhhhkfmgmk_ maps to the _khk45ktkd9_
+maps.  The system will later garbage collect the
+unused maps.
+
+## Rollback
+
+To rollback, one would undo whatever edits were made to
+the configuation in source control, then rerun kustomize
+on the reverted configuration and apply it to the
+cluster.
--- a/examples/helloWorld/README.md
+++ b/examples/helloWorld/README.md
@@ -108,7 +108,7 @@ label_ applied to all resources:

 <!-- @addLabel @test -->
 ```
-sed -i 's/app: hello/app: my-hello/' \
+sed -i.bak 's/app: hello/app: my-hello/' \
    $BASE/kustomization.yaml
 ```

@@ -150,7 +150,7 @@ commonAnnotations:
  note: Hello, I am staging!
 bases:
 - ../../base
-patches:
+patchesStrategicMerge:
 - map.yaml
 EOF
 ```
@@ -191,7 +191,7 @@ commonAnnotations:
  note: Hello, I am production!
 bases:
 - ../../base
-patches:
+patchesStrategicMerge:
 - deployment.yaml
 EOF
 ```
@@ -309,122 +309,3 @@ To deploy, pipe the above commands to kubectl apply:
 > kustomize build $OVERLAYS/production |\
 >    kubectl apply -f -
 > ```
-
-## Rolling updates
-
-### Review
-
-The _hello-world_ deployment running in this cluster is
-configured with data from a configMap.
-
-The deployment refers to this map by name:
-
-
-<!-- @showDeployment @test -->
-```
-grep -C 2 configMapKeyRef $DEMO_HOME/base/deployment.yaml
-```
-
-Changing the data held by a live configMap in a cluster
-is considered bad practice. Deployments have no means
-to know that the configMaps they refer to have
-changed, so such updates have no effect.
-
-The recommended way to change a deployment's
-configuration is to
-
- 1. create a new configMap with a new name,
- 1. patch the _deployment_, modifying the name value of
-    the appropriate `configMapKeyRef` field.
-
-This latter change initiates rolling update to the pods
-in the deployment.  The older configMap, when no longer
-referenced by any other resource, is eventually garbage
-collected.
-
-### How this works with kustomize
-
-The _staging_ [variant] here has a configMap [patch]:
-
-<!-- @showMapPatch @test -->
-```
-cat $OVERLAYS/staging/map.yaml
-```
-
-This patch is by definition a named but not necessarily
-complete resource spec intended to modify a complete
-resource spec.
-
-The resource it modifies is here:
-
-<!-- @showMapBase @test -->
-```
-cat $DEMO_HOME/base/configMap.yaml
-```
-
-For a patch to work, the names in the `metadata/name`
-fields must match.
-
-However, the name values specified in the file are
-_not_ what gets used in the cluster.  By design,
-kustomize modifies these names.  To see the names
-ultimately used in the cluster, just run kustomize:
-
-<!-- @grepStagingName @test -->
-```
-kustomize build $OVERLAYS/staging |\
-    grep -B 8 -A 1 staging-the-map
-```
-
-The configMap name is prefixed by _staging-_, per the
-`namePrefix` field in
-`$OVERLAYS/staging/kustomization.yaml`.
-
-The suffix to the configMap name is generated from a
-hash of the maps content - in this case the name suffix
-is _hhhhkfmgmk_:
-
-<!-- @grepStagingHash @test -->
-```
-kustomize build $OVERLAYS/staging | grep hhhhkfmgmk
-```
-
-Now modify the map patch, to change the greeting
-the server will use:
-
-<!-- @changeMap @test -->
-```
-sed -i 's/pineapple/kiwi/' $OVERLAYS/staging/map.yaml
-```
-
-Run kustomize again to see the new names:
-
-<!-- @grepStagingName @test -->
-```
-kustomize build $OVERLAYS/staging |\
-    grep -B 8 -A 1 staging-the-map
-```
-
-Confirm that the change in configMap content resulted
-in three new names ending in _khk45ktkd9_ - one in the
-configMap name itself, and two in the deployment that
-uses the map:
-
-<!-- @countHashes @test -->
-```
-test 3 == \
-  $(kustomize build $OVERLAYS/staging | grep khk45ktkd9 | wc -l)
-```
-
-Applying these resources to the cluster will result in
-a rolling update of the deployments pods, retargetting
-them from the _hhhhkfmgmk_ maps to the _khk45ktkd9_
-maps.  The system will later garbage collect the
-unused maps.
-
-## Rollback
-
-To rollback, one would undo whatever edits were made to
-the configuation in source control, then rerun kustomize
-on the reverted configuration and apply it to the
-cluster.
--- a/examples/helloWorld/kustomization.yaml
+++ b/examples/helloWorld/kustomization.yaml
@@ -5,5 +5,5 @@ commonLabels:

 resources:
 - deployment.yaml
- configMap.yaml
 - service.yaml
+- configMap.yaml
--- a/examples/imageTags.md
+++ b/examples/imageTags.md
@@ -0,0 +1,75 @@
+# Demo: change image tags
+
+
+Define a place to work:
+
+<!-- @makeWorkplace @test -->
+```
+DEMO_HOME=$(mktemp -d)
+```
+
+Make a `kustomization` containing a pod resource
+
+<!-- @createKustomization @test -->
+```
+cat <<EOF >$DEMO_HOME/kustomization.yaml
+resources:
+- pod.yaml
+EOF
+```
+
+Declare the pod resource
+
+<!-- @createDeployment @test -->
+```
+cat <<EOF >$DEMO_HOME/pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: myapp-container
+    image: busybox:1.29.0
+    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
+  initContainers:
+  - name: init-mydb
+    image: busybox:1.29.0
+    command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done;']
+EOF
+```
+
+The `myapp-pod` resource declares an initContainer and a container, both use the image `busybox:1.29.0`.
+The tag `1.29.0` can be changed by adding `imageTags` in `kustomization.yaml`.
+
+
+Add `imageTags`:
+<!-- @addImageTags @test -->
+```
+cd $DEMO_HOME
+kustomize edit set imagetag busybox:1.29.1
+```
+
+The `kustomization.yaml` will be added following `imageTags`.
+> ```
+> imageTags:
+> - name: busybox
+>   newTag: 1.29.1
+> ```
+
+Now build this `kustomization`
+<!-- @kustomizeBuild @test -->
+```
+kustomize build $DEMO_HOME
+```
+
+Confirm that this replaces _both_ busybox tags:
+
+<!-- @confirmTags @test -->
+```
+test 2 == \
+  $(kustomize build $DEMO_HOME | grep busybox:1.29.1 | wc -l); \
+  echo $?
+```
--- a/examples/integration_tests.sh
+++ b/examples/integration_tests.sh
@@ -48,7 +48,7 @@ function setUpEnv {
  [[ $? -eq 0 ]] || "Failed to cd to $repo"
  echo "pwd is " `pwd`

-  local expectedRepo=kubernetes-sigs/kustomize
+  local expectedRepo=sigs.k8s.io/kustomize
  if [[ `pwd` != */$expectedRepo ]]; then
    exitWith "Script must be run from $expectedRepo"
  fi
--- a/examples/jsonpatch.md
+++ b/examples/jsonpatch.md
@@ -0,0 +1,118 @@
+# Demo: applying a json patch
+
+A kustomization file supports customizing resources via [JSON patches](https://tools.ietf.org/html/rfc6902).
+
+The example below modifies an `Ingress` object with such a patch.
+
+Make a `kustomization` containing an ingress resource.
+
+<!-- @createIngress @test -->
+```
+DEMO_HOME=$(mktemp -d)
+
+cat <<EOF >$DEMO_HOME/kustomization.yaml
+resources:
+- ingress.yaml
+EOF
+
+cat <<EOF >$DEMO_HOME/ingress.yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: my-ingress
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - backend:
+          serviceName: my-api
+          servicePort: 80
+EOF
+```
+
+Declare a JSON patch file to update two fields of the Ingress object:
+
+- change host from `foo.bar.com` to `foo.bar.io`
+- change servicePort from `80` to `8080`
+
+<!-- @addJsonPatch @test -->
+```
+cat <<EOF >$DEMO_HOME/ingress_patch.json
+[
+  {"op": "replace", "path": "/spec/rules/0/host", "value": "foo.bar.io"},
+  {"op": "replace", "path": "/spec/rules/0/http/paths/0/backend/servicePort", "value": 8080}
+]
+EOF
+```
+
+You can also write the patch in YAML format. This example also shows the "add" operation:
+
+<!-- @addYamlPatch @test -->
+```
+cat <<EOF >$DEMO_HOME/ingress_patch.yaml
+- op: replace
+  path: /spec/rules/0/host
+  value: foo.bar.io
+
+- op: add
+  path: /spec/rules/0/http/paths/-
+  value:
+    path: '/test'
+    backend:
+      serviceName: my-test
+      servicePort: 8081
+EOF
+```
+
+Apply the patch by adding _patchesJson6902_ field in kustomization.yaml
+
+<!-- @applyJsonPatch @test -->
+```
+cat <<EOF >>$DEMO_HOME/kustomization.yaml
+patchesJson6902:
+- target:
+    group: extensions
+    version: v1beta1
+    kind: Ingress
+    name: my-ingress
+  path: ingress_patch.json
+EOF
+```
+
+Running `kustomize build $DEMO_HOME`, in the output confirm that host has been updated correctly.
+<!-- @confirmHost @test -->
+```
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep "host: foo.bar.io" | wc -l); \
+  echo $?
+```
+Running `kustomize build $DEMO_HOME`, in the output confirm that the servicePort has been updated correctly.
+<!-- @confirmServicePort @test -->
+```
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep "servicePort: 8080" | wc -l); \
+  echo $?
+```
+
+If the patch is YAML-formatted, it will be parsed correctly:
+
+<!-- @applyYamlPatch @test -->
+```
+cat <<EOF >>$DEMO_HOME/kustomization.yaml
+patchesJson6902:
+- target:
+    group: extensions
+    version: v1beta1
+    kind: Ingress
+    name: my-ingress
+  path: ingress_patch.yaml
+EOF
+```
+
+<!-- @confirmYamlPatch @test -->
+```
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep "path: /test" | wc -l); \
+  echo $?
+```
--- a/examples/ldap/overlays/production/kustomization.yaml
+++ b/examples/ldap/overlays/production/kustomization.yaml
@@ -1,5 +1,5 @@
 bases:
  - ../../base
-patches:
+patchesStrategicMerge:
  - deployment.yaml
 namePrefix: production-
--- a/examples/ldap/overlays/staging/kustomization.yaml
+++ b/examples/ldap/overlays/staging/kustomization.yaml
@@ -1,6 +1,6 @@
 bases:
  - ../../base
-patches:
+patchesStrategicMerge:
  - deployment.yaml
 nameprefix: staging-
 configMapGenerator:
--- a/examples/multibases/README.md
+++ b/examples/multibases/README.md
@@ -0,0 +1,127 @@
+# Demo: multibases with a common base
+
+`kustomize` encourages defining multiple variants - e.g. dev, staging and prod, as overlays on a common base.
+
+It's possible to create an additional overlay to compose these variants together - just declare the overlays as the bases of a new kustomization.
+
+This is also a means to apply a common label or annotation across the variants, if for some reason the base isn't under your control. It also allows one to define a left-most namePrefix across the variants - something that cannot be done by modifying the common base.
+
+The following demonstrates this using a base that's just one pod.
+
+Define a place to work:
+
+<!-- @makeWorkplace @test -->
+```
+DEMO_HOME=$(mktemp -d)
+```
+
+Define a common base:
+<!-- @makeBase @test -->
+```
+BASE=$DEMO_HOME/base
+mkdir $BASE
+
+cat <<EOF >$BASE/kustomization.yaml
+resources:
+- pod.yaml
+EOF
+
+cat <<EOF >$BASE/pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.7.9
+EOF
+```
+
+Define a dev variant overlaying base:
+<!-- @makeDev @test -->
+```
+DEV=$DEMO_HOME/dev
+mkdir $DEV
+
+cat <<EOF >$DEV/kustomization.yaml
+bases:
+- ./../base
+namePrefix: dev-
+EOF
+```
+
+Define a staging variant overlaying base:
+<!-- @makeStaging @test -->
+```
+STAG=$DEMO_HOME/staging
+mkdir $STAG
+
+cat <<EOF >$STAG/kustomization.yaml
+bases:
+- ./../base
+namePrefix: stag-
+EOF
+```
+
+Define a production variant overlaying base:
+<!-- @makeProd @test -->
+```
+PROD=$DEMO_HOME/production
+mkdir $PROD
+
+cat <<EOF >$PROD/kustomization.yaml
+bases:
+- ./../base
+namePrefix: prod-
+EOF
+```
+
+Then define a _Kustomization_ composing three variants together:
+<!-- @makeTopLayer @test -->
+```
+cat <<EOF >$DEMO_HOME/kustomization.yaml
+bases:
+- ./dev
+- ./staging
+- ./production
+
+namePrefix: cluster-a-
+EOF
+```
+
+Now the workspace has following directories
+> ```
+> .
+> ├── base
+> │   ├── kustomization.yaml
+> │   └── pod.yaml
+> ├── dev
+> │   └── kustomization.yaml
+> ├── kustomization.yaml
+> ├── production
+> │   └── kustomization.yaml
+> └── staging
+>     └── kustomization.yaml
+> ```
+
+Confirm that the `kustomize build` output contains three pod objects from dev, staging and production variants.
+
+<!-- @confirmVariants @test -->
+```
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep cluster-a-dev-myapp-pod | wc -l); \
+  echo $?
+  
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep cluster-a-stag-myapp-pod | wc -l); \
+  echo $?
+  
+test 1 == \
+  $(kustomize build $DEMO_HOME | grep cluster-a-prod-myapp-pod | wc -l); \
+  echo $?    
+```
+Similarly to adding different `namePrefix` in different variants, one can also add different `namespace` and compose those variants in
+one _kustomization_. For more details, take a look at [multi-namespaces](multi-namespace.md).
--- a/examples/multibases/base/kustomization.yaml
+++ b/examples/multibases/base/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- pod.yaml
--- a/examples/multibases/base/pod.yaml
+++ b/examples/multibases/base/pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.7.9
--- a/examples/multibases/dev/kustomization.yaml
+++ b/examples/multibases/dev/kustomization.yaml
@@ -0,0 +1,4 @@
+bases:
+- ./../base
+
+namePrefix: dev-
--- a/examples/multibases/kustomization.yaml
+++ b/examples/multibases/kustomization.yaml
@@ -0,0 +1,6 @@
+bases:
+- ./dev
+- ./staging
+- ./production
+
+namePrefix: cluster-a-
--- a/examples/multibases/multi-namespace.md
+++ b/examples/multibases/multi-namespace.md
@@ -0,0 +1,115 @@
+# Demo: multi namespaces with a common base
+
+`kustomize` supports defining multiple variants with different namespace, as overlays on a common base.
+
+It's possible to create an additional overlay to compose these variants together - just declare the overlays as the bases of a new kustomization. The following demonstrates this using a base that's just one pod.
+
+Define a place to work:
+
+<!-- @makeWorkplace @test -->
+```
+DEMO_HOME=$(mktemp -d)
+```
+
+Define a common base:
+<!-- @makeBase @test -->
+```
+BASE=$DEMO_HOME/base
+mkdir $BASE
+
+cat <<EOF >$BASE/kustomization.yaml
+resources:
+- pod.yaml
+EOF
+
+cat <<EOF >$BASE/pod.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.7.9
+EOF
+```
+
+Define a variant in namespace-a overlaying base:
+<!-- @makeNamespaceA @test -->
+```
+NSA=$DEMO_HOME/namespace-a
+mkdir $NSA
+
+cat <<EOF >$NSA/kustomization.yaml
+bases:
+- ./../base
+resources:
+- namespace.yaml
+namespace: namespace-a
+EOF
+
+cat <<EOF >$NSA/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-a
+EOF
+```
+
+Define a variant in namespace-b overlaying base:
+<!-- @makeNamespaceB @test -->
+```
+NSB=$DEMO_HOME/namespace-b
+mkdir $NSB
+
+cat <<EOF >$NSB/kustomization.yaml
+bases:
+- ./../base
+resources:
+- namespace.yaml
+namespace: namespace-b
+EOF
+
+cat <<EOF >$NSB/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace-b
+EOF
+```
+
+Then define a _Kustomization_ composing two variants together:
+<!-- @makeTopLayer @test -->
+```
+cat <<EOF >$DEMO_HOME/kustomization.yaml
+bases:
+- ./namespace-a
+- ./namespace-b
+EOF
+```
+
+Now the workspace has following directories
+> ```
+> .
+> ├── base
+> │   ├── kustomization.yaml
+> │   └── pod.yaml
+> ├── kustomization.yaml
+> ├── namespace-a
+> │   ├── kustomization.yaml
+> │   └── namespace.yaml
+> └── namespace-b
+>     ├── kustomization.yaml
+>     └── namespace.yaml
+> ```
+
+Confirm that the `kustomize build` output contains two pod objects from namespace-a and namespace-b.
+
+<!-- @confirmVariants @test -->
+```
+test 2 == \
+  $(kustomize build $DEMO_HOME| grep -B 4 "namespace: namespace-[ab]" | grep "name: myapp-pod" | wc -l); \
+  echo $?  
+```
--- a/examples/multibases/production/kustomization.yaml
+++ b/examples/multibases/production/kustomization.yaml
@@ -0,0 +1,4 @@
+bases:
+- ./../base
+
+namePrefix: prod-
--- a/examples/multibases/staging/kustomization.yaml
+++ b/examples/multibases/staging/kustomization.yaml
@@ -0,0 +1,4 @@
+bases:
+- ./../base
+
+namePrefix: staging-
--- a/examples/mySql/README.md
+++ b/examples/mySql/README.md
@@ -136,7 +136,7 @@ a label, but one can always edit `kustomization.yaml` directly:

 <!-- @customizeLabels @test -->
 ```
-sed -i 's/app: helloworld/app: prod/' \
+sed -i.bak 's/app: helloworld/app: prod/' \
    $DEMO_HOME/kustomization.yaml
 ```

@@ -150,7 +150,7 @@ Off the shelf MySQL uses `emptyDir` type volume, which
 gets wiped away if the MySQL Pod is recreated, and that
 is certainly not desirable for production
 environment. So we want to use Persistent Disk in
-production. kustomize lets you apply `patches` to the
+production. kustomize lets you apply `patchesStrategicMerge` to the
 resources.

