Merge pull request #1491 from fluxcd/feat-dependon-cel

Extend the readiness evaluation of dependencies with CEL expressions
controller: Move manager to a dedicated file
2025-07-29 08:28:26 +03:00 · 2025-07-22 20:43:14 +03:00 · 2025-07-22 20:24:03 +03:00 · 2025-07-22 20:23:58 +03:00 · 2025-07-22 12:57:52 +03:00 · 2025-07-22 12:57:08 +03:00
218 changed files with 32083 additions and 4537 deletions
--- a/.github/actions/kubebuilder/Dockerfile
+++ b/.github/actions/kubebuilder/Dockerfile
@ -1,6 +0,0 @@
-FROM giantswarm/tiny-tools
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/kubebuilder/action.yml
+++ b/.github/actions/kubebuilder/action.yml
@ -1,9 +0,0 @@
-name: 'kubebuilder'
-description: 'A GitHub Action to run kubebuilder commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
--- a/.github/actions/kubebuilder/entrypoint.sh
+++ b/.github/actions/kubebuilder/entrypoint.sh
@ -1,12 +0,0 @@
-#!/bin/sh -l
-
-VERSION=2.3.1
-
-curl -sL https://go.kubebuilder.io/dl/${VERSION}/linux/amd64 | tar -xz -C /tmp/
-
-mkdir -p $GITHUB_WORKSPACE/kubebuilder
-mv /tmp/kubebuilder_${VERSION}_linux_amd64/* $GITHUB_WORKSPACE/kubebuilder/
-ls -lh $GITHUB_WORKSPACE/kubebuilder/bin
-
-echo "::add-path::$GITHUB_WORKSPACE/kubebuilder/bin"
-echo "::add-path::$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/kubebuilder/bin"
--- a/.github/actions/kustomize/Dockerfile
+++ b/.github/actions/kustomize/Dockerfile
@ -1,6 +0,0 @@
-FROM giantswarm/tiny-tools
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/kustomize/action.yml
+++ b/.github/actions/kustomize/action.yml
@ -1,9 +0,0 @@
-name: 'kustomize'
-description: 'A GitHub Action to run kustomize commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
--- a/.github/actions/kustomize/entrypoint.sh
+++ b/.github/actions/kustomize/entrypoint.sh
@ -1,12 +0,0 @@
-#!/bin/sh -l
-
-VERSION=3.1.0
-curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${VERSION}/kustomize_${VERSION}_linux_amd64
-
-mkdir -p $GITHUB_WORKSPACE/bin
-cp ./kustomize $GITHUB_WORKSPACE/bin
-chmod +x $GITHUB_WORKSPACE/bin/kustomize
-ls -lh $GITHUB_WORKSPACE/bin
-
-echo "::add-path::$GITHUB_WORKSPACE/bin"
-echo "::add-path::$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin"
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@ -0,0 +1,34 @@
+version: 2
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    labels: ["dependencies"]
+    schedule:
+      interval: "monthly"
+    groups:
+      go-deps:
+        patterns:
+          - "*"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      # Kubernetes deps are updated by fluxcd/pkg
+      - dependency-name: "k8s.io/*"
+      - dependency-name: "sigs.k8s.io/*"
+      # KMS SDKs are updated by SOPS
+      - dependency-name: "github.com/Azure/*"
+      - dependency-name: "github.com/aws/*"
+      - dependency-name: "github.com/hashicorp/vault/*"
+      # Flux APIs pkg are updated at release time
+      - dependency-name: "github.com/fluxcd/kustomize-controller/api"
+      - dependency-name: "github.com/fluxcd/source-controller/api"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@ -0,0 +1,40 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/kustomize
+  description: Kustomize related issues and pull requests
+  color: '#00e54d'
+- name: area/kstatus
+  description: Health checking related issues and pull requests
+  color: '#25D5CA'
+  aliases: ['area/health-checks']
+- name: area/sops
+  description: SOPS related issues and pull requests
+  color: '#FEE5D1'
+- name: area/server-side-apply
+  description: SSA related issues and pull requests
+  color: '#2819CB'
+- name: area/varsub
+  description: Post-build variable substitution related issues and pull requests
+  color: '#8D195D'
+- name: backport:release/v1.0.x
+  description: To be backported to release/v1.0.x
+  color: '#ffd700'
+- name: backport:release/v1.1.x
+  description: To be backported to release/v1.1.x
+  color: '#ffd700'
+- name: backport:release/v1.2.x
+  description: To be backported to release/v1.2.x
+  color: '#ffd700'
+- name: backport:release/v1.3.x
+  description: To be backported to release/v1.3.x
+  color: '#ffd700'
+- name: backport:release/v1.4.x
+  description: To be backported to release/v1.4.x
+  color: '#ffd700'
+- name: backport:release/v1.5.x
+  description: To be backported to release/v1.5.x
+  color: '#ffd700'
+- name: backport:release/v1.6.x
+  description: To be backported to release/v1.6.x
+  color: '#ffd700'
--- a/.github/workflows/backport.yaml
+++ b/.github/workflows/backport.yaml
@ -0,0 +1,34 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@ -0,0 +1,24 @@
+name: fuzz
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+
+jobs:
+  smoketest:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Setup Go