 <!-- @createPatchFile @test -->
@@ -176,11 +176,13 @@ Add the patch file to `kustomization.yaml`:
 <!-- @specifyPatch @test -->
 ```
 cat <<'EOF' >> $DEMO_HOME/kustomization.yaml
-patches:
+patchesStrategicMerge:
 - persistent-disk.yaml
 EOF
 ```

+A `mysql-persistent-storage` persistent disk needs to exist for it to run successfully.
+
 Lets break this down:

 - In the first step, we created a YAML file named
@@ -188,7 +190,7 @@ Lets break this down:
  in deployment.yaml

 - Then we added `persistent-disk.yaml` to list of
-  `patches` in `kustomization.yaml`. `kustomize build`
+  `patchesStrategicMerge` in `kustomization.yaml`. `kustomize build`
  will apply this patch to the deployment resource with
  the name `mysql` as defined in the patch.

--- a/examples/mySql/secret.yaml
+++ b/examples/mySql/secret.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  creationTimestamp: null
-  name: mysql-pass-d2gtcm2t2k
+  name: mysql-pass
 type: Opaque
 data:
  # Default password is "admin".
--- a/examples/remoteBuild.md
+++ b/examples/remoteBuild.md
@@ -0,0 +1,69 @@
+# remote targets
+
+`kustomize build` can be run against a url. The effect is the same as cloing the repo, checking out the specified ref,
+then running `kustomize build` against the desired directory in the local copy.
+
+Take `github.com/kubernetes-sigs/kustomize//examples/multibases?ref=v1.0.6` as an example.
+According to [multibases](multibases/README.md) demo, this kustomization contains three Pod objects with names as
+`cluster-a-dev-myapp-pod`, `cluster-a-stag-myapp-pod`, `cluster-a-prod-myapp-pod`.
+Running `kustomize build` against the url gives the same output.
+
+<!-- @remoteBuild @test -->
+```
+target=github.com/kubernetes-sigs/kustomize//examples/multibases?ref=v1.0.6
+test 3 == \
+  $(kustomize build $target | grep cluster-a-.*-myapp-pod | wc -l); \
+  echo $?
+```
+
+Overlays can be remote as well:
+
+<!-- @remoteOverlayBuild @test -->
+
+```
+target=github.com/kubernetes-sigs/kustomize//examples/multibases/dev/?ref=v1.0.6
+test 1 == \
+  $(kustomize build $target | grep cluster-a-dev-myapp-pod | wc -l); \
+  echo $?
+```
+
+A base can also be specified as a URL:
+
+<!-- @createOverlay @test -->
+```
+DEMO_HOME=$(mktemp -d)
+
+cat <<EOF >$DEMO_HOME/kustomization.yaml
+bases:
+- github.com/kubernetes-sigs/kustomize//examples/multibases?ref=v1.0.6
+namePrefix: remote-
+EOF
+```
+Running `kustomize build $DEMO_HOME` and confirm the output contains three Pods and all have `remote-` prefix.
+<!-- @remoteBases @test -->
+```
+test 3 == \
+  $(kustomize build $DEMO_HOME | grep remote-.*-myapp-pod | wc -l); \
+  echo $?
+```
+
+## URL format
+The url should follow
+[hashicorp/go-getter URL format](https://github.com/hashicorp/go-getter#url-format).
+Here are some example urls pointing to Github repos following this convention.
+
+- a repo with a root level kustomization.yaml
+
+  `github.com/Liujingfang1/mysql`
+- a repo with a root level kustomization.yaml on branch test
+
+  `github.com/Liujingfang1/mysql?ref=test`
+- a subdirectory in a repo on version v1.0.6
+
+  `github.com/kubernetes-sigs/kustomize//examples/multibases?ref=v1.0.6`
+- a subdirectory in a repo on branch repoUrl2
+
+  `github.com/Liujingfang1/kustomize//examples/helloWorld?ref=repoUrl2`
+- a subdirectory in a repo on commit `7050a45134e9848fca214ad7e7007e96e5042c03`
+
+  `github.com/Liujingfang1/kustomize//examples/helloWorld?ref=7050a45134e9848fca214ad7e7007e96e5042c03`
--- a/examples/springboot/README.md
+++ b/examples/springboot/README.md
@@ -291,7 +291,7 @@ kustomize edit add patch healthcheck_patch.yaml
 `kustomization.yaml` should have patches field:

 > ```
-> patches:
+> patchesStrategicMerge:
 > - patch.yaml
 > - memorylimit_patch.yaml
 > - healthcheck_patch.yaml
--- a/examples/springboot/overlays/production/kustomization.yaml
+++ b/examples/springboot/overlays/production/kustomization.yaml
@@ -1,6 +1,6 @@
 bases:
 - ../../base
-patches:
+patchesStrategicMerge:
 - patch.yaml
 - healthcheck_patch.yaml
 - memorylimit_patch.yaml
--- a/examples/springboot/overlays/production/patch.yaml
+++ b/examples/springboot/overlays/production/patch.yaml
@@ -4,7 +4,7 @@ metadata:
  name: demo-configmap
 data:
  application.properties: |
-    app.name=Staging Kinflate Demo
+    app.name=Production Kinflate Demo
    spring.jpa.hibernate.ddl-auto=update
    spring.datasource.url=jdbc:mysql://<production_db_ip>:3306/db_example
    spring.datasource.username=root
--- a/examples/transformerconfigs/README.md
+++ b/examples/transformerconfigs/README.md
@@ -0,0 +1,96 @@
+# Transformer Configurations
+
+Kustomize computes the resources by applying a series of transformers:
+- namespace transformer
+- prefix transformer
+- label transformer
+- annotation transformer
+- name reference transformer
+- variable reference transformer
+
+Each transformer takes a list of resources and modifies certain fields. The modification is based on the transformer's rule.
+The fields to update is the transformer's configuration, which is a list of filedspec that can be represented in YAML format.
+
+## fieldSpec
+FieldSpec is a type to represent a path to a field in one kind of resources. It has following format
+```
+group: some-group
+version: some-version
+kind: some-kind
+path: path/to/the/field
+create: false
+```
+If `create` is set to true, it indicates the transformer to create the path if it is not found in the resources. This is most useful for label and annotation transformers, where the path for labels or annotations may not be set before the transformation.
+
+## prefix transformer
+Name prefix transformer adds prefix to the `metadata/name` field for all resources with following configuration:
+```
+namePrefix:
+- path: metadata/name
+```
+
+## label transformer
+Label transformer adds labels to `metadata/labels` field for all resources. It also adds labels to `spec/selector` field in all Service and to `spec/selector/matchLabels` field in all Deployment.
+```
+commonLabels:
+- path: metadata/labels
+  create: true
+
+- path: spec/selector
+  create: true
+  version: v1
+  kind: Service
+
+- path: spec/selector/matchLabels
+  create: true
+  kind: Deployment
+  (etc.)  
+```
+
+## name reference transformer
+Name reference transformer's configuration is different from all other transformers. It contains a list of namebackreferences, which represented all the possible fields that a type could be used as a reference in other types of resources. A namebackreference contains a type such as ConfigMap as well as a list of FieldSpecs where ConfigMap is referenced. Here is an example.
+```
+kind: ConfigMap
+version: v1
+FieldSpecs:
+- kind: Pod
+  version: v1
+  path: spec/volumes/configMap/name
+- kind: Deployment
+  path: spec/template/spec/volumes/configMap/name
+- kind: Job
+  path: spec/template/spec/volumes/configMap/name
+  (etc.)
+```
+Name reference transformer configuration contains a list of such namebackreferences for ConfigMap, Secret, Service, Role, ServiceAccount and so on.
+```
+nameReference:
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/volumes/configMap/name
+    version: v1
+    kind: Pod
+  - path: spec/containers/env/valueFrom/configMapKeyRef/name
+    version: v1
+    kind: Pod
+    (etc.)
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/volumes/secret/secretName
+    version: v1
+    kind: Pod
+  - path: spec/containers/env/valueFrom/secretKeyRef/name
+    version: v1
+    kind: Pod
+    (etc.)    
+```
+
+## cusotmizing transformer configurations
+
+Kustomize has a default set of configurations. They can be saved to local directory through `kustomize config save -d`. kusotmize allows modifying those configuration files and using them in `kustomize build` through `-t`.  This tutorial shows how to customize those configurations to
+- [support a crd type](crd/README.md)
+- disabling adding commonLabels to fields in some kind of resources
+- add extra fields for variable substitution
+- add extra fields for name reference
--- a/examples/transformerconfigs/crd/README.md
+++ b/examples/transformerconfigs/crd/README.md
@@ -0,0 +1,171 @@
+## Transformer Configurations - CRD
+
+This tutorial shows how to add transformer configurations to support a CRD type.
+
+### Get Default Config
+Get the default transformer configurations by
+
+<!-- @saveConfig @test -->
+```
+kustomize config save -d ~/.kustomize/config
+```
+The default configurations are save in directory `~/.kustomize/config` as several files
+
+> ```
+>  commonannotations.yaml  commonlabels.yaml  nameprefix.yaml  namereference.yaml  namespace.yaml  varreference.yaml
+> ```
+
+### Add Config for a CRD
+All transformers will be involved for a CRD type. The default configurations already include some common fieldSpec for all types:
+
+- nameprefix is added to `.metadata.name`
+- namespace is added to `.metadata.namespace`
+- labels is added to `.metadata.labels`
+- annotations is added to `.metadata.annotations`
+
+Thus those fieldSpec don't need to be added to support a CRD type.
+Consider a CRD type `MyKind` with fields
+- `.spec.secretRef.name` reference a Secret
+- `.spec.beeRef.name` reference an instance of CRD `Bee`
+- `.spec.containers.command` as the list of container commands
+- `.spec.selectors` as the label selectors
+
+Add following file to configure the transformers for the above fields
+<!-- @addConfig @test -->
+```
+cat > ~/.kustomize/config/mykind.yaml << EOF
+
+commonLabels:
+- path: spec/selectors
+  create: true
+  kind: MyKind
+
+nameReference:
+- kind: Bee
+  fieldSpecs:
+  - path: spec/beeRef/name
+    kind: MyKind
+- kind: Secret
+  fieldSpecs:
+  - path: spec/secretRef/name
+    kind: MyKind
+
+varReference:
+- path: spec/containers/command
+  kind: MyKind
+- path: spec/beeRef/action
+  kind: MyKind
+
+EOF
+```
+
+### Apply config
+Create a kustomization with a `MyKind` instance.
+
+<!-- @createKustomization @test -->
+```
+DEMO_HOME=$(mktemp -d)
+
+cat > $DEMO_HOME/kustomization.yaml << EOF
+resources:
+- resources.yaml
+
+namePrefix: test-
+
+commonLabels:
+  foo: bar
+
+vars:
+- name: BEE_ACTION
+  objref:
+    kind: Bee
+    name: bee
+    apiVersion: v1beta1
+  fieldref:
+    fieldpath: spec.action
+EOF
+
+cat > $DEMO_HOME/resources.yaml << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crdsecret
+data:
+  PATH: YmJiYmJiYmIK
+---
+apiVersion: v1beta1
+kind: Bee
+metadata:
+  name: bee
+spec:
+  action: fly
+---
+apiVersion: jingfang.example.com/v1beta1
+kind: MyKind
+metadata:
+  name: mykind
+spec:
+  secretRef:
+    name: crdsecret
+  beeRef:
+    name: bee
+    action: \$(BEE_ACTION)
+  containers:
+  - command:
+    - "echo"
+    - "\$(BEE_ACTION)"
+    image: myapp
+EOF
+```
+
+Run `kustomize build` with customized transformer configurations and verify that
+the namereference is correctly resolved.
+
+<!-- @build @test -->
+```
+test 2 == \
+$(kustomize build $DEMO_HOME -t ~/.kustomize/config | grep -A 2 ".*Ref" | grep "test-" | wc -l); \
+echo $?    
+```
+
+Run `kustomize build` with customized transformer configurations and verify that
+the vars correctly resolved.
+
+<!-- @verify @test -->
+```
+test 0 == \
+$(kustomize build $DEMO_HOME -t ~/.kustomize/config | grep "BEE_ACTION" | wc -l); \
+echo $?    
+```
+
+To understand this better, compare the output using default transformer configurations.
+
+<!-- @compareOutput -->
+```
+diff \
+ <(kustomize build $DEMO_HOME) \
+ <(kustomize build $DEMO_HOME -t ~/.kustomize/config ) |\
+ more
+```
+
+The difference output should look something like
+> ```
+> 20,21c20,21
+> <     action: $(BEE_ACTION)
+> <     name: bee
+> ---
+> >     action: fly
+> >     name: test-bee
+> 25c25
+> <     - $(BEE_ACTION)
+> ---
+> >     - fly
+> 28c28,30
+> <     name: crdsecret
+> ---
+> >     name: test-crdsecret
+> >   selectors:
+> >     foo: bar
+> ```
+
+
--- a/examples/transformerconfigs/crd/kustomization.yaml
+++ b/examples/transformerconfigs/crd/kustomization.yaml
@@ -0,0 +1,16 @@
+resources:
+- resources.yaml
+
+namePrefix: test-
+
+commonLabels:
+  foo: bar
+
+vars:
+- name: BEE_ACTION
+  objref:
+    kind: Bee
+    name: bee
+    apiVersion: v1beta1
+  fieldref:
+    fieldpath: spec.action
--- a/examples/transformerconfigs/crd/resources.yaml
+++ b/examples/transformerconfigs/crd/resources.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crdsecret
+data:
+  PATH: YmJiYmJiYmIK
+---
+apiVersion: v1beta1
+kind: Bee
+metadata:
+  name: bee
+spec:
+  action: fly
+---
+apiVersion: jingfang.example.com/v1beta1
+kind: MyKind
+metadata:
+  name: mykind
+spec:
+  secretRef:
+    name: crdsecret
+  beeRef:
+    name: bee
+    action: $(BEE_ACTION)
+  containers:
+  - command:
+    - "echo"
+    - "$(BEE_ACTION)"
+    image: myapp
--- a/examples/wordpress/README.md
+++ b/examples/wordpress/README.md
@@ -53,6 +53,8 @@ bases:
  - wordpress
  - mysql
 namePrefix: demo-
+patchesStrategicMerge:
+  - patch.yaml
 EOF
 ```

@@ -65,7 +67,7 @@ In the new kustomization, apply a patch for wordpress deployment. The patch does
 ```
 CONTENT="https://raw.githubusercontent.com\
 /kubernetes-sigs/kustomize\
-/master/examples/patch.yaml"
+/master/examples/wordpress"

 curl -s -o "$DEMO_HOME/#1.yaml" \
  "$CONTENT/{patch}.yaml"
@@ -89,7 +91,7 @@ The patch has following content
 >       - name: wordpress
 >         env:
 >         - name: WORDPRESS_DB_HOST
->           value: mysql
+>           value: $(MYSQL_SERVICE)
 >         - name: WORDPRESS_DB_PASSWORD
 >           valueFrom:
 >             secretKeyRef:
--- a/examples/wordpress/kustomization.yaml
+++ b/examples/wordpress/kustomization.yaml
@@ -1,7 +1,7 @@
 bases:
  - wordpress
  - mysql
-patches:
+patchesStrategicMerge:
  - patch.yaml
 namePrefix: demo-