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version: 1.24.x
+        cache-dependency-path: |
+          **/go.sum
+          **/go.mod
+    - name: Smoke test Fuzzers
+      run: make fuzz-smoketest
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -4,80 +4,159 @@ on:
  pull_request:
  push:
    branches:
-      - master
+      - 'main'
+      - 'release/**'
+
+permissions:
+  contents: read # for actions/checkout to fetch code

 jobs:
  kind:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - name: Cache Docker layers
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        id: cache
        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-ghcache-${{ github.sha }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-buildx-ghcache-
      - name: Setup Go
-        uses: actions/setup-go@v2-beta
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: 1.14.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.3.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        with:
+          version: v0.20.0
+          cluster_name: kind
+          node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
      - name: Setup Kustomize
-        uses: ./.github/actions/kustomize
-      - name: Setup Kubebuilder
-        uses: ./.github/actions/kubebuilder
-      - name: Run tests
-        run: make test
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Enable integration tests
+        # Only run integration tests for main branch
+        if: github.ref == 'refs/heads/main'
+        run: |
+          echo 'GO_TEST_ARGS=-tags integration' >> $GITHUB_ENV
+      - name: Run controller tests
        env:
-          KUBEBUILDER_ASSETS: ${{ github.workspace }}/kubebuilder/bin
+          TEST_AZURE_CLIENT_ID: ${{ secrets.TEST_AZURE_CLIENT_ID }}
+          TEST_AZURE_TENANT_ID: ${{ secrets.TEST_AZURE_TENANT_ID }}
+          TEST_AZURE_CLIENT_SECRET: ${{ secrets.TEST_AZURE_CLIENT_SECRET }}
+          TEST_AZURE_VAULT_URL: ${{ secrets.TEST_AZURE_VAULT_URL }}
+          TEST_AZURE_VAULT_KEY_NAME: ${{ secrets.TEST_AZURE_VAULT_KEY_NAME }}
+          TEST_AZURE_VAULT_KEY_VERSION: ${{ secrets.TEST_AZURE_VAULT_KEY_VERSION }}
+        run: make test
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
+            git --no-pager diff
            echo 'run make test and commit changes'
            exit 1
          fi
      - name: Build container image
-        run: make docker-build IMG=test/kustomize-controller:latest
-        env:
-          KUBEBUILDER_ASSETS: ${{ github.workspace }}/kubebuilder/bin
+        run: |
+          make docker-build IMG=test/kustomize-controller:latest \
+            BUILD_PLATFORMS=linux/amd64 \
+            BUILD_ARGS="--cache-from=type=local,src=/tmp/.buildx-cache \
+              --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
+              --load"
+      - # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
      - name: Load test image
        run: kind load docker-image test/kustomize-controller:latest
-      - name: Deploy source-controller
+      - name: Install CRDs
+        run: make install
+      - name: Run default status test
        run: |
-          kustomize build https://github.com/fluxcd/source-controller//config/default?ref=v0.0.1-alpha.4 | kubectl apply -f-
-          kubectl -n source-system rollout status deploy/source-controller --timeout=1m
-      - name: Deploy kustomize-controller
-        run: make dev-deploy IMG=test/kustomize-controller:latest
-        env:
-          KUBEBUILDER_ASSETS: ${{ github.workspace }}/kubebuilder/bin
+          kubectl apply -f config/testdata/status-defaults
+          RESULT=$(kubectl get kustomization status-defaults -o go-template={{.status}})
+          EXPECTED='map[observedGeneration:-1]'
+          if [ "${RESULT}" != "${EXPECTED}" ] ; then
+            echo -e "${RESULT}\n\ndoes not equal\n\n${EXPECTED}"
+            exit 1
+          fi
+          kubectl delete -f config/testdata/status-defaults
+      - name: Deploy controllers
+        run: |
+          make dev-deploy IMG=test/kustomize-controller:latest
+          kubectl -n kustomize-system rollout status deploy/source-controller --timeout=1m
+          kubectl -n kustomize-system rollout status deploy/kustomize-controller --timeout=1m
+      - name: Run tests for removing kubectl managed fields
+        run: |
+          kubectl create ns managed-fields
+          kustomize build github.com/stefanprodan/podinfo//kustomize?ref=6.3.5 > /tmp/podinfo.yaml
+          kubectl -n managed-fields apply -f /tmp/podinfo.yaml
+          kubectl -n managed-fields apply -f ./config/testdata/managed-fields
+          kubectl -n managed-fields wait kustomization/podinfo --for=condition=ready --timeout=4m
+          OUTDATA=$(kubectl -n managed-fields get deploy podinfo --show-managed-fields -oyaml)