--- a/examples/wordpress/patch.yaml
+++ b/examples/wordpress/patch.yaml
@@ -15,7 +15,7 @@ spec:
      - name: wordpress
        env:
        - name: WORDPRESS_DB_HOST
-          value: mysql
+          value: $(MYSQL_SERVICE)
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
--- a/internal/k8sdeps/configmapandsecret/configmapfactory.go
+++ b/internal/k8sdeps/configmapandsecret/configmapfactory.go
@@ -0,0 +1,190 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package configmapandsecret generates configmaps and secrets per generator rules.
+package configmapandsecret
+
+import (
+	"fmt"
+	"path"
+	"strings"
+
+	"github.com/pkg/errors"
+	"k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/ifc"
+	"sigs.k8s.io/kustomize/pkg/types"
+)
+
+// ConfigMapFactory makes ConfigMaps.
+type ConfigMapFactory struct {
+	fSys fs.FileSystem
+	ldr  ifc.Loader
+}
+
+// NewConfigMapFactory returns a new ConfigMapFactory.
+func NewConfigMapFactory(
+	fSys fs.FileSystem, l ifc.Loader) *ConfigMapFactory {
+	return &ConfigMapFactory{fSys: fSys, ldr: l}
+}
+
+func (f *ConfigMapFactory) makeFreshConfigMap(
+	args *types.ConfigMapArgs) *corev1.ConfigMap {
+	cm := &corev1.ConfigMap{}
+	cm.APIVersion = "v1"
+	cm.Kind = "ConfigMap"
+	cm.Name = args.Name
+	cm.Data = map[string]string{}
+	return cm
+}
+
+// MakeConfigMap returns a new ConfigMap, or nil and an error.
+func (f *ConfigMapFactory) MakeConfigMap(
+	args *types.ConfigMapArgs, options *types.GeneratorOptions) (*corev1.ConfigMap, error) {
+	var all []kvPair
+	var err error
+	cm := f.makeFreshConfigMap(args)
+
+	pairs, err := keyValuesFromEnvFile(f.ldr, args.EnvSource)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"env source file: %s",
+			args.EnvSource))
+	}
+	all = append(all, pairs...)
+
+	pairs, err = keyValuesFromLiteralSources(args.LiteralSources)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"literal sources %v", args.LiteralSources))
+	}
+	all = append(all, pairs...)
+
+	pairs, err = keyValuesFromFileSources(f.ldr, args.FileSources)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"file sources: %v", args.FileSources))
+	}
+	all = append(all, pairs...)
+
+	for _, kv := range all {
+		err = addKvToConfigMap(cm, kv.key, kv.value)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if options != nil {
+		cm.SetLabels(options.Labels)
+		cm.SetAnnotations(options.Annotations)
+	}
+	return cm, nil
+}
+
+func keyValuesFromLiteralSources(sources []string) ([]kvPair, error) {
+	var kvs []kvPair
+	for _, s := range sources {
+		k, v, err := parseLiteralSource(s)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, kvPair{key: k, value: v})
+	}
+	return kvs, nil
+}
+
+func keyValuesFromFileSources(ldr ifc.Loader, sources []string) ([]kvPair, error) {
+	var kvs []kvPair
+	for _, s := range sources {
+		k, fPath, err := parseFileSource(s)
+		if err != nil {
+			return nil, err
+		}
+		content, err := ldr.Load(fPath)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, kvPair{key: k, value: string(content)})
+	}
+	return kvs, nil
+}
+
+func keyValuesFromEnvFile(l ifc.Loader, path string) ([]kvPair, error) {
+	if path == "" {
+		return nil, nil
+	}
+	content, err := l.Load(path)
+	if err != nil {
+		return nil, err
+	}
+	return keyValuesFromLines(content)
+}
+
+// addKvToConfigMap adds the given key and data to the given config map.
+// Error if key invalid, or already exists.
+func addKvToConfigMap(configMap *v1.ConfigMap, keyName, data string) error {
+	// Note, the rules for ConfigMap keys are the exact same as the ones for SecretKeys.
+	if errs := validation.IsConfigMapKey(keyName); len(errs) != 0 {
+		return fmt.Errorf("%q is not a valid key name for a ConfigMap: %s", keyName, strings.Join(errs, ";"))
+	}
+	if _, entryExists := configMap.Data[keyName]; entryExists {
+		return fmt.Errorf("cannot add key %s, another key by that name already exists: %v", keyName, configMap.Data)
+	}
+	configMap.Data[keyName] = data
+	return nil
+}
+
+// parseFileSource parses the source given.
+//
+//  Acceptable formats include:
+//   1.  source-path: the basename will become the key name
+//   2.  source-name=source-path: the source-name will become the key name and
+//       source-path is the path to the key file.
+//
+// Key names cannot include '='.
+func parseFileSource(source string) (keyName, filePath string, err error) {
+	numSeparators := strings.Count(source, "=")
+	switch {
+	case numSeparators == 0:
+		return path.Base(source), source, nil
+	case numSeparators == 1 && strings.HasPrefix(source, "="):
+		return "", "", fmt.Errorf("key name for file path %v missing", strings.TrimPrefix(source, "="))
+	case numSeparators == 1 && strings.HasSuffix(source, "="):
+		return "", "", fmt.Errorf("file path for key name %v missing", strings.TrimSuffix(source, "="))
+	case numSeparators > 1:
+		return "", "", errors.New("key names or file paths cannot contain '='")
+	default:
+		components := strings.Split(source, "=")
+		return components[0], components[1], nil
+	}
+}
+
+// parseLiteralSource parses the source key=val pair into its component pieces.
+// This functionality is distinguished from strings.SplitN(source, "=", 2) since
+// it returns an error in the case of empty keys, values, or a missing equals sign.
+func parseLiteralSource(source string) (keyName, value string, err error) {
+	// leading equal is invalid
+	if strings.Index(source, "=") == 0 {
+		return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source)
+	}
+	// split after the first equal (so values can have the = character)
+	items := strings.SplitN(source, "=", 2)
+	if len(items) != 2 {
+		return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source)
+	}
+	return items[0], strings.Trim(items[1], "\"'"), nil
+}
--- a/internal/k8sdeps/configmapandsecret/configmapfactory_test.go
+++ b/internal/k8sdeps/configmapandsecret/configmapfactory_test.go
@@ -0,0 +1,144 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package configmapandsecret
+
+import (
+	"reflect"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/loader"
+	"sigs.k8s.io/kustomize/pkg/types"
+)
+
+func makeEnvConfigMap(name string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Data: map[string]string{
+			"DB_USERNAME": "admin",
+			"DB_PASSWORD": "somepw",
+		},
+	}
+}
+
+func makeFileConfigMap(name string) *corev1.ConfigMap {
+	return &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Data: map[string]string{
+			"app-init.ini": `FOO=bar
+BAR=baz
+`,
+		},
+	}
+}
+
+func makeLiteralConfigMap(name string) *corev1.ConfigMap {
+	cm := &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Data: map[string]string{
+			"a": "x",
+			"b": "y",
+			"c": "Hello World",
+			"d": "true",
+		},
+	}
+	cm.SetLabels(map[string]string{"foo": "bar"})
+	return cm
+}
+
+func TestConstructConfigMap(t *testing.T) {
+	type testCase struct {
+		description string
+		input       types.ConfigMapArgs
+		options     *types.GeneratorOptions
+		expected    *corev1.ConfigMap
+	}
+
+	testCases := []testCase{
+		{
+			description: "construct config map from env",
+			input: types.ConfigMapArgs{
+				Name: "envConfigMap",
+				DataSources: types.DataSources{
+					EnvSource: "configmap/app.env",
+				},
+			},
+			options:  nil,
+			expected: makeEnvConfigMap("envConfigMap"),
+		},
+		{
+			description: "construct config map from file",
+			input: types.ConfigMapArgs{
+				Name: "fileConfigMap",
+				DataSources: types.DataSources{
+					FileSources: []string{"configmap/app-init.ini"},
+				},
+			},
+			options:  nil,
+			expected: makeFileConfigMap("fileConfigMap"),
+		},
+		{
+			description: "construct config map from literal",
+			input: types.ConfigMapArgs{
+				Name: "literalConfigMap",
+				DataSources: types.DataSources{
+					LiteralSources: []string{"a=x", "b=y", "c=\"Hello World\"", "d='true'"},
+				},
+			},
+			options: &types.GeneratorOptions{
+				Labels: map[string]string{
+					"foo": "bar",
+				},
+			},
+			expected: makeLiteralConfigMap("literalConfigMap"),
+		},
+	}
+
+	fSys := fs.MakeFakeFS()
+	fSys.WriteFile("configmap/app.env", []byte("DB_USERNAME=admin\nDB_PASSWORD=somepw\n"))
+	fSys.WriteFile("configmap/app-init.ini", []byte("FOO=bar\nBAR=baz\n"))
+	f := NewConfigMapFactory(fSys, loader.NewFileLoader(fSys))
+	for _, tc := range testCases {
+		cm, err := f.MakeConfigMap(&tc.input, tc.options)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if !reflect.DeepEqual(*cm, *tc.expected) {
+			t.Fatalf("in testcase: %q updated:\n%#v\ndoesn't match expected:\n%#v\n", tc.description, *cm, tc.expected)
+		}
+	}
+}
--- a/internal/k8sdeps/configmapandsecret/kv.go
+++ b/internal/k8sdeps/configmapandsecret/kv.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package resmap
+package configmapandsecret

 import (
 	"bufio"
@@ -28,14 +28,14 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 )

-var utf8bom = []byte{0xEF, 0xBB, 0xBF}
-
 // kvPair represents a key value pair.
 type kvPair struct {
 	key   string
 	value string
 }

+var utf8bom = []byte{0xEF, 0xBB, 0xBF}
+
 // keyValuesFromLines parses given content in to a list of key-value pairs.
 func keyValuesFromLines(content []byte) ([]kvPair, error) {
 	var kvs []kvPair
--- a/internal/k8sdeps/configmapandsecret/kv_test.go
+++ b/internal/k8sdeps/configmapandsecret/kv_test.go
@@ -13,7 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package resmap
+
+package configmapandsecret

 import (
 	"reflect"
--- a/internal/k8sdeps/configmapandsecret/secretfactory.go
+++ b/internal/k8sdeps/configmapandsecret/secretfactory.go
@@ -0,0 +1,162 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package configmapandsecret
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/types"
+)
+
+const (
+	defaultCommandTimeout = 5 * time.Second
+)
+
+// SecretFactory makes Secrets.
+type SecretFactory struct {
+	fSys fs.FileSystem
+	wd   string
+}
+
+// NewSecretFactory returns a new SecretFactory.
+func NewSecretFactory(fSys fs.FileSystem, wd string) *SecretFactory {
+	return &SecretFactory{fSys: fSys, wd: wd}
+}
+
+func (f *SecretFactory) makeFreshSecret(args *types.SecretArgs) *corev1.Secret {
+	s := &corev1.Secret{}
+	s.APIVersion = "v1"
+	s.Kind = "Secret"
+	s.Name = args.Name
+	s.Type = corev1.SecretType(args.Type)
+	if s.Type == "" {
+		s.Type = corev1.SecretTypeOpaque
+	}
+	s.Data = map[string][]byte{}
+	return s
+}
+
+// MakeSecret returns a new secret.
+func (f *SecretFactory) MakeSecret(args *types.SecretArgs, options *types.GeneratorOptions) (*corev1.Secret, error) {
+	var all []kvPair
+	var err error
+	s := f.makeFreshSecret(args)
+
+	timeout := defaultCommandTimeout
+	if args.TimeoutSeconds != nil {
+		log.Println("SecretArgs.TimeoutSeconds will be deprected in next release. Please use GeneratorOptions.TimeoutSeconds instread.")
+		timeout = time.Duration(*args.TimeoutSeconds) * time.Second
+	}
+
+	pairs, err := f.keyValuesFromEnvFileCommand(args.EnvCommand, timeout, options)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"env source file: %s",
+			args.EnvCommand))
+	}
+	all = append(all, pairs...)
+
+	pairs, err = f.keyValuesFromCommands(args.Commands, timeout, options)
+	if err != nil {
+		return nil, errors.Wrap(err, fmt.Sprintf(
+			"commands %v", args.Commands))
+	}
+	all = append(all, pairs...)
+
+	for _, kv := range all {
+		err = addKvToSecret(s, kv.key, kv.value)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if options != nil {
+		s.SetLabels(options.Labels)
+		s.SetAnnotations(options.Annotations)
+	}
+	return s, nil
+}
+
+func addKvToSecret(secret *corev1.Secret, keyName, data string) error {
+	// Note, the rules for SecretKeys  keys are the exact same as the ones for ConfigMap.
+	if errs := validation.IsConfigMapKey(keyName); len(errs) != 0 {
+		return fmt.Errorf("%q is not a valid key name for a Secret: %s", keyName, strings.Join(errs, ";"))
+	}
+	if _, entryExists := secret.Data[keyName]; entryExists {
+		return fmt.Errorf("cannot add key %s, another key by that name already exists", keyName)
+	}
+	secret.Data[keyName] = []byte(data)
+	return nil
+}
+
+func (f *SecretFactory) keyValuesFromEnvFileCommand(cmd string, timeout time.Duration, options *types.GeneratorOptions) ([]kvPair, error) {
+	content, err := f.createSecretKey(cmd, timeout, options)
+	if err != nil {
+		return nil, err
+	}
+	return keyValuesFromLines(content)
+}
+
+func (f *SecretFactory) keyValuesFromCommands(sources map[string]string, timeout time.Duration, options *types.GeneratorOptions) ([]kvPair, error) {
+	var kvs []kvPair
+	for k, cmd := range sources {
+		content, err := f.createSecretKey(cmd, timeout, options)
+		if err != nil {
+			return nil, err
+		}
+		kvs = append(kvs, kvPair{key: k, value: string(content)})
+	}
+	return kvs, nil
+}
+
+// Run a command, return its output as the secret.
+func (f *SecretFactory) createSecretKey(command string, timeout time.Duration, options *types.GeneratorOptions) ([]byte, error) {
+	if !f.fSys.IsDir(f.wd) {
+		f.wd = filepath.Dir(f.wd)
+		if !f.fSys.IsDir(f.wd) {
+			return nil, errors.New("not a directory: " + f.wd)
+		}
+	}
+
+	if options != nil && options.TimeoutSeconds != nil {
+		t := time.Duration(*options.TimeoutSeconds) * time.Second
+		if t > timeout {
+			timeout = t
+		}
+	}
+
+	var commands []string
+	if options == nil || len(options.Shell) == 0 {
+		commands = []string{"sh", "-c", command}
+	} else {
+		commands = append(options.Shell, command)
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, commands[0], commands[1:]...)
+	cmd.Dir = f.wd
+	return cmd.Output()
+}
--- a/internal/k8sdeps/doc.go
+++ b/internal/k8sdeps/doc.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// It's possible that kustomize's features will be vendored into
+// the kubernetes/kubernetes repo and made available to kubectl
+// commands, while at the same time the kustomize program will
+// continue to exist as an independent CLI.  Vendoring snapshots
+// would be taken just before a kubectl release.
+//
+// This creates a problem in that freestanding-kustomize depends on
+// (for example):
+//
+//   https://github.com/kubernetes/apimachinery/
+//       tree/master/pkg/util/yaml
+//
+// It vendors that package into
+//   sigs.k8s.io/kustomize/vendor/k8s.io/apimachinery/
+//
+// Whereas kubectl-kustomize would have to depend on the "staging"
+// version of this code, located at
+//
+//   https://github.com/kubernetes/kubernetes/
+//       blob/master/staging/src/k8s.io/apimachinery/pkg/util/yaml
+//
+// which is "vendored" via symlinks:
+//   k8s.io/kubernetes/vendor/k8s.io/apimachinery
+// is a symlink to
+//   ../../staging/src/k8s.io/apimachinery
+//
+// The staging version is the canonical, under-development
+// version of the code that kubectl depends on, whereas the packages
+// at kubernetes/apimachinery are periodic snapshots of staging made
+// for outside tools to depend on.
+//
+// apimachinery isn't the only package that poses this problem, just
+// using it as a specific example.
+//
+// The kubectl binary cannot vendor in kustomize code that in
+// turn vendors in the non-staging packages.
+//
+// One way to fix some of this would be to copy code - a hard fork.
+// This has all the problems associated with a hard forking.
+//
+// Another way would be to break the kustomize repo into three:
+//
+// (1) kustomize - repo with the main() function,
+//     vendoring (2) and (3).
+//
+// (2) kustomize-libs - packages used by (1) with no
+//     apimachinery dependence.
+//
+// (3) kustomize-k8sdeps - A thin code layer that depends
+//     on (vendors) apimachinery to provide thin implementations
+//     to interfaces used in (2).
+//
+// The kubectl repo would then vendor from (2) only, and have
+// a local implementation of (3).  With that in mind, it's clear
+// that (3) doesn't have to be a repo; the kustomize version of
+// the thin layer can live directly in (1).
+//
+// This package is the code in (3), meant for kustomize.
+
+package k8sdeps
--- a/internal/k8sdeps/factory.go
+++ b/internal/k8sdeps/factory.go
@@ -0,0 +1,34 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package k8sdeps provides kustomize factory with k8s dependencies
+package k8sdeps
+
+import (
+	"sigs.k8s.io/kustomize/internal/k8sdeps/kunstruct"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/transformer"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/validator"
+	"sigs.k8s.io/kustomize/pkg/factory"
+)
+
+// NewFactory creates an instance of KustFactory using k8sdeps factories
+func NewFactory() *factory.KustFactory {
+	return factory.NewKustFactory(
+		kunstruct.NewKunstructuredFactoryImpl(),
+		validator.NewKustValidator(),
+		transformer.NewFactoryImpl(),
+	)
+}
--- a/internal/k8sdeps/kunstruct/factory.go
+++ b/internal/k8sdeps/kunstruct/factory.go
@@ -0,0 +1,96 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kunstruct
+
+import (
+	"bytes"
+	"io"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/configmapandsecret"
+	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/ifc"
+	"sigs.k8s.io/kustomize/pkg/types"
+)
+
+// KunstructurerFactoryImpl hides construction using apimachinery types.
+type KunstructurerFactoryImpl struct {
+	cmfactory  *configmapandsecret.ConfigMapFactory
+	secfactory *configmapandsecret.SecretFactory
+}
+
+var _ ifc.KunstructuredFactory = &KunstructurerFactoryImpl{}
+
+// NewKunstructuredFactoryImpl returns a factory.
+func NewKunstructuredFactoryImpl() ifc.KunstructuredFactory {
+	return &KunstructurerFactoryImpl{}
+}
+
+// SliceFromBytes returns a slice of Kunstructured.
+func (kf *KunstructurerFactoryImpl) SliceFromBytes(
+	in []byte) ([]ifc.Kunstructured, error) {
+	decoder := yaml.NewYAMLOrJSONDecoder(bytes.NewReader(in), 1024)
+	var result []ifc.Kunstructured
+	var err error
+	for err == nil || isEmptyYamlError(err) {
+		var out unstructured.Unstructured
+		err = decoder.Decode(&out)
+		if err == nil {
+			result = append(result, &UnstructAdapter{Unstructured: out})
+		}
+	}
+	if err != io.EOF {
+		return nil, err
+	}
+	return result, nil
+}
+
+func isEmptyYamlError(err error) bool {
+	return strings.Contains(err.Error(), "is missing in 'null'")
+}
+
+// FromMap returns an instance of Kunstructured.
+func (kf *KunstructurerFactoryImpl) FromMap(
+	m map[string]interface{}) ifc.Kunstructured {
+	return &UnstructAdapter{Unstructured: unstructured.Unstructured{Object: m}}
+}
+
+// MakeConfigMap returns an instance of Kunstructured for ConfigMap
+func (kf *KunstructurerFactoryImpl) MakeConfigMap(args *types.ConfigMapArgs, options *types.GeneratorOptions) (ifc.Kunstructured, error) {
+	cm, err := kf.cmfactory.MakeConfigMap(args, options)
+	if err != nil {
+		return nil, err
+	}
+	return NewKunstructuredFromObject(cm)
+}
+
+// MakeSecret returns an instance of Kunstructured for Secret
+func (kf *KunstructurerFactoryImpl) MakeSecret(args *types.SecretArgs, options *types.GeneratorOptions) (ifc.Kunstructured, error) {
+	sec, err := kf.secfactory.MakeSecret(args, options)
+	if err != nil {
+		return nil, err
+	}
+	return NewKunstructuredFromObject(sec)
+}
+
+// Set sets loader, filesystem and workdirectory
+func (kf *KunstructurerFactoryImpl) Set(fs fs.FileSystem, ldr ifc.Loader) {
+	kf.cmfactory = configmapandsecret.NewConfigMapFactory(fs, ldr)
+	kf.secfactory = configmapandsecret.NewSecretFactory(fs, ldr.Root())
+}
--- a/internal/k8sdeps/kunstruct/factory_test.go
+++ b/internal/k8sdeps/kunstruct/factory_test.go
@@ -0,0 +1,124 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kunstruct
+
+import (
+	"reflect"
+	"testing"
+
+	"sigs.k8s.io/kustomize/pkg/ifc"
+)
+
+func TestSliceFromBytes(t *testing.T) {
+	factory := NewKunstructuredFactoryImpl()
+	testConfigMap := factory.FromMap(
+		map[string]interface{}{
+			"apiVersion": "v1",
+			"kind":       "ConfigMap",
+			"metadata": map[string]interface{}{
+				"name": "winnie",
+			},
+		})
+
+	tests := []struct {
+		name        string
+		input       []byte
+		expectedOut []ifc.Kunstructured
+		expectedErr bool
+	}{
+		{
+			name:        "garbage",
+			input:       []byte("garbageIn: garbageOut"),
+			expectedOut: []ifc.Kunstructured{},
+			expectedErr: true,
+		},
+		{
+			name:        "noBytes",
+			input:       []byte{},
+			expectedOut: []ifc.Kunstructured{},
+			expectedErr: false,
+		},
+		{
+			name: "goodJson",
+			input: []byte(`
+{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"winnie"}}
+`),
+			expectedOut: []ifc.Kunstructured{testConfigMap},
+			expectedErr: false,
+		},
+		{
+			name: "goodYaml1",
+			input: []byte(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: winnie
+`),
+			expectedOut: []ifc.Kunstructured{testConfigMap},
+			expectedErr: false,
+		},
+		{
+			name: "goodYaml2",
+			input: []byte(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: winnie
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: winnie
+`),
+			expectedOut: []ifc.Kunstructured{testConfigMap, testConfigMap},
+			expectedErr: false,
+		},
+		{
+			name: "garbageInOneOfTwoObjects",
+			input: []byte(`
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: winnie
+---
+WOOOOOOOOOOOOOOOOOOOOOOOOT:  woot
+`),
+			expectedOut: []ifc.Kunstructured{},
+			expectedErr: true,
+		},
+	}
+
+	for _, test := range tests {
+		rs, err := factory.SliceFromBytes(test.input)
+		if test.expectedErr && err == nil {
+			t.Fatalf("%v: should return error", test.name)
+		}
+		if !test.expectedErr && err != nil {
+			t.Fatalf("%v: unexpected error: %s", test.name, err)
+		}
+		if len(rs) != len(test.expectedOut) {
+			t.Fatalf("%s: length mismatch %d != %d",
+				test.name, len(rs), len(test.expectedOut))
+		}
+		for i := range rs {
+			if !reflect.DeepEqual(test.expectedOut[i], rs[i]) {
+				t.Fatalf("%s: Got: %v\nexpected:%v",
+					test.name, test.expectedOut[i], rs[i])
+			}
+		}
+	}
+}
--- a/internal/k8sdeps/kunstruct/kunstruct.go
+++ b/internal/k8sdeps/kunstruct/kunstruct.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package kunstruct provides unstructured from api machinery and factory for creating unstructured
+package kunstruct
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/kustomize/pkg/gvk"
+	"sigs.k8s.io/kustomize/pkg/ifc"
+)
+
+var _ ifc.Kunstructured = &UnstructAdapter{}
+
+// UnstructAdapter wraps unstructured.Unstructured from
+// https://github.com/kubernetes/apimachinery/blob/master/
+//     pkg/apis/meta/v1/unstructured/unstructured.go
+// to isolate dependence on apimachinery.
+type UnstructAdapter struct {
+	unstructured.Unstructured
+}
+
+// NewKunstructuredFromObject returns a new instance of Kunstructured.
+func NewKunstructuredFromObject(obj runtime.Object) (ifc.Kunstructured, error) {
+	// Convert obj to a byte stream, then convert that to JSON (Unstructured).
+	marshaled, err := json.Marshal(obj)
+	if err != nil {
+		return &UnstructAdapter{}, err
+	}
+	var u unstructured.Unstructured
+	err = u.UnmarshalJSON(marshaled)
+	// creationTimestamp always 'null', remove it
+	u.SetCreationTimestamp(metav1.Time{})
+	return &UnstructAdapter{Unstructured: u}, err
+}
+
+// GetGvk returns the Gvk name of the object.
+func (fs *UnstructAdapter) GetGvk() gvk.Gvk {
+	x := fs.GroupVersionKind()
+	return gvk.Gvk{
+		Group:   x.Group,
+		Version: x.Version,
+		Kind:    x.Kind,
+	}
+}
+
+// Copy provides a copy behind an interface.
+func (fs *UnstructAdapter) Copy() ifc.Kunstructured {
+	return &UnstructAdapter{*fs.DeepCopy()}
+}
+
+// Map returns the unstructured content map.
+func (fs *UnstructAdapter) Map() map[string]interface{} {
+	return fs.Object
+}
+
+// SetMap overrides the unstructured content map.
+func (fs *UnstructAdapter) SetMap(m map[string]interface{}) {
+	fs.Object = m
+}
+
+// GetFieldValue returns value at the given fieldpath.
+func (fs *UnstructAdapter) GetFieldValue(path string) (string, error) {
+	s, found, err := unstructured.NestedString(
+		fs.UnstructuredContent(), strings.Split(path, ".")...)
+	if found || err != nil {
+		return s, err
+	}
+	return "", fmt.Errorf("no field named '%s'", path)
+}
--- a/internal/k8sdeps/kunstruct/kunstruct_test.go
+++ b/internal/k8sdeps/kunstruct/kunstruct_test.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kunstruct
+
+import (
+	"testing"
+)
+
+func TestGetFieldValue(t *testing.T) {
+	factory := NewKunstructuredFactoryImpl()
+	kunstructured := factory.FromMap(map[string]interface{}{
+		"Kind": "Service",
+		"metadata": map[string]interface{}{
+			"labels": map[string]string{
+				"app": "application-name",
+			},
+			"name": "service-name",
+		},
+		"spec": map[string]interface{}{
+			"ports": map[string]interface{}{
+				"port": "80",
+			},
+		},
+		"this": map[string]interface{}{
+			"is": map[string]interface{}{
+				"aNumber":    1000,
+				"aNilValue":  nil,
+				"anEmptyMap": map[string]interface{}{},
+				"unrecognizable": testing.InternalExample{
+					Name: "fooBar",
+				},
+			},
+		},
+	})
+
+	tests := []struct {
+		name          string
+		pathToField   string
+		expectedValue string
+		errorExpected bool
+		errorMsg      string
+	}{
+		{
+			name:          "oneField",
+			pathToField:   "Kind",
+			expectedValue: "Service",
+			errorExpected: false,
+		},
+		{
+			name:          "twoFields",
+			pathToField:   "metadata.name",
+			expectedValue: "service-name",
+			errorExpected: false,
+		},
+		{
+			name:          "threeFields",
+			pathToField:   "spec.ports.port",
+			expectedValue: "80",
+			errorExpected: false,
+		},
+		{
+			name:          "empty",
+			pathToField:   "",
+			errorExpected: true,
+			errorMsg:      "no field named ''",
+		},
+		{
+			name:          "emptyDotEmpty",
+			pathToField:   ".",
+			errorExpected: true,
+			errorMsg:      "no field named '.'",
+		},
+		{
+			name:          "twoFieldsOneMissing",
+			pathToField:   "metadata.banana",
+			errorExpected: true,
+			errorMsg:      "no field named 'metadata.banana'",
+		},
+		{
+			name:          "deeperMissingField",
+			pathToField:   "this.is.aDeep.field.that.does.not.exist",
+			errorExpected: true,
+			errorMsg:      "no field named 'this.is.aDeep.field.that.does.not.exist'",
+		},
+		{
+			name:          "emptyMap",
+			pathToField:   "this.is.anEmptyMap",
+			errorExpected: true,
+			errorMsg:      ".this.is.anEmptyMap accessor error: map[] is of the type map[string]interface {}, expected string",
+		},
+		{
+			name:          "numberAsValue",
+			pathToField:   "this.is.aNumber",
+			errorExpected: true,
+			errorMsg:      ".this.is.aNumber accessor error: 1000 is of the type int, expected string",
+		},
+		{
+			name:          "nilAsValue",
+			pathToField:   "this.is.aNilValue",
+			errorExpected: true,
+			errorMsg:      ".this.is.aNilValue accessor error: <nil> is of the type <nil>, expected string",
+		},
+		{
+			name:          "unrecognizable",
+			pathToField:   "this.is.unrecognizable.Name",
+			errorExpected: true,
+			errorMsg:      ".this.is.unrecognizable.Name accessor error: {fooBar <nil>  false} is of the type testing.InternalExample, expected map[string]interface{}",
+		},
+	}
+
+	for _, test := range tests {
+		s, err := kunstructured.GetFieldValue(test.pathToField)
+		if test.errorExpected {
+			if err == nil {
+				t.Fatalf("%q; path %q - should return error, but no error returned",
+					test.name, test.pathToField)
+			}
+			if test.errorMsg != err.Error() {
+				t.Fatalf("%q; path %q - expected error: \"%s\", got error: \"%v\"",
+					test.name, test.pathToField, test.errorMsg, err.Error())
+			}
+			continue
+		}
+		if err != nil {
+			t.Fatalf("%q; path %q - unexpected error %v",
+				test.name, test.pathToField, err)
+		}
+		if test.expectedValue != s {
+			t.Fatalf("%q; Got: %s expected: %s",
+				test.name, s, test.expectedValue)
+		}
+
+	}
+}
--- a/internal/k8sdeps/transformer/factory.go
+++ b/internal/k8sdeps/transformer/factory.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package transformer provides transformer factory
+package transformer
+
+import (
+	"sigs.k8s.io/kustomize/internal/k8sdeps/transformer/hash"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/transformer/patch"
+	"sigs.k8s.io/kustomize/pkg/resource"
+	"sigs.k8s.io/kustomize/pkg/transformers"
+)
+
+// FactoryImpl makes patch transformer and name hash transformer
+type FactoryImpl struct{}
+
+// NewFactoryImpl makes a new factoryImpl instance
+func NewFactoryImpl() *FactoryImpl {
+	return &FactoryImpl{}
+}
+
+// MakePatchTransformer makes a new patch transformer
+func (p *FactoryImpl) MakePatchTransformer(slice []*resource.Resource, rf *resource.Factory) (transformers.Transformer, error) {
+	return patch.NewPatchTransformer(slice, rf)
+}
+
+// MakeHashTransformer makes a new name hash transformer
+func (p *FactoryImpl) MakeHashTransformer() transformers.Transformer {
+	return hash.NewNameHashTransformer()
+}
--- a/internal/k8sdeps/transformer/hash/hash.go
+++ b/internal/k8sdeps/transformer/hash/hash.go
@@ -14,7 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-// Package hash generates hash strings from configmaps and secrets.
 package hash

 import (
@@ -23,8 +22,42 @@ import (
 	"fmt"

 	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

+// KustHash compute hash for unstructured objects
+type KustHash struct{}
+
+// NewKustHash returns a KustHash object
+func NewKustHash() *KustHash {
+	return &KustHash{}
+}
+
+// Hash returns a hash of either a ConfigMap or a Secret
+func (h *KustHash) Hash(m map[string]interface{}) (string, error) {
+	u := unstructured.Unstructured{
+		Object: m,
+	}
+	kind := u.GetKind()
+	switch kind {
+	case "ConfigMap":
+		cm, err := unstructuredToConfigmap(u)
+		if err != nil {
+			return "", err
+		}
+		return ConfigMapHash(cm)
+	case "Secret":
+		sec, err := unstructuredToSecret(u)
+
+		if err != nil {
+			return "", err
+		}
+		return SecretHash(sec)
+	default:
+		return "", fmt.Errorf("type %s is supported for hashing in %v", kind, m)
+	}
+}
+
 // ConfigMapHash returns a hash of the ConfigMap.
 // The Data, Kind, and Name are taken into account.
 func ConfigMapHash(cm *v1.ConfigMap) (string, error) {
@@ -113,3 +146,23 @@ func encodeHash(hex string) (string, error) {
 func hash(data string) string {
 	return fmt.Sprintf("%x", sha256.Sum256([]byte(data)))
 }
+
+func unstructuredToConfigmap(u unstructured.Unstructured) (*v1.ConfigMap, error) {
+	marshaled, err := json.Marshal(u.Object)
+	if err != nil {
+		return nil, err
+	}
+	var out v1.ConfigMap
+	err = json.Unmarshal(marshaled, &out)
+	return &out, err
+}
+
+func unstructuredToSecret(u unstructured.Unstructured) (*v1.Secret, error) {
+	marshaled, err := json.Marshal(u.Object)
+	if err != nil {
+		return nil, err
+	}
+	var out v1.Secret
+	err = json.Unmarshal(marshaled, &out)
+	return &out, err
+}
--- a/internal/k8sdeps/transformer/hash/hash_test.go
+++ b/internal/k8sdeps/transformer/hash/hash_test.go
@@ -22,8 +22,14 @@ import (
 	"testing"

 	"k8s.io/api/core/v1"
+	"sigs.k8s.io/kustomize/pkg/gvk"
 )