+          if echo "$OUTDATA" | grep -q "kubectl";then
+            echo "kubectl client-side manager not removed"
+            exit 1
+          fi
+          kubectl -n managed-fields apply --server-side --force-conflicts -f /tmp/podinfo.yaml
+          kubectl -n managed-fields annotate --overwrite kustomization/podinfo reconcile.fluxcd.io/requestedAt="$(date +%s)"
+          kubectl -n managed-fields wait kustomization/podinfo --for=condition=ready --timeout=4m
+          OUTDATA=$(kubectl -n managed-fields get deploy podinfo --show-managed-fields -oyaml)
+          if echo "$OUTDATA" | grep -q "kubectl";then
+            echo "kubectl server-side manager not removed"
+            exit 1
+          fi
+          kubectl delete ns managed-fields
      - name: Run overlays tests
        run: |
-          kubectl apply -k ./config/testdata/overlays
-          kubectl wait kustomizations/webapp-staging --for=condition=ready --timeout=4m
-          kubectl wait kustomizations/webapp-production --for=condition=ready --timeout=4m
+          kubectl -n kustomize-system apply -k ./config/testdata/overlays
+          kubectl -n kustomize-system wait kustomizations/webapp-staging --for=condition=ready --timeout=4m
+          kubectl -n kustomize-system wait kustomizations/webapp-production --for=condition=ready --timeout=4m
      - name: Run dependencies tests
        run: |
-          kubectl apply -k ./config/testdata/dependencies
-          kubectl wait kustomizations/common --for=condition=ready --timeout=4m
-          kubectl wait kustomizations/backend --for=condition=ready --timeout=4m
-          kubectl wait kustomizations/frontend --for=condition=ready --timeout=4m
-      - name: Run GC tests
+          kubectl -n kustomize-system apply -k ./config/testdata/dependencies
+          kubectl -n kustomize-system wait kustomizations/common --for=condition=ready --timeout=4m
+          kubectl -n kustomize-system wait kustomizations/backend --for=condition=ready --timeout=4m
+          kubectl -n kustomize-system wait kustomizations/frontend --for=condition=ready --timeout=4m
+      - name: Run impersonation tests
        run: |
-          kubectl get ns
-          kubectl delete -k ./config/testdata/overlays
-          until kubectl get ns staging 2>&1 | grep NotFound ; do sleep 2; done
+          kubectl -n impersonation apply -f ./config/testdata/impersonation
+          kubectl -n impersonation wait kustomizations/podinfo --for=condition=ready --timeout=4m
+          kubectl -n impersonation delete kustomizations/podinfo
+          until kubectl -n impersonation get deploy/podinfo 2>&1 | grep NotFound ; do sleep 2; done
+      - name: Run OCI tests
+        run: |
+          kubectl create ns oci
+          kubectl -n oci apply -f ./config/testdata/oci
+          kubectl -n oci wait kustomizations/oci --for=condition=ready --timeout=4m
+      - name: Run CRDs + CRs tests
+        run: |
+          kubectl -n kustomize-system apply -f ./config/testdata/crds-crs
+          kubectl -n kustomize-system wait kustomizations/certs --for=condition=ready --timeout=4m
+          kubectl -n kustomizer-cert-test wait issuers/my-ca-issuer --for=condition=ready --timeout=1m
      - name: Logs
        run: |
-          kubectl -n source-system logs deploy/source-controller
+          kubectl -n kustomize-system logs deploy/source-controller
          kubectl -n kustomize-system logs deploy/kustomize-controller
      - name: Debug failure
        if: failure()
        run: |
-          kubectl get gitrepositories -oyaml
-          kubectl get kustomizations -oyaml
+          kubectl -n kustomize-system get gitrepositories -oyaml
+          kubectl -n kustomize-system get kustomizations -oyaml
          kubectl -n kustomize-system get all
-          kubectl -n source-system logs deploy/source-controller
-          kubectl -n kustomize-system logs deploy/kustomize-controller
+          kubectl -n oci get ocirepository/oci -oyaml
+          kubectl -n oci get kustomization/oci -oyaml
+          kubectl -n kustomize-system logs deploy/source-controller
+          kubectl -n kustomize-system logs deploy/kustomize-controller
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -0,0 +1,35 @@
+name: nightly
+on:
+  schedule:
+    - cron:  '0 0 * * *'
+  workflow_dispatch:
+
+env:
+  REPOSITORY: ${{ github.repository }}
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        with:
+          buildkitd-flags: "--debug"
+      - name: Build multi-arch container image
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        with:
+          push: false
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: |
+            ${{ env.REPOSITORY }}:nightly
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -3,50 +3,158 @@ on:
  push:
    tags:
      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'image tag prefix'
+        default: 'rc'
+        required: true
+
+permissions:
+  contents: read
+
+env:
+  CONTROLLER: ${{ github.event.repository.name }}

 jobs:
-  build-push:
+  release:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
    steps:
-      - uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup Kustomize
-        uses: ./.github/actions/kustomize
-      - name: Get version
-        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
-      - name: Generate release asset
+        uses: fluxcd/pkg/actions/kustomize@main
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF/refs\/tags\//}
+          fi
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          username: fluxcdbot
+          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: |
+            fluxcd/${{ env.CONTROLLER }}
+            ghcr.io/fluxcd/${{ env.CONTROLLER }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+      - name: Publish images
+        id: build-push
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
+        with:
+          sbom: true
+          provenance: true
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+      - name: Generate release artifacts
+        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          mkdir -p config/release
-          cp config/default/* config/release
-          cd config/release
-          kustomize edit set image fluxcd/kustomize-controller=fluxcd/kustomize-controller:${{ steps.get_version.outputs.VERSION }}
-          kustomize build . > kustomize-controller.yaml
-      - name: Push image
-        uses: docker/build-push-action@v1
+          kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
+          kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
+      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+      - name: Create release and SBOM
+        id: run-goreleaser
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: fluxcd/kustomize-controller
-          tag_with_ref: true
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@latest
+          version: latest
+          args: release --clean --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          draft: false
-          prerelease: true
-          body: |
-            [CHANGELOG](https://github.com/fluxcd/kustomize-controller/blob/master/CHANGELOG.md)
-      - name: Upload artifacts
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
+      - name: Generate SLSA metadata
+        id: slsa
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./config/release/kustomize-controller.yaml
-          asset_name: kustomize-controller.yaml
-          asset_content_type: text/plain
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=${{ steps.build-push.outputs.digest }}
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
+  release-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -0,0 +1,52 @@
+name: scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
+jobs:
+  fossa:
+    name: FOSSA
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run FOSSA scan and upload build data
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
+        with:
+          # FOSSA Push-Only API Token
+          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+          github-token: ${{ github.token }}
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true
--- a/.gitignore
+++ b/.gitignore
@ -1,17 +1,26 @@
-# Binaries for programs and plugins
+# Binaries for programs and plugins.
 *.exe
 *.exe~
 *.dll
 *.so
 *.dylib

-# Test binary, built with `go test -c`
+# Test binary, built with `go test -c`.
 *.test

-# Output of the go coverage tool, specifically when used with LiteIDE
+# Output of the go coverage tool.
 *.out

-# Dependency directories (remove the comment below to include it)
-# vendor/
+# Build tools downloaded at runtime.
 bin/
+
+# Release manifests generated at runtime.
 config/release/
+config/crd/bases/ocirepositories.yaml
+config/crd/bases/gitrepositories.yaml
+config/crd/bases/buckets.yaml
+
+build/
+
+# CRDs for fuzzing tests.
+internal/controllers/testdata/crd
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -0,0 +1,57 @@
+project_name: kustomize-controller
+
+builds:
+  - skip: true
+
+release:
+  extra_files:
+    - glob: config/release/*.yaml
+  prerelease: "auto"
+  header: |
+    ## Changelog
+
+    [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
+  footer: |
+    ## Container images
+    
+    - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    
+    Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
+    
+    The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
+    To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).