+var service = gvk.Gvk{Version: "v1", Kind: "Service"}
+var secret = gvk.Gvk{Version: "v1", Kind: "Secret"}
+var cmap = gvk.Gvk{Version: "v1", Kind: "ConfigMap"}
+var deploy = gvk.Gvk{Group: "apps", Version: "v1", Kind: "Deployment"}
+
 func TestConfigMapHash(t *testing.T) {
 	cases := []struct {
 		desc string
@@ -96,15 +102,19 @@ func TestEncodeConfigMap(t *testing.T) {
 		// one key
 		{"one key", &v1.ConfigMap{Data: map[string]string{"one": ""}}, `{"data":{"one":""},"kind":"ConfigMap","name":""}`, ""},
 		// three keys (tests sorting order)
-		{"three keys", &v1.ConfigMap{Data: map[string]string{"two": "2", "one": "", "three": "3"}}, `{"data":{"one":"","three":"3","two":"2"},"kind":"ConfigMap","name":""}`, ""},
+		{"three keys", &v1.ConfigMap{Data: map[string]string{"two": "2", "one": "", "three": "3"}},
+			`{"data":{"one":"","three":"3","two":"2"},"kind":"ConfigMap","name":""}`, ""},
 		// empty binary map
 		{"empty data", &v1.ConfigMap{BinaryData: map[string][]byte{}}, `{"data":null,"kind":"ConfigMap","name":""}`, ""},
 		// one key with binary data
-		{"one key", &v1.ConfigMap{BinaryData: map[string][]byte{"one": []byte("")}}, `{"binaryData":{"one":""},"data":null,"kind":"ConfigMap","name":""}`, ""},
+		{"one key", &v1.ConfigMap{BinaryData: map[string][]byte{"one": []byte("")}},
+			`{"binaryData":{"one":""},"data":null,"kind":"ConfigMap","name":""}`, ""},
 		// three keys with binary data (tests sorting order)
-		{"three keys", &v1.ConfigMap{BinaryData: map[string][]byte{"two": []byte("2"), "one": []byte(""), "three": []byte("3")}}, `{"binaryData":{"one":"","three":"Mw==","two":"Mg=="},"data":null,"kind":"ConfigMap","name":""}`, ""},
+		{"three keys", &v1.ConfigMap{BinaryData: map[string][]byte{"two": []byte("2"), "one": []byte(""), "three": []byte("3")}},
+			`{"binaryData":{"one":"","three":"Mw==","two":"Mg=="},"data":null,"kind":"ConfigMap","name":""}`, ""},
 		// two keys, one string and one binary values
-		{"two keys with one each", &v1.ConfigMap{Data: map[string]string{"one": ""}, BinaryData: map[string][]byte{"two": []byte("")}}, `{"binaryData":{"two":""},"data":{"one":""},"kind":"ConfigMap","name":""}`, ""},
+		{"two keys with one each", &v1.ConfigMap{Data: map[string]string{"one": ""}, BinaryData: map[string][]byte{"two": []byte("")}},
+			`{"binaryData":{"two":""},"data":{"one":""},"kind":"ConfigMap","name":""}`, ""},
 	}
 	for _, c := range cases {
 		s, err := encodeConfigMap(c.cm)
@@ -129,7 +139,11 @@ func TestEncodeSecret(t *testing.T) {
 		// one key
 		{"one key", &v1.Secret{Type: "my-type", Data: map[string][]byte{"one": []byte("")}}, `{"data":{"one":""},"kind":"Secret","name":"","type":"my-type"}`, ""},
 		// three keys (tests sorting order) - note json.Marshal base64 encodes the values because they come in as []byte
-		{"three keys", &v1.Secret{Type: "my-type", Data: map[string][]byte{"two": []byte("2"), "one": []byte(""), "three": []byte("3")}}, `{"data":{"one":"","three":"Mw==","two":"Mg=="},"kind":"Secret","name":"","type":"my-type"}`, ""},
+		{"three keys", &v1.Secret{
+			Type: "my-type",
+			Data: map[string][]byte{"two": []byte("2"), "one": []byte(""), "three": []byte("3")},
+		},
+			`{"data":{"one":"","three":"Mw==","two":"Mg=="},"kind":"Secret","name":"","type":"my-type"}`, ""},
 	}
 	for _, c := range cases {
 		s, err := encodeSecret(c.secret)
--- a/internal/k8sdeps/transformer/hash/namehash.go
+++ b/internal/k8sdeps/transformer/hash/namehash.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package hash
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/pkg/resmap"
+	"sigs.k8s.io/kustomize/pkg/resource"
+	"sigs.k8s.io/kustomize/pkg/transformers"
+)
+
+type nameHashTransformer struct{}
+
+var _ transformers.Transformer = &nameHashTransformer{}
+
+// NewNameHashTransformer construct a nameHashTransformer.
+func NewNameHashTransformer() transformers.Transformer {
+	return &nameHashTransformer{}
+}
+
+// Transform appends hash to configmaps and secrets.
+func (o *nameHashTransformer) Transform(m resmap.ResMap) error {
+	for _, res := range m {
+		if res.IsGenerated() {
+			err := o.appendHash(res)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (o *nameHashTransformer) appendHash(res *resource.Resource) error {
+	h, err := NewKustHash().Hash(res.Map())
+	if err != nil {
+		return err
+	}
+	nameWithHash := fmt.Sprintf("%s-%s", res.GetName(), h)
+	res.SetName(nameWithHash)
+	return nil
+}
--- a/internal/k8sdeps/transformer/hash/namehash_test.go
+++ b/internal/k8sdeps/transformer/hash/namehash_test.go
@@ -14,19 +14,24 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package transformers
+package hash

 import (
 	"reflect"
 	"testing"

-	"github.com/kubernetes-sigs/kustomize/pkg/resmap"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/kunstruct"
+	"sigs.k8s.io/kustomize/pkg/ifc"
+	"sigs.k8s.io/kustomize/pkg/resid"
+	"sigs.k8s.io/kustomize/pkg/resmap"
+	"sigs.k8s.io/kustomize/pkg/resource"
 )

 func TestNameHashTransformer(t *testing.T) {
+	rf := resource.NewFactory(
+		kunstruct.NewKunstructuredFactoryImpl())
 	objs := resmap.ResMap{
-		resource.NewResId(cmap, "cm1"): resource.NewResourceFromMap(
+		resid.NewResId(cmap, "cm1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "ConfigMap",
@@ -34,7 +39,7 @@ func TestNameHashTransformer(t *testing.T) {
 					"name": "cm1",
 				},
 			}),
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"group":      "apps",
 				"apiVersion": "v1",
@@ -60,7 +65,7 @@ func TestNameHashTransformer(t *testing.T) {
 					},
 				},
 			}),
-		resource.NewResId(service, "svc1"): resource.NewResourceFromMap(
+		resid.NewResId(service, "svc1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "Service",
@@ -76,26 +81,26 @@ func TestNameHashTransformer(t *testing.T) {
 					},
 				},
 			}),
-		resource.NewResId(secret, "secret1"): resource.NewResourceFromMap(
+		resid.NewResId(secret, "secret1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "Secret",
 				"metadata": map[string]interface{}{
 					"name": "secret1",
 				},
-			}),
+			}).SetBehavior(ifc.BehaviorCreate),
 	}

 	expected := resmap.ResMap{
-		resource.NewResId(cmap, "cm1"): resource.NewResourceFromMap(
+		resid.NewResId(cmap, "cm1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "ConfigMap",
 				"metadata": map[string]interface{}{
-					"name": "cm1-m462kdfb68",
+					"name": "cm1",
 				},
 			}),
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"group":      "apps",
 				"apiVersion": "v1",
@@ -121,7 +126,7 @@ func TestNameHashTransformer(t *testing.T) {
 					},
 				},
 			}),
-		resource.NewResId(service, "svc1"): resource.NewResourceFromMap(
+		resid.NewResId(service, "svc1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "Service",
@@ -137,14 +142,14 @@ func TestNameHashTransformer(t *testing.T) {
 					},
 				},
 			}),
-		resource.NewResId(secret, "secret1"): resource.NewResourceFromMap(
+		resid.NewResId(secret, "secret1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "v1",
 				"kind":       "Secret",
 				"metadata": map[string]interface{}{
 					"name": "secret1-7kc45hd5f7",
 				},
-			}),
+			}).SetBehavior(ifc.BehaviorCreate),
 	}

 	tran := NewNameHashTransformer()
--- a/internal/k8sdeps/transformer/patch/patch.go
+++ b/internal/k8sdeps/transformer/patch/patch.go
@@ -14,34 +14,38 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package transformers
+package patch

 import (
 	"encoding/json"
 	"fmt"

-	jsonpatch "github.com/evanphx/json-patch"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/resmap"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
+	"github.com/evanphx/json-patch"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/kustomize/pkg/gvk"
+	"sigs.k8s.io/kustomize/pkg/resmap"
+	"sigs.k8s.io/kustomize/pkg/resource"
+	"sigs.k8s.io/kustomize/pkg/transformers"
 )

 // patchTransformer applies patches.
 type patchTransformer struct {
 	patches []*resource.Resource
+	rf      *resource.Factory
 }

-var _ Transformer = &patchTransformer{}
+var _ transformers.Transformer = &patchTransformer{}

 // NewPatchTransformer constructs a patchTransformer.
-func NewPatchTransformer(slice []*resource.Resource) (Transformer, error) {
+func NewPatchTransformer(
+	slice []*resource.Resource, rf *resource.Factory) (transformers.Transformer, error) {
 	if len(slice) == 0 {
-		return NewNoOpTransformer(), nil
+		return transformers.NewNoOpTransformer(), nil
 	}
-	return &patchTransformer{slice}, nil
+	return &patchTransformer{patches: slice, rf: rf}, nil
 }

 // Transform apply the patches on top of the base resources.
@@ -56,21 +60,26 @@ func (pt *patchTransformer) Transform(baseResourceMap resmap.ResMap) error {
 	for _, patch := range patches {
 		// Merge patches with base resource.
 		id := patch.Id()
-		base, found := baseResourceMap[id]
-		if !found {
+		matchedIds := baseResourceMap.FindByGVKN(id)
+		if len(matchedIds) == 0 {
 			return fmt.Errorf("failed to find an object with %#v to apply the patch", id.Gvk())
 		}
+		if len(matchedIds) > 1 {
+			return fmt.Errorf("found multiple objects %#v targeted by patch %#v (ambiguous)", matchedIds, id)
+		}
+		id = matchedIds[0]
+		base := baseResourceMap[id]
 		merged := map[string]interface{}{}
-		versionedObj, err := scheme.Scheme.New(id.Gvk())
+		versionedObj, err := scheme.Scheme.New(toSchemaGvk(id.Gvk()))
 		baseName := base.GetName()
 		switch {
 		case runtime.IsNotRegisteredError(err):
 			// Use JSON merge patch to handle types w/o schema
-			baseBytes, err := json.Marshal(base)
+			baseBytes, err := json.Marshal(base.Map())
 			if err != nil {
 				return err
 			}
-			patchBytes, err := json.Marshal(patch)
+			patchBytes, err := json.Marshal(patch.Map())
 			if err != nil {
 				return err
 			}
@@ -88,21 +97,21 @@ func (pt *patchTransformer) Transform(baseResourceMap resmap.ResMap) error {
 			// Use Strategic-Merge-Patch to handle types w/ schema
 			// TODO: Change this to use the new Merge package.
 			// Store the name of the base object, because this name may have been munged.
-			// Apply this name to the StrategicMergePatched object.
+			// Apply this name to the patched object.
 			lookupPatchMeta, err := strategicpatch.NewPatchMetaFromStruct(versionedObj)
 			if err != nil {
 				return err
 			}
 			merged, err = strategicpatch.StrategicMergeMapPatchUsingLookupPatchMeta(
-				base.Object,
-				patch.Object,
+				base.Map(),
+				patch.Map(),
 				lookupPatchMeta)
 			if err != nil {
 				return err
 			}
 		}
 		base.SetName(baseName)
-		baseResourceMap[id].Object = merged
+		baseResourceMap[id].SetMap(merged)
 	}
 	return nil
 }
@@ -119,15 +128,15 @@ func (pt *patchTransformer) mergePatches() (resmap.ResMap, error) {
 			continue
 		}

-		versionedObj, err := scheme.Scheme.New(id.Gvk())
+		versionedObj, err := scheme.Scheme.New(toSchemaGvk(id.Gvk()))
 		if err != nil && !runtime.IsNotRegisteredError(err) {
 			return nil, err
 		}
 		var cd conflictDetector
 		if err != nil {
-			cd = newJMPConflictDetector()
+			cd = newJMPConflictDetector(pt.rf)
 		} else {
-			cd, err = newSMPConflictDetector(versionedObj)
+			cd, err = newSMPConflictDetector(versionedObj, pt.rf)
 			if err != nil {
 				return nil, err
 			}
@@ -142,7 +151,9 @@ func (pt *patchTransformer) mergePatches() (resmap.ResMap, error) {
 			if err != nil {
 				return nil, err
 			}
-			return nil, fmt.Errorf("there is conflict between %#v and %#v", conflictingPatch.Object, patch.Object)
+			return nil, fmt.Errorf(
+				"conflict between %#v and %#v",
+				conflictingPatch.Map(), patch.Map())
 		}
 		merged, err := cd.mergePatches(existing, patch)
 		if err != nil {
@@ -152,3 +163,12 @@ func (pt *patchTransformer) mergePatches() (resmap.ResMap, error) {
 	}
 	return rc, nil
 }
+
+// toSchemaGvk converts to a schema.GroupVersionKind.
+func toSchemaGvk(x gvk.Gvk) schema.GroupVersionKind {
+	return schema.GroupVersionKind{
+		Group:   x.Group,
+		Version: x.Version,
+		Kind:    x.Kind,
+	}
+}
--- a/internal/k8sdeps/transformer/patch/patch_test.go
+++ b/internal/k8sdeps/transformer/patch/patch_test.go
@@ -14,20 +14,28 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package transformers
+package patch

 import (
 	"reflect"
 	"strings"
 	"testing"

-	"github.com/kubernetes-sigs/kustomize/pkg/resmap"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
+	"sigs.k8s.io/kustomize/internal/k8sdeps/kunstruct"
+	"sigs.k8s.io/kustomize/pkg/gvk"
+	"sigs.k8s.io/kustomize/pkg/resid"
+	"sigs.k8s.io/kustomize/pkg/resmap"
+	"sigs.k8s.io/kustomize/pkg/resource"
 )

+var rf = resource.NewFactory(
+	kunstruct.NewKunstructuredFactoryImpl())
+var deploy = gvk.Gvk{Group: "apps", Version: "v1", Kind: "Deployment"}
+var foo = gvk.Gvk{Group: "example.com", Version: "v1", Kind: "Foo"}
+
 func TestOverlayRun(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "apps/v1",
 				"kind":       "Deployment",
@@ -54,7 +62,7 @@ func TestOverlayRun(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "apps/v1",
 			"kind":       "Deployment",
 			"metadata": map[string]interface{}{
@@ -87,7 +95,7 @@ func TestOverlayRun(t *testing.T) {
 		),
 	}
 	expected := resmap.ResMap{
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "apps/v1",
 				"kind":       "Deployment",
@@ -120,7 +128,7 @@ func TestOverlayRun(t *testing.T) {
 				},
 			}),
 	}
-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -136,7 +144,7 @@ func TestOverlayRun(t *testing.T) {

 func TestMultiplePatches(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "apps/v1",
 				"kind":       "Deployment",
@@ -158,7 +166,7 @@ func TestMultiplePatches(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "apps/v1",
 			"kind":       "Deployment",
 			"metadata": map[string]interface{}{
@@ -184,7 +192,7 @@ func TestMultiplePatches(t *testing.T) {
 			},
 		},
 		),
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "apps/v1",
 			"kind":       "Deployment",
 			"metadata": map[string]interface{}{
@@ -215,7 +223,7 @@ func TestMultiplePatches(t *testing.T) {
 		),
 	}
 	expected := resmap.ResMap{
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "apps/v1",
 				"kind":       "Deployment",
@@ -250,7 +258,7 @@ func TestMultiplePatches(t *testing.T) {
 				},
 			}),
 	}
-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -266,7 +274,7 @@ func TestMultiplePatches(t *testing.T) {

 func TestMultiplePatchesWithConflict(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(deploy, "deploy1"): resource.NewResourceFromMap(
+		resid.NewResId(deploy, "deploy1"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "apps/v1",
 				"kind":       "Deployment",
@@ -288,7 +296,7 @@ func TestMultiplePatchesWithConflict(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "apps/v1",
 			"kind":       "Deployment",
 			"metadata": map[string]interface{}{
@@ -314,7 +322,7 @@ func TestMultiplePatchesWithConflict(t *testing.T) {
 			},
 		},
 		),
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "apps/v1",
 			"kind":       "Deployment",
 			"metadata": map[string]interface{}{
@@ -336,7 +344,7 @@ func TestMultiplePatchesWithConflict(t *testing.T) {
 		),
 	}

-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -351,7 +359,7 @@ func TestMultiplePatchesWithConflict(t *testing.T) {

 func TestNoSchemaOverlayRun(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(foo, "my-foo"): resource.NewResourceFromMap(
+		resid.NewResId(foo, "my-foo"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "example.com/v1",
 				"kind":       "Foo",
@@ -367,7 +375,7 @@ func TestNoSchemaOverlayRun(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "example.com/v1",
 			"kind":       "Foo",
 			"metadata": map[string]interface{}{
@@ -383,7 +391,7 @@ func TestNoSchemaOverlayRun(t *testing.T) {
 		),
 	}
 	expected := resmap.ResMap{
-		resource.NewResId(foo, "my-foo"): resource.NewResourceFromMap(
+		resid.NewResId(foo, "my-foo"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "example.com/v1",
 				"kind":       "Foo",
@@ -399,7 +407,7 @@ func TestNoSchemaOverlayRun(t *testing.T) {
 			}),
 	}

-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -414,7 +422,7 @@ func TestNoSchemaOverlayRun(t *testing.T) {

 func TestNoSchemaMultiplePatches(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(foo, "my-foo"): resource.NewResourceFromMap(
+		resid.NewResId(foo, "my-foo"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "example.com/v1",
 				"kind":       "Foo",
@@ -430,7 +438,7 @@ func TestNoSchemaMultiplePatches(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "example.com/v1",
 			"kind":       "Foo",
 			"metadata": map[string]interface{}{
@@ -444,7 +452,7 @@ func TestNoSchemaMultiplePatches(t *testing.T) {
 			},
 		},
 		),
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "example.com/v1",
 			"kind":       "Foo",
 			"metadata": map[string]interface{}{
@@ -463,7 +471,7 @@ func TestNoSchemaMultiplePatches(t *testing.T) {
 		),
 	}
 	expected := resmap.ResMap{
-		resource.NewResId(foo, "my-foo"): resource.NewResourceFromMap(
+		resid.NewResId(foo, "my-foo"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "example.com/v1",
 				"kind":       "Foo",
@@ -483,7 +491,7 @@ func TestNoSchemaMultiplePatches(t *testing.T) {
 			}),
 	}

-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -498,7 +506,7 @@ func TestNoSchemaMultiplePatches(t *testing.T) {

 func TestNoSchemaMultiplePatchesWithConflict(t *testing.T) {
 	base := resmap.ResMap{
-		resource.NewResId(foo, "my-foo"): resource.NewResourceFromMap(
+		resid.NewResId(foo, "my-foo"): rf.FromMap(
 			map[string]interface{}{
 				"apiVersion": "example.com/v1",
 				"kind":       "Foo",
@@ -514,7 +522,7 @@ func TestNoSchemaMultiplePatchesWithConflict(t *testing.T) {
 			}),
 	}
 	patch := []*resource.Resource{
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "example.com/v1",
 			"kind":       "Foo",
 			"metadata": map[string]interface{}{
@@ -527,7 +535,7 @@ func TestNoSchemaMultiplePatchesWithConflict(t *testing.T) {
 				},
 			},
 		}),
-		resource.NewResourceFromMap(map[string]interface{}{
+		rf.FromMap(map[string]interface{}{
 			"apiVersion": "example.com/v1",
 			"kind":       "Foo",
 			"metadata": map[string]interface{}{
@@ -541,7 +549,7 @@ func TestNoSchemaMultiplePatchesWithConflict(t *testing.T) {
 		}),
 	}

-	lt, err := NewPatchTransformer(patch)
+	lt, err := NewPatchTransformer(patch, rf)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
--- a/internal/k8sdeps/transformer/patch/patchconflictdetector.go
+++ b/internal/k8sdeps/transformer/patch/patchconflictdetector.go
@@ -14,16 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package transformers
+package patch

 import (
 	"encoding/json"

-	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
+	"github.com/evanphx/json-patch"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/mergepatch"
 	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	"sigs.k8s.io/kustomize/pkg/resource"
 )

 type conflictDetector interface {
@@ -32,28 +32,33 @@ type conflictDetector interface {
 	mergePatches(patch1, patch2 *resource.Resource) (*resource.Resource, error)
 }

-type jsonMergePatch struct{}
+type jsonMergePatch struct {
+	rf *resource.Factory
+}

 var _ conflictDetector = &jsonMergePatch{}

-func newJMPConflictDetector() conflictDetector {
-	return &jsonMergePatch{}
+func newJMPConflictDetector(rf *resource.Factory) conflictDetector {
+	return &jsonMergePatch{rf: rf}
 }

-func (jmp *jsonMergePatch) hasConflict(patch1, patch2 *resource.Resource) (bool, error) {
-	return mergepatch.HasConflicts(patch1.Object, patch2.Object)
+func (jmp *jsonMergePatch) hasConflict(
+	patch1, patch2 *resource.Resource) (bool, error) {
+	return mergepatch.HasConflicts(patch1.Map(), patch2.Map())
 }

-func (jmp *jsonMergePatch) findConflict(conflictingPatchIdx int, patches []*resource.Resource) (*resource.Resource, error) {
+func (jmp *jsonMergePatch) findConflict(
+	conflictingPatchIdx int, patches []*resource.Resource) (*resource.Resource, error) {
 	for i, patch := range patches {
 		if i == conflictingPatchIdx {
 			continue
 		}
-		if patches[conflictingPatchIdx].GroupVersionKind() != patch.GroupVersionKind() ||
-			patches[conflictingPatchIdx].GetName() != patch.GetName() {
+		if !patches[conflictingPatchIdx].Id().GvknEquals(patch.Id()) {
 			continue
 		}
-		conflict, err := mergepatch.HasConflicts(patch.Object, patches[conflictingPatchIdx].Object)
+		conflict, err := mergepatch.HasConflicts(
+			patch.Map(),
+			patches[conflictingPatchIdx].Map())
 		if err != nil {
 			return nil, err
 		}
@@ -64,14 +69,13 @@ func (jmp *jsonMergePatch) findConflict(conflictingPatchIdx int, patches []*reso
 	return nil, nil
 }

-func (jmp *jsonMergePatch) mergePatches(patch1, patch2 *resource.Resource) (*resource.Resource, error) {
-	var merged resource.Resource
-	var mergedMap map[string]interface{}
-	baseBytes, err := json.Marshal(patch1.Object)
+func (jmp *jsonMergePatch) mergePatches(
+	patch1, patch2 *resource.Resource) (*resource.Resource, error) {
+	baseBytes, err := json.Marshal(patch1.Map())
 	if err != nil {
 		return nil, err
 	}
-	patchBytes, err := json.Marshal(patch2.Object)
+	patchBytes, err := json.Marshal(patch2.Map())
 	if err != nil {
 		return nil, err
 	}
@@ -79,37 +83,43 @@ func (jmp *jsonMergePatch) mergePatches(patch1, patch2 *resource.Resource) (*res
 	if err != nil {
 		return nil, err
 	}
+	mergedMap := make(map[string]interface{})
 	err = json.Unmarshal(mergedBytes, &mergedMap)
-	merged.SetUnstructuredContent(mergedMap)
-	return &merged, err
+	return jmp.rf.FromMap(mergedMap), err
 }

 type strategicMergePatch struct {
 	lookupPatchMeta strategicpatch.LookupPatchMeta
+	rf              *resource.Factory
 }

 var _ conflictDetector = &strategicMergePatch{}

-func newSMPConflictDetector(versionedObj runtime.Object) (conflictDetector, error) {
+func newSMPConflictDetector(
+	versionedObj runtime.Object,
+	rf *resource.Factory) (conflictDetector, error) {
 	lookupPatchMeta, err := strategicpatch.NewPatchMetaFromStruct(versionedObj)
-	return &strategicMergePatch{lookupPatchMeta: lookupPatchMeta}, err
+	return &strategicMergePatch{lookupPatchMeta: lookupPatchMeta, rf: rf}, err
 }

-func (smp *strategicMergePatch) hasConflict(patch1, patch2 *resource.Resource) (bool, error) {
-	return strategicpatch.MergingMapsHaveConflicts(patch1.Object, patch2.Object, smp.lookupPatchMeta)
+func (smp *strategicMergePatch) hasConflict(p1, p2 *resource.Resource) (bool, error) {
+	return strategicpatch.MergingMapsHaveConflicts(
+		p1.Map(), p2.Map(), smp.lookupPatchMeta)
 }

-func (smp *strategicMergePatch) findConflict(conflictingPatchIdx int, patches []*resource.Resource) (*resource.Resource, error) {
+func (smp *strategicMergePatch) findConflict(
+	conflictingPatchIdx int, patches []*resource.Resource) (*resource.Resource, error) {
 	for i, patch := range patches {
 		if i == conflictingPatchIdx {
 			continue
 		}
-		if patches[conflictingPatchIdx].GroupVersionKind() != patch.GroupVersionKind() ||
-			patches[conflictingPatchIdx].GetName() != patch.GetName() {
+		if !patches[conflictingPatchIdx].Id().GvknEquals(patch.Id()) {
 			continue
 		}
 		conflict, err := strategicpatch.MergingMapsHaveConflicts(
-			patch.Object, patches[conflictingPatchIdx].Object, smp.lookupPatchMeta)
+			patch.Map(),
+			patches[conflictingPatchIdx].Map(),
+			smp.lookupPatchMeta)
 		if err != nil {
 			return nil, err
 		}
@@ -121,9 +131,7 @@ func (smp *strategicMergePatch) findConflict(conflictingPatchIdx int, patches []
 }

 func (smp *strategicMergePatch) mergePatches(patch1, patch2 *resource.Resource) (*resource.Resource, error) {
-	merged := resource.Resource{}
-	mergeJsonMap, err := strategicpatch.MergeStrategicMergeMapPatchUsingLookupPatchMeta(
-		smp.lookupPatchMeta, patch1.Object, patch2.Object)
-	merged.SetUnstructuredContent(mergeJsonMap)
-	return &merged, err
+	mergeJSONMap, err := strategicpatch.MergeStrategicMergeMapPatchUsingLookupPatchMeta(
+		smp.lookupPatchMeta, patch1.Map(), patch2.Map())
+	return smp.rf.FromMap(mergeJSONMap), err
 }
--- a/internal/k8sdeps/validator/validators.go
+++ b/internal/k8sdeps/validator/validators.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package validator provides functions to validate labels, annotations, namespace using apimachinery
+package validator
+
+import (
+	"errors"
+	apivalidation "k8s.io/apimachinery/pkg/api/validation"
+	v1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// KustValidator validates Labels and annotations by apimachinery
+type KustValidator struct{}
+
+// NewKustValidator returns a KustValidator object
+func NewKustValidator() *KustValidator {
+	return &KustValidator{}
+}
+
+// MakeAnnotationValidator returns a MapValidatorFunc using apimachinery.
+func (v *KustValidator) MakeAnnotationValidator() func(map[string]string) error {
+	return func(x map[string]string) error {
+		errs := apivalidation.ValidateAnnotations(x, field.NewPath("field"))
+		if len(errs) > 0 {
+			return errors.New(errs.ToAggregate().Error())
+		}
+		return nil
+	}
+}
+
+// MakeLabelValidator returns a MapValidatorFunc using apimachinery.
+func (v *KustValidator) MakeLabelValidator() func(map[string]string) error {
+	return func(x map[string]string) error {
+		errs := v1validation.ValidateLabels(x, field.NewPath("field"))
+		if len(errs) > 0 {
+			return errors.New(errs.ToAggregate().Error())
+		}
+		return nil
+	}
+}
+
+// ValidateNamespace validates a string is a valid namespace using apimachinery.
+func (v *KustValidator) ValidateNamespace(s string) []string {
+	return validation.IsDNS1123Label(s)
+}
--- a/kustomize.go
+++ b/kustomize.go
@@ -20,14 +20,14 @@ import (
 	"os"

 	"github.com/golang/glog"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/commands"
+	"sigs.k8s.io/kustomize/internal/k8sdeps"
+	"sigs.k8s.io/kustomize/pkg/commands"
 )

 func main() {
 	defer glog.Flush()

-	if err := commands.NewDefaultCommand().Execute(); err != nil {
+	if err := commands.NewDefaultCommand(k8sdeps.NewFactory()).Execute(); err != nil {
 		os.Exit(1)
 	}
 	os.Exit(0)
--- a/pkg/app/application.go
+++ b/pkg/app/application.go
@@ -1,310 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package app implements state for the set of all resources being customized.
-// Should rename this - there's nothing "app"y about it.
-package app
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-
-	"github.com/ghodss/yaml"
-	"github.com/golang/glog"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/constants"
-	interror "github.com/kubernetes-sigs/kustomize/pkg/internal/error"
-	"github.com/kubernetes-sigs/kustomize/pkg/loader"
-	"github.com/kubernetes-sigs/kustomize/pkg/resmap"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
-	"github.com/kubernetes-sigs/kustomize/pkg/transformers"
-	"github.com/kubernetes-sigs/kustomize/pkg/types"
-	"github.com/pkg/errors"
-)
-
-// Application implements the guts of the kustomize 'build' command.
-// TODO: Change name, as "application" is overloaded and somewhat
-// misleading (one can customize an RBAC policy).  Perhaps "Target"
-// https://github.com/kubernetes-sigs/kustomize/blob/master/docs/glossary.md#target
-type Application struct {
-	kustomization *types.Kustomization
-	loader        loader.Loader
-}
-
-// NewApplication returns a new instance of Application primed with a Loader.
-func NewApplication(loader loader.Loader) (*Application, error) {
-	content, err := loader.Load(constants.KustomizationFileName)
-	if err != nil {
-		return nil, err
-	}
-
-	var m types.Kustomization
-	err = unmarshal(content, &m)
-	if err != nil {
-		return nil, err
-	}
-	return &Application{kustomization: &m, loader: loader}, nil
-}
-
-func unmarshal(y []byte, o interface{}) error {
-	j, err := yaml.YAMLToJSON(y)
-	if err != nil {
-		return err
-	}
-
-	dec := json.NewDecoder(bytes.NewReader(j))
-	dec.DisallowUnknownFields()
-	return dec.Decode(o)
-}
-
-// MakeCustomizedResMap creates a ResMap per kustomization instructions.
-// The Resources in the returned ResMap are fully customized.
-func (a *Application) MakeCustomizedResMap() (resmap.ResMap, error) {
-	m, err := a.loadCustomizedResMap()
-	if err != nil {
-		return nil, err
-	}
-	return a.resolveRefsToGeneratedResources(m)
-}
-
-// MakeUncustomizedResMap purports to create a ResMap without customization.
-// The Resources in the returned ResMap include all resources mentioned
-// in the kustomization file and transitively reachable via its Bases,
-// and all generated secrets and configMaps.
-// Meant for use in generating a diff against customized resources.
-// TODO: See https://github.com/kubernetes-sigs/kustomize/issues/85
-func (a *Application) MakeUncustomizedResMap() (resmap.ResMap, error) {
-	m, err := a.loadResMapFromBasesAndResources()
-	if err != nil {
-		return nil, err
-	}
-	return a.resolveRefsToGeneratedResources(m)
-}
-
-// resolveRefsToGeneratedResources fixes all name references.
-func (a *Application) resolveRefsToGeneratedResources(m resmap.ResMap) (resmap.ResMap, error) {
-	r := []transformers.Transformer{transformers.NewNameHashTransformer()}
-
-	t, err := transformers.NewDefaultingNameReferenceTransformer()
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-
-	refVars, err := a.resolveRefVars(m)
-	if err != nil {
-		return nil, err
-	}
-	t, err = transformers.NewRefVarTransformer(refVars)
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-
-	err = transformers.NewMultiTransformer(r).Transform(m)
-	if err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
-// loadCustomizedResMap loads and customizes resources to build a ResMap.
-func (a *Application) loadCustomizedResMap() (resmap.ResMap, error) {
-	errs := &interror.KustomizationErrors{}
-	result, err := a.loadResMapFromBasesAndResources()
-	if err != nil {
-		errs.Append(errors.Wrap(err, "rawResources"))
-	}
-
-	cms, err := resmap.NewResMapFromConfigMapArgs(a.loader, a.kustomization.ConfigMapGenerator)
-	if err != nil {
-		errs.Append(errors.Wrap(err, "NewResMapFromConfigMapArgs"))
-	}
-	secrets, err := resmap.NewResMapFromSecretArgs(a.loader.Root(), a.kustomization.SecretGenerator)
-	if err != nil {
-		errs.Append(errors.Wrap(err, "NewResMapFromSecretArgs"))
-	}
-	res, err := resmap.MergeWithoutOverride(cms, secrets)
-	if err != nil {
-		return nil, errors.Wrap(err, "Merge")
-	}
-
-	result, err = resmap.MergeWithOverride(result, res)
-	if err != nil {
-		return nil, err
-	}
-
-	patches, err := resmap.NewResourceSliceFromPatches(a.loader, a.kustomization.Patches)
-	if err != nil {
-		errs.Append(errors.Wrap(err, "NewResourceSliceFromPatches"))
-	}
-
-	if len(errs.Get()) > 0 {
-		return nil, errs
-	}
-	t, err := a.newTransformer(patches)
-	if err != nil {
-		return nil, err
-	}
-	err = t.Transform(result)
-	if err != nil {
-		return nil, err
-	}
-	return result, nil
-}
-
-// Gets Bases and Resources as advertised.
-func (a *Application) loadResMapFromBasesAndResources() (resmap.ResMap, error) {
-	bases, errs := a.loadCustomizedBases()
-	resources, err := resmap.NewResMapFromFiles(a.loader, a.kustomization.Resources)
-	if err != nil {
-		errs.Append(errors.Wrap(err, "rawResources failed to read Resources"))
-	}
-	if len(errs.Get()) > 0 {
-		return nil, errs
-	}
-	return resmap.MergeWithoutOverride(resources, bases)
-}
-
-// Loop through the Bases of this kustomization recursively loading resources.
-// Combine into one ResMap, demanding unique Ids for each resource.
-func (a *Application) loadCustomizedBases() (resmap.ResMap, *interror.KustomizationErrors) {
-	list := []resmap.ResMap{}
-	errs := &interror.KustomizationErrors{}
-	for _, path := range a.kustomization.Bases {
-		loader, err := a.loader.New(path)
-		if err != nil {
-			errs.Append(errors.Wrap(err, "couldn't make loader for "+path))
-			continue
-		}
-		app, err := NewApplication(loader)
-		if err != nil {
-			errs.Append(errors.Wrap(err, "couldn't make app for "+path))
-			continue
-		}
-		resMap, err := app.loadCustomizedResMap()
-		if err != nil {
-			errs.Append(errors.Wrap(err, "SemiResources"))
-			continue
-		}
-		list = append(list, resMap)
-	}
-	result, err := resmap.MergeWithoutOverride(list...)
-	if err != nil {
-		errs.Append(errors.Wrap(err, "Merge failed"))
-	}
-	return result, errs
-}
-
-func (a *Application) loadBasesAsFlatList() ([]*Application, error) {
-	var result []*Application
-	errs := &interror.KustomizationErrors{}
-	for _, path := range a.kustomization.Bases {
-		loader, err := a.loader.New(path)
-		if err != nil {
-			errs.Append(err)
-			continue
-		}
-		a, err := NewApplication(loader)
-		if err != nil {
-			errs.Append(err)
-			continue
-		}
-		result = append(result, a)
-	}
-	if len(errs.Get()) > 0 {
-		return nil, errs
-	}
-	return result, nil
-}
-
-// newTransformer makes a Transformer that does everything except resolve generated names.
-func (a *Application) newTransformer(patches []*resource.Resource) (transformers.Transformer, error) {
-	r := []transformers.Transformer{}
-	t, err := transformers.NewPatchTransformer(patches)
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-	r = append(r, transformers.NewNamespaceTransformer(string(a.kustomization.Namespace)))
-	t, err = transformers.NewDefaultingNamePrefixTransformer(string(a.kustomization.NamePrefix))
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-	t, err = transformers.NewDefaultingLabelsMapTransformer(a.kustomization.CommonLabels)
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-	t, err = transformers.NewDefaultingAnnotationsMapTransformer(a.kustomization.CommonAnnotations)
-	if err != nil {
-		return nil, err
-	}
-	r = append(r, t)
-	return transformers.NewMultiTransformer(r), nil
-}
-
-func (a *Application) resolveRefVars(m resmap.ResMap) (map[string]string, error) {
-	result := map[string]string{}
-	vars, err := a.getAllVars()
-	if err != nil {
-		return result, err
-	}
-	for _, v := range vars {
-		id := resource.NewResId(v.ObjRef.GroupVersionKind(), v.ObjRef.Name)
-		if r, found := m[id]; found {
-			s, err := r.GetFieldValue(v.FieldRef.FieldPath)
-			if err != nil {
-				return nil, fmt.Errorf("failed to resolve referred var: %+v", v)
-			}
-			result[v.Name] = s
-		} else {
-			glog.Infof("couldn't resolve v: %v", v)
-		}
-	}
-	return result, nil
-}
-
-// getAllVars returns all the "environment" style Var instances defined in the app.
-func (a *Application) getAllVars() ([]types.Var, error) {
-	result := []types.Var{}
-	errs := &interror.KustomizationErrors{}
-
-	bases, err := a.loadBasesAsFlatList()
-	if err != nil {
-		return nil, err
-	}
-
-	// TODO: computing vars and resources for bases can be combined
-	for _, b := range bases {
-		vars, err := b.getAllVars()
-		if err != nil {
-			errs.Append(err)
-			continue
-		}
-		result = append(result, vars...)
-	}
-	for _, v := range a.kustomization.Vars {
-		v.Defaulting()
-		result = append(result, v)
-	}
-	if len(errs.Get()) > 0 {
-		return nil, errs
-	}
-	return result, nil
-}
--- a/pkg/app/application_test.go
+++ b/pkg/app/application_test.go
@@ -1,340 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package app
-
-import (
-	"encoding/base64"
-	"os"
-	"reflect"
-	"testing"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/constants"
-	"github.com/kubernetes-sigs/kustomize/pkg/internal/loadertest"
-	"github.com/kubernetes-sigs/kustomize/pkg/loader"
-	"github.com/kubernetes-sigs/kustomize/pkg/resmap"
-	"github.com/kubernetes-sigs/kustomize/pkg/resource"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-const (
-	kustomizationContent1 = `
-namePrefix: foo-
-namespace: ns1
-commonLabels:
-  app: nginx
-commonAnnotations:
-  note: This is a test annotation
-resources:
-  - deployment.yaml
-  - namespace.yaml
-configMapGenerator:
- name: literalConfigMap
-  literals:
-  - DB_USERNAME=admin
-  - DB_PASSWORD=somepw
-secretGenerator:
- name: secret
-  commands:
-    DB_USERNAME: "printf admin"
-    DB_PASSWORD: "printf somepw"
-  type: Opaque
-`
-	deploymentContent = `apiVersion: apps/v1
-metadata:
-  name: dply1
-kind: Deployment
-`
-	namespaceContent = `apiVersion: v1
-kind: Namespace
-metadata:
-  name: ns1
-`
-)
-
-func makeLoader1(t *testing.T) loader.Loader {
-	loader := loadertest.NewFakeLoader("/testpath")
-	err := loader.AddFile("/testpath/"+constants.KustomizationFileName, []byte(kustomizationContent1))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	err = loader.AddFile("/testpath/deployment.yaml", []byte(deploymentContent))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	err = loader.AddFile("/testpath/namespace.yaml", []byte(namespaceContent))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	return loader
-}
-
-var deploy = schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"}
-var cmap = schema.GroupVersionKind{Version: "v1", Kind: "ConfigMap"}
-var secret = schema.GroupVersionKind{Version: "v1", Kind: "Secret"}
-var ns = schema.GroupVersionKind{Version: "v1", Kind: "Namespace"}
-var svc = schema.GroupVersionKind{Version: "v1", Kind: "Service"}
-
-func TestResources1(t *testing.T) {
-	expected := resmap.ResMap{
-		resource.NewResId(deploy, "dply1"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "apps/v1",
-				"kind":       "Deployment",
-				"metadata": map[string]interface{}{
-					"name":      "foo-dply1",
-					"namespace": "ns1",
-					"labels": map[string]interface{}{
-						"app": "nginx",
-					},
-					"annotations": map[string]interface{}{
-						"note": "This is a test annotation",
-					},
-				},
-				"spec": map[string]interface{}{
-					"selector": map[string]interface{}{
-						"matchLabels": map[string]interface{}{
-							"app": "nginx",
-						},
-					},
-					"template": map[string]interface{}{
-						"metadata": map[string]interface{}{
-							"annotations": map[string]interface{}{
-								"note": "This is a test annotation",
-							},
-							"labels": map[string]interface{}{
-								"app": "nginx",
-							},
-						},
-					},
-				},
-			}),
-		resource.NewResId(cmap, "literalConfigMap"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "v1",
-				"kind":       "ConfigMap",
-				"metadata": map[string]interface{}{
-					"name":      "foo-literalConfigMap-mc92bgcbh5",
-					"namespace": "ns1",
-					"labels": map[string]interface{}{
-						"app": "nginx",
-					},
-					"annotations": map[string]interface{}{
-						"note": "This is a test annotation",
-					},
-					"creationTimestamp": nil,
-				},
-				"data": map[string]interface{}{
-					"DB_USERNAME": "admin",
-					"DB_PASSWORD": "somepw",
-				},
-			}),
-		resource.NewResId(secret, "secret"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "v1",
-				"kind":       "Secret",
-				"metadata": map[string]interface{}{
-					"name":      "foo-secret-877fcfhgt5",
-					"namespace": "ns1",
-					"labels": map[string]interface{}{
-						"app": "nginx",
-					},
-					"annotations": map[string]interface{}{
-						"note": "This is a test annotation",
-					},
-					"creationTimestamp": nil,
-				},
-				"type": string(corev1.SecretTypeOpaque),
-				"data": map[string]interface{}{
-					"DB_USERNAME": base64.StdEncoding.EncodeToString([]byte("admin")),
-					"DB_PASSWORD": base64.StdEncoding.EncodeToString([]byte("somepw")),
-				},
-			}),
-		resource.NewResId(ns, "ns1"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "v1",
-				"kind":       "Namespace",
-				"metadata": map[string]interface{}{
-					"name": "foo-ns1",
-					"labels": map[string]interface{}{
-						"app": "nginx",
-					},
-					"annotations": map[string]interface{}{
-						"note": "This is a test annotation",
-					},
-				},
-			}),
-	}
-	l := makeLoader1(t)
-	app, err := NewApplication(l)
-	if err != nil {
-		t.Fatalf("Unexpected construction error %v", err)
-	}
-	actual, err := app.MakeCustomizedResMap()
-	if err != nil {
-		t.Fatalf("Unexpected Resources error %v", err)
-	}
-
-	if !reflect.DeepEqual(actual, expected) {
-		err = expected.ErrorIfNotEqual(actual)
-		t.Fatalf("unexpected inequality: %v", err)
-	}
-}
-
-func TestRawResources1(t *testing.T) {
-	expected := resmap.ResMap{
-		resource.NewResId(deploy, "dply1"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "apps/v1",
-				"kind":       "Deployment",
-				"metadata": map[string]interface{}{
-					"name": "dply1",
-				},
-			}),
-		resource.NewResId(ns, "ns1"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "v1",
-				"kind":       "Namespace",
-				"metadata": map[string]interface{}{
-					"name": "ns1",
-				},
-			}),
-	}
-	l := makeLoader1(t)
-	app, err := NewApplication(l)
-	if err != nil {
-		t.Fatalf("Unexpected construction error %v", err)
-	}
-	actual, err := app.MakeUncustomizedResMap()
-	if err != nil {
-		t.Fatalf("Unexpected RawResources error %v", err)
-	}
-
-	if err := expected.ErrorIfNotEqual(actual); err != nil {
-		t.Fatalf("unexpected inequality: %v", err)
-	}
-}
-
-const (
-	kustomizationContentBase = `
-namePrefix: foo-
-commonLabels:
-  app: banana
-resources:
-  - deployment.yaml
-`
-	kustomizationContentOverlay = `
-commonLabels:
-  env: staging
-resources:
-  - service.yaml
-bases:
-  - base
-`
-	serviceContent = `apiVersion: v1
-kind: Service
-metadata:
-  name: svc
-spec:
-  type: LoadBalancer
-`
-)
-
-func makeLoader2(t *testing.T) loader.Loader {
-	loader := loadertest.NewFakeLoader("/testpath")
-	err := loader.AddFile("/testpath/"+constants.KustomizationFileName, []byte(kustomizationContentOverlay))
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = loader.AddFile("/testpath/service.yaml", []byte(serviceContent))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	err = loader.AddDirectory("/testpath/base", os.ModeDir)
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	err = loader.AddFile("/testpath/base/"+constants.KustomizationFileName, []byte(kustomizationContentBase))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	err = loader.AddFile("/testpath/base/deployment.yaml", []byte(deploymentContent))
-	if err != nil {
-		t.Fatalf("Failed to setup fake loader.")
-	}
-	return loader
-}
-
-// TODO: This test covers incorrect behavior; it should not pass.
-// It asks for raw resources.  The Service resource is returned in raw form,
-// but the resources in the base are modified to have the banana label,
-// the 'foo' name prefix, etc.  This method exists only to support the
-// diff command comparing customized to non-customized resources;
-// perhaps it's not worth supporting the command.
-func TestRawResources2(t *testing.T) {
-	expected := resmap.ResMap{
-		resource.NewResId(deploy, "dply1"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "apps/v1",
-				"kind":       "Deployment",
-				"metadata": map[string]interface{}{
-					"name": "foo-dply1",
-					"labels": map[string]interface{}{
-						"app": "banana",
-					},
-				},
-				"spec": map[string]interface{}{
-					"selector": map[string]interface{}{
-						"matchLabels": map[string]interface{}{
-							"app": "banana",
-						},
-					},
-					"template": map[string]interface{}{
-						"metadata": map[string]interface{}{
-							"labels": map[string]interface{}{
-								"app": "banana",
-							},
-						},
-					},
-				},
-			}),
-		resource.NewResId(svc, "svc"): resource.NewResourceFromMap(
-			map[string]interface{}{
-				"apiVersion": "v1",
-				"kind":       "Service",
-				"metadata": map[string]interface{}{
-					"name": "svc",
-				},
-				"spec": map[string]interface{}{
-					"type": "LoadBalancer",
-				},
-			}),
-	}
-	l := makeLoader2(t)
-	app, err := NewApplication(l)
-	if err != nil {
-		t.Fatalf("Unexpected construction error %v", err)
-	}
-	actual, err := app.MakeUncustomizedResMap()
-	if err != nil {
-		t.Fatalf("Unexpected RawResources error %v", err)
-	}
-
-	if err := expected.ErrorIfNotEqual(actual); err != nil {
-		t.Fatalf("unexpected inequality: %v", err)
-	}
-}
--- a/pkg/commands/build.go
+++ b/pkg/commands/build.go
@@ -1,102 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package commands
-
-import (
-	"io"
-	"path/filepath"
-
-	"github.com/spf13/cobra"
-
-	"errors"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/app"
-	"github.com/kubernetes-sigs/kustomize/pkg/constants"
-	"github.com/kubernetes-sigs/kustomize/pkg/fs"
-	"github.com/kubernetes-sigs/kustomize/pkg/loader"
-)
-
-type buildOptions struct {
-	kustomizationPath string
-}
-
-// newCmdBuild creates a new build command.
-func newCmdBuild(out, errOut io.Writer, fs fs.FileSystem) *cobra.Command {
-	var o buildOptions
-
-	cmd := &cobra.Command{
-		Use:   "build [path]",
-		Short: "Print current configuration per contents of " + constants.KustomizationFileName,
-		Example: "Use the file somedir/" + constants.KustomizationFileName +
-			" to generate a set of api resources:\nbuild somedir/",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			err := o.Validate(args)
-			if err != nil {
-				return err
-			}
-			return o.RunBuild(out, errOut, fs)
-		},
-	}
-	return cmd
-}
-
-// Validate validates build command.
-func (o *buildOptions) Validate(args []string) error {
-	if len(args) > 1 {
-		return errors.New("specify one path to " + constants.KustomizationFileName)
-	}
-	if len(args) == 0 {
-		o.kustomizationPath = "./"
-		return nil
-	}
-	o.kustomizationPath = args[0]
-	return nil
-}
-
-// RunBuild runs build command.
-func (o *buildOptions) RunBuild(out, errOut io.Writer, fs fs.FileSystem) error {
-	l := loader.Init([]loader.SchemeLoader{loader.NewFileLoader(fs)})
-
-	absPath, err := filepath.Abs(o.kustomizationPath)
-	if err != nil {
-		return err
-	}
-
-	rootLoader, err := l.New(absPath)
-	if err != nil {
-		return err
-	}
-
-	application, err := app.NewApplication(rootLoader)
-	if err != nil {
-		return err
-	}
-
-	allResources, err := application.MakeCustomizedResMap()
-
-	if err != nil {
-		return err
-	}
-
-	// Output the objects.
-	res, err := allResources.EncodeAsYaml()
-	if err != nil {
-		return err
-	}
-	_, err = out.Write(res)
-	return err
-}
--- a/pkg/commands/build/build.go
+++ b/pkg/commands/build/build.go
@@ -0,0 +1,170 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package build
+
+import (
+	"io"
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/kustomize/pkg/constants"
+	"sigs.k8s.io/kustomize/pkg/fs"
+	"sigs.k8s.io/kustomize/pkg/ifc/transformer"
+	"sigs.k8s.io/kustomize/pkg/loader"
+	"sigs.k8s.io/kustomize/pkg/resmap"
+	"sigs.k8s.io/kustomize/pkg/target"
+	"sigs.k8s.io/kustomize/pkg/transformers/config"
+)
+
+type buildOptions struct {
+	kustomizationPath      string
+	outputPath             string
+	transformerconfigPaths []string
+}
+
+var examples = `
+Use the file somedir/kustomization.yaml to generate a set of api resources:
+    build somedir
+
+Use a url pointing to a remote directory/kustomization.yaml to generate a set of api resources:
+    build url
+The url should follow hashicorp/go-getter URL format described in
+https://github.com/hashicorp/go-getter#url-format
+
+url examples:
+  sigs.k8s.io/kustomize//examples/multibases?ref=v1.0.6
+  github.com/Liujingfang1/mysql
+  github.com/Liujingfang1/kustomize//examples/helloWorld?ref=repoUrl2
+
+Advanced usage:
+Use different transformer configurations by passing files to kustomize
+    build somedir -t someconfigdir
+    build somedir -t some-transformer-configfile,another-transformer-configfile
+`
+
+// NewCmdBuild creates a new build command.
+func NewCmdBuild(
+	out io.Writer, fs fs.FileSystem,
+	rf *resmap.Factory,
+	ptf transformer.Factory) *cobra.Command {
+	var o buildOptions
+	var p string
+
+	cmd := &cobra.Command{
+		Use:          "build [path]",
+		Short:        "Print current configuration per contents of " + constants.KustomizationFileName,
+		Example:      examples,
+		SilenceUsage: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := o.Validate(args, p, fs)
+			if err != nil {
+				return err
+			}
+			return o.RunBuild(out, fs, rf, ptf)
+		},
+	}
+	cmd.Flags().StringVarP(
+		&o.outputPath,
+		"output", "o", "",
+		"If specified, write the build output to this path.")
+	cmd.Flags().StringVarP(
+		&p,
+		"transformer-config", "t", "",
+		"If specified, use the transformer configs load from these files.")
+	return cmd
+}
+
+// Validate validates build command.
+func (o *buildOptions) Validate(args []string, p string, fs fs.FileSystem) error {
+	if len(args) > 1 {
+		return errors.New("specify one path to " + constants.KustomizationFileName)
+	}
+	if len(args) == 0 {
+		o.kustomizationPath = "./"
+		return nil
+	}
+	o.kustomizationPath = args[0]
+
+	if p == "" {
+		return nil
+	}
+
+	if fs.IsDir(p) {
+		paths, err := fs.Glob(p + "/*")
+		if err != nil {
+			return err
+		}
+		o.transformerconfigPaths = paths
+	} else {
+		o.transformerconfigPaths = strings.Split(p, ",")
+	}
+
+	return nil
+}
+
+// RunBuild runs build command.
+func (o *buildOptions) RunBuild(
+	out io.Writer, fSys fs.FileSystem,
+	rf *resmap.Factory,
+	ptf transformer.Factory) error {
+	rootLoader, err := loader.NewLoader(o.kustomizationPath, "", fSys)
+	if err != nil {
+		return err
+	}
+	tc, err := makeTransformerconfig(fSys, o.transformerconfigPaths)
+	if err != nil {
+		return err
+	}
+	defer rootLoader.Cleanup()
+	kt, err := target.NewKustTarget(
+		rootLoader, fSys,
+		rf,
+		ptf, tc)
+	if err != nil {
+		return err
+	}
+	allResources, err := kt.MakeCustomizedResMap()
+	if err != nil {
+		return err
+	}
+	// Output the objects.
+	res, err := allResources.EncodeAsYaml()
+	if err != nil {
+		return err
+	}
+	if o.outputPath != "" {
+		return fSys.WriteFile(o.outputPath, res)
+	}
+	_, err = out.Write(res)
+	return err
+}
+
+// makeTransformerConfig returns a complete TransformerConfig object from either files
+// or the default configs
+func makeTransformerconfig(
+	fSys fs.FileSystem, paths []string) (*config.TransformerConfig, error) {
+	if paths == nil || len(paths) == 0 {
+		return config.NewFactory(nil).DefaultConfig(), nil
+	}
+	ldr, err := loader.NewLoader(".", "", fSys)
+	if err != nil {
+		return nil, errors.Wrap(
+			err, "cannot create transformer configuration loader")
+	}
+	return config.NewFactory(ldr).FromFiles(paths)
+}
--- a/pkg/commands/build/build_test.go
+++ b/pkg/commands/build/build_test.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package commands
+package build

 import (
 	"bytes"
@@ -26,10 +26,10 @@ import (
 	"testing"

 	"github.com/ghodss/yaml"
-
-	"github.com/kubernetes-sigs/kustomize/pkg/constants"
-	"github.com/kubernetes-sigs/kustomize/pkg/fs"
-	"k8s.io/apimachinery/pkg/util/sets"
+	"sigs.k8s.io/kustomize/internal/k8sdeps"
+	"sigs.k8s.io/kustomize/pkg/commands/kustfile"
+	"sigs.k8s.io/kustomize/pkg/constants"
+	"sigs.k8s.io/kustomize/pkg/fs"
 )

 type buildTestCase struct {
@@ -56,7 +56,7 @@ func TestBuildValidate(t *testing.T) {
 	}
 	for _, mycase := range cases {
 		opts := buildOptions{}
-		e := opts.Validate(mycase.args)
+		e := opts.Validate(mycase.args, "", nil)
 		if len(mycase.erMsg) > 0 {
 			if e == nil {
 				t.Errorf("%s: Expected an error %v", mycase.name, mycase.erMsg)
@@ -79,9 +79,9 @@ func TestBuildValidate(t *testing.T) {
 func TestBuild(t *testing.T) {
 	const updateEnvVar = "UPDATE_KUSTOMIZE_EXPECTED_DATA"
 	updateKustomizeExpected := os.Getenv(updateEnvVar) == "true"
-	fs := fs.MakeRealFS()
+	fSys := fs.MakeRealFS()

-	testcases := sets.NewString()
+	var testcases []string
 	filepath.Walk("testdata", func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
@@ -92,24 +92,27 @@ func TestBuild(t *testing.T) {
 		name := filepath.Base(path)
 		if info.IsDir() {
 			if strings.HasPrefix(name, "testcase-") {
-				testcases.Insert(strings.TrimPrefix(name, "testcase-"))
+				testcases = append(testcases, strings.TrimPrefix(name, "testcase-"))
 			}
 			return filepath.SkipDir
 		}
 		return nil
 	})
 	// sanity check that we found the right folder
-	if !testcases.Has("simple") {
+	if !kustfile.StringInSlice("simple", testcases) {
 		t.Fatalf("Error locating testcases")
 	}

-	for _, testcaseName := range testcases.List() {
-		t.Run(testcaseName, func(t *testing.T) { runBuildTestCase(t, testcaseName, updateKustomizeExpected, fs) })
+	for _, testcaseName := range testcases {
+		t.Run(testcaseName,
+			func(t *testing.T) {
+				runBuildTestCase(t, testcaseName, updateKustomizeExpected, fSys)
+			})
 	}

 }

-func runBuildTestCase(t *testing.T, testcaseName string, updateKustomizeExpected bool, fs fs.FileSystem) {
+func runBuildTestCase(t *testing.T, testcaseName string, updateKustomizeExpected bool, fSys fs.FileSystem) {
 	name := testcaseName
 	testcase := buildTestCase{}
 	testcaseDir := filepath.Join("testdata", "testcase-"+name)
@@ -125,7 +128,11 @@ func runBuildTestCase(t *testing.T, testcaseName string, updateKustomizeExpected
 		kustomizationPath: testcase.Filename,
 	}
 	buf := bytes.NewBuffer([]byte{})
-	err = ops.RunBuild(buf, os.Stderr, fs)
+	f := k8sdeps.NewFactory()
+	err = ops.RunBuild(
+		buf, fSys,
+		f.ResmapF,
+		f.TransformerF)
 	switch {
 	case err != nil && len(testcase.ExpectedError) == 0:
 		t.Errorf("unexpected error: %v", err)
@@ -145,7 +152,7 @@ func runBuildTestCase(t *testing.T, testcaseName string, updateKustomizeExpected
 			t.Errorf("unexpected error: %v", err)
 		}
 		if !reflect.DeepEqual(actualBytes, expectedBytes) {
-			t.Errorf("%s\ndoesn't equal expected:\n%s\n", actualBytes, expectedBytes)
+			t.Errorf("\n**** Actual:\n\n%s\n\n**** doesn't equal expected:\n\n%s\n\n", actualBytes, expectedBytes)
 		}
 	} else {
 		ioutil.WriteFile(testcase.ExpectedStdout, actualBytes, 0644)
--- a/pkg/commands/build/testdata/testcase-base-only/expected.diff
+++ b/pkg/commands/build/testdata/testcase-base-only/expected.diff
@@ -32,6 +32,33 @@ diff -u -N /tmp/noop/apps_v1beta2_Deployment_nginx.yaml /tmp/transformed/apps_v1
     spec:
       containers:
       - image: nginx
+diff -u -N /tmp/noop/networking.k8s.io_v1_NetworkPolicy_nginx.yaml /tmp/transformed/networking.k8s.io_v1_NetworkPolicy_nginx.yaml
+--- /tmp/noop/networking.k8s.io_v1_NetworkPolicy_nginx.yaml	YYYY-MM-DD HH:MM:SS
+++ /tmp/transformed/networking.k8s.io_v1_NetworkPolicy_nginx.yaml	YYYY-MM-DD HH:MM:SS
+@@ -1,13 +1,21 @@
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+-  name: nginx
+  annotations:
+    note: This is a test annotation
+  labels:
+    app: mynginx
+    org: example.com
+    team: foo
+  name: team-foo-nginx
+ spec:
+   ingress:
+   - from:
+     - podSelector:
+         matchLabels:
+-          app: nginx
+          app: mynginx
+          org: example.com
+          team: foo
+   podSelector:
+     matchExpressions:
+     - key: app
 diff -u -N /tmp/noop/v1_Service_nginx.yaml /tmp/transformed/v1_Service_nginx.yaml
 --- /tmp/noop/v1_Service_nginx.yaml	YYYY-MM-DD HH:MM:SS
 +++ /tmp/transformed/v1_Service_nginx.yaml	YYYY-MM-DD HH:MM:SS
--- a/pkg/commands/build/testdata/testcase-base-only/expected.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/expected.yaml
@@ -44,3 +44,28 @@ spec:
      containers:
      - image: nginx
        name: nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  annotations:
+    note: This is a test annotation
+  labels:
+    app: mynginx
+    org: example.com
+    team: foo
+  name: team-foo-nginx
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: mynginx
+          org: example.com
+          team: foo
+  podSelector:
+    matchExpressions:
+    - key: app
+      operator: In
+      values:
+      - test
--- a/pkg/commands/build/testdata/testcase-base-only/in/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/in/kustomization.yaml
@@ -6,5 +6,6 @@ commonLabels:
 commonAnnotations:
  note: This is a test annotation
 resources:
-  - deployment.yaml
-  - service.yaml
+  - resources/deployment.yaml
+  - resources/networkpolicy.yaml
+  - resources/service.yaml
--- a/pkg/commands/build/testdata/testcase-base-only/in/resources/deployment.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/in/resources/deployment.yaml
--- a/pkg/commands/build/testdata/testcase-base-only/in/resources/networkpolicy.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/in/resources/networkpolicy.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: nginx
+spec:
+  podSelector:
+    matchExpressions:
+      - {key: app, operator: In, values: [test]}
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: nginx
--- a/pkg/commands/build/testdata/testcase-base-only/in/resources/service.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/in/resources/service.yaml
--- a/pkg/commands/build/testdata/testcase-base-only/test.yaml
+++ b/pkg/commands/build/testdata/testcase-base-only/test.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/base/myapp/mycomponent/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/base/myapp/mycomponent/kustomization.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/base/myapp/mycomponent2/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/base/myapp/mycomponent2/kustomization.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/expected.diff
+++ b/pkg/commands/build/testdata/testcase-configmaps/expected.diff
--- a/pkg/commands/build/testdata/testcase-configmaps/expected.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/expected.yaml
@@ -6,7 +6,6 @@ data:
 kind: ConfigMap
 metadata:
  annotations: {}
-  creationTimestamp: null
  labels: {}
  name: p1-com1-dhbbm922gd
 ---
@@ -16,6 +15,5 @@ data:
 kind: ConfigMap
 metadata:
  annotations: {}
-  creationTimestamp: null
  labels: {}
  name: p2-com2-c4b8md75k9
--- a/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/kustomization.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/myapp/mycomponent/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/myapp/mycomponent/kustomization.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/myapp/mycomponent2/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/overlay/dev/myapp/mycomponent2/kustomization.yaml
--- a/pkg/commands/build/testdata/testcase-configmaps/test.yaml
+++ b/pkg/commands/build/testdata/testcase-configmaps/test.yaml
--- a/pkg/commands/build/testdata/testcase-crds/crd/bee.yaml
+++ b/pkg/commands/build/testdata/testcase-crds/crd/bee.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1beta1
+kind: Bee
+metadata:
+  name: bee
+spec:
+  action: fly
--- a/pkg/commands/build/testdata/testcase-crds/crd/kustomization.yaml
+++ b/pkg/commands/build/testdata/testcase-crds/crd/kustomization.yaml
@@ -0,0 +1,9 @@
+crds:
+- mycrd.json
+
+resources:
+- secret.yaml
+- mykind.yaml
+- bee.yaml
+
+namePrefix: test-
--- a/pkg/commands/build/testdata/testcase-crds/crd/mycrd.json
+++ b/pkg/commands/build/testdata/testcase-crds/crd/mycrd.json
@@ -0,0 +1,170 @@
+{
+  "github.com/example/pkg/apis/jingfang/v1beta1.Bee": {
+    "Schema": {
+      "description": "Bee",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"
+        },
+        "spec": {
+          "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.BeeSpec"
+        },
+        "status": {
+          "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.BeeStatus"
+        }
+      }
+    },
+    "Dependencies": [
+      "github.com/example/pkg/apis/jingfang/v1beta1.BeeSpec",
+      "github.com/example/pkg/apis/jingfang/v1beta1.BeeStatus",
+      "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"
+    ]
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.BeeList": {
+    "Schema": {
+      "required": [
+        "items"
+      ],
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "type": "array",
+          "items": {
+            "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.Bee"
+          }
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"
+        }
+      }
+    },
+    "Dependencies": [
+      "github.com/example/pkg/apis/jingfang/v1beta1.Bee",
+      "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"
+    ]
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.BeeObjectReference": {
+    "Schema": {
+      "properties": {
+        "name": {
+          "type": "string"
+        }
+      }
+    },
+    "Dependencies": []
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.BeeSpec": {
+    "Schema": {
+      "description": "BeeSpec defines the desired state of Bee"
+    },
+    "Dependencies": []
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.BeeStatus": {
+    "Schema": {
+      "description": "BeeStatus defines the observed state of Bee"
+    },
+    "Dependencies": []
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.MyKind": {
+    "Schema": {
+      "description": "MyKind",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"
+        },
+        "spec": {
+          "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.MyKindSpec"
+        },
+        "status": {
+          "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.MyKindStatus"
+        }
+      }
+    },
+    "Dependencies": [
+      "github.com/example/pkg/apis/jingfang/v1beta1.MyKindSpec",
+      "github.com/example/pkg/apis/jingfang/v1beta1.MyKindStatus",
+      "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"
+    ]
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.MyKindList": {
+    "Schema": {
+      "required": [
+        "items"
+      ],
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "type": "array",
+          "items": {
+            "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.MyKind"
+          }
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"
+        }
+      }
+    },
+    "Dependencies": [
+      "github.com/example/pkg/apis/jingfang/v1beta1.MyKind",
+      "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"
+    ]
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.MyKindSpec": {
+    "Schema": {
+      "description": "MyKindSpec defines the desired state of MyKind",
+      "properties": {
+        "beeRef": {
+          "x-kubernetes-object-ref-api-version": "v1beta1",
+          "x-kubernetes-object-ref-kind": "Bee",
+          "$ref": "github.com/example/pkg/apis/jingfang/v1beta1.BeeObjectReference"
+        },
+        "secretRef": {
+          "description": "If defined, we use this secret for configuring the MYSQL_ROOT_PASSWORD If it is not set we generate a secret dynamically",
+          "x-kubernetes-object-ref-api-version": "v1",
+          "x-kubernetes-object-ref-kind": "Secret",
+          "$ref": "k8s.io/api/core/v1.LocalObjectReference"
+        }
+      }
+    },
+    "Dependencies": [
+      "github.com/example/pkg/apis/jingfang/v1beta1.BeeObjectReference",
+      "k8s.io/api/core/v1.LocalObjectReference"
+    ]
+  },
+  "github.com/example/pkg/apis/jingfang/v1beta1.MyKindStatus": {
+    "Schema": {
+      "description": "MyKindStatus defines the observed state of MyKind"
+    },
+    "Dependencies": []
+  }
+}
--- a/pkg/commands/build/testdata/testcase-crds/crd/mykind.yaml
+++ b/pkg/commands/build/testdata/testcase-crds/crd/mykind.yaml
@@ -0,0 +1,9 @@
+apiVersion: jingfang.example.com/v1beta1
+kind: MyKind
+metadata:
+  name: mykind
+spec:
+  secretRef:
+    name: crdsecret
+  beeRef:
+    name: bee
--- a/pkg/commands/build/testdata/testcase-crds/crd/secret.yaml
+++ b/pkg/commands/build/testdata/testcase-crds/crd/secret.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crdsecret
+data:
+  PATH: YmJiYmJiYmIK
--- a/pkg/commands/build/testdata/testcase-crds/expected.diff
+++ b/pkg/commands/build/testdata/testcase-crds/expected.diff
@@ -0,0 +1,36 @@
+diff -u -N /tmp/noop/jingfang.example.com_v1beta1_MyKind_mykind.yaml /tmp/transformed/jingfang.example.com_v1beta1_MyKind_mykind.yaml
+--- /tmp/noop/jingfang.example.com_v1beta1_MyKind_mykind.yaml	YYYY-MM-DD HH:MM:SS
+++ /tmp/transformed/jingfang.example.com_v1beta1_MyKind_mykind.yaml	YYYY-MM-DD HH:MM:SS
+@@ -1,9 +1,9 @@
+ apiVersion: jingfang.example.com/v1beta1
+ kind: MyKind
+ metadata:
+-  name: mykind
+  name: test-mykind
+ spec:
+   beeRef:
+-    name: bee
+    name: test-bee
+   secretRef:
+-    name: crdsecret
+    name: test-crdsecret
+diff -u -N /tmp/noop/v1beta1_Bee_bee.yaml /tmp/transformed/v1beta1_Bee_bee.yaml
+--- /tmp/noop/v1beta1_Bee_bee.yaml	YYYY-MM-DD HH:MM:SS
+++ /tmp/transformed/v1beta1_Bee_bee.yaml	YYYY-MM-DD HH:MM:SS
+@@ -1,6 +1,6 @@
+ apiVersion: v1beta1
+ kind: Bee
+ metadata:
+-  name: bee
+  name: test-bee
+ spec:
+   action: fly
+diff -u -N /tmp/noop/v1_Secret_crdsecret.yaml /tmp/transformed/v1_Secret_crdsecret.yaml
+--- /tmp/noop/v1_Secret_crdsecret.yaml	YYYY-MM-DD HH:MM:SS
+++ /tmp/transformed/v1_Secret_crdsecret.yaml	YYYY-MM-DD HH:MM:SS
+@@ -3,4 +3,4 @@
+   PATH: YmJiYmJiYmIK
+ kind: Secret
+ metadata:
+-  name: crdsecret
+  name: test-crdsecret
--- a/Show More
+++ b/Show More