+
+changelog:
+  disable: true
+
+checksum:
+  extra_files:
+    - glob: config/release/*.yaml
+
+source:
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+# signs the checksum file
+# all files (including the sboms) are included in the checksum
+# https://goreleaser.com/customization/sign
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - "--yes"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+    artifacts: checksum
+    output: true
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,73 +0,0 @@
-# Contributing
-
-Kustomize Controller is [Apache 2.0 licensed](LICENSE) and accepts contributions
-via GitHub pull requests. This document outlines some of the conventions on
-to make it easier to get your contribution accepted.
-
-We gratefully welcome improvements to issues and documentation as well as to
-code.
-
-## Certificate of Origin
-
-By contributing to this project you agree to the Developer Certificate of
-Origin (DCO). This document was created by the Linux Kernel community and is a
-simple statement that you, as a contributor, have the legal right to make the
-contribution. No action from you is required, but it's a good idea to see the
-[DCO](DCO) file for details before you start contributing code to Kustomize
-Controller.
-
-## Communications
-
-The project uses Slack: To join the conversation, simply join the
-[CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux](https://cloud-native.slack.com/messages/flux/) channel.
-
-The developers use a mailing list to discuss development as well.
-Simply subscribe to [flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev)
-to join the conversation (this will also add an invitation to your
-Google calendar for our [Flux
-meeting](https://docs.google.com/document/d/1l_M0om0qUEN_NNiGgpqJ2tvsF2iioHkaARDeh6b70B0/edit#)).
-
-### How to run the test suite
-
-Prerequisites:
-* go >= 1.13
-* kubebuilder >= 2.3
-* kustomize >= 3.1
-
-You can run the unit tests by simply doing
-
-```bash
-make test
-```
-
-## Acceptance policy
-
-These things will make a PR more likely to be accepted:
-
- a well-described requirement
- tests for new code
- tests for old code!
- new code and tests follow the conventions in old code and tests
- a good commit message (see below)
- all code must abide [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments)
- names should abide [What's in a name](https://talks.golang.org/2014/names.slide#1)
- code must build on both Linux and Darwin, via plain `go build`
- code should have appropriate test coverage and tests should be written
-  to work with `go test`
-
-In general, we will merge a PR once one maintainer has endorsed it.
-For substantial changes, more people may become involved, and you might
-get asked to resubmit the PR or divide the changes into more than one PR.
-
-### Format of the Commit Message
-
-For Kustomize Controller we prefer the following rules for good commit messages:
-
- Limit the subject to 50 characters and write as the continuation
-  of the sentence "If applied, this commit will ..."
- Explain what and why in the body, if more than a trivial change;
-  wrap it at 72 characters.
-
-The [following article](https://chris.beams.io/posts/git-commit/#seven-rules)
-has some more helpful advice on documenting your work.
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -0,0 +1,94 @@
+# Development
+
+> **Note:** Please take a look at <https://fluxcd.io/contributing/flux/>
+> to find out about how to contribute to Flux and how to interact with the
+> Flux Development team.
+
+## Installing required dependencies
+
+There are a number of dependencies required to be able to run the controller and its test suite locally:
+
+- [Install Go](https://golang.org/doc/install)
+- [Install Kustomize](https://kubernetes-sigs.github.io/kustomize/installation/)
+- [Install Docker](https://docs.docker.com/engine/install/)
+- (Optional) [Install Kubebuilder](https://book.kubebuilder.io/quick-start.html#installation)
+
+## How to run the test suite
+
+Prerequisites:
+* Go >= 1.24
+
+You can run the test suite by simply doing
+
+```sh
+make test
+```
+
+## How to run the controller locally
+
+Install the controller's CRDs on your test cluster:
+
+```sh
+make install
+```
+
+Note that `kustomize-controller` depends on [source-controller](https://github.com/fluxcd/source-controller) to acquire its artifacts. If `source-controller` is not running on your test cluster, you need to tell `kustomize-controller` where to find it. 
+
+Port forward to source-controller artifacts server:
+
+```sh
+kubectl -n flux-system port-forward svc/source-controller 8080:80
+```
+
+Export the local address as `SOURCE_CONTROLLER_LOCALHOST`:
+
+```sh
+export SOURCE_CONTROLLER_LOCALHOST=localhost:8080
+```
+
+Alternatively, if your test cluster is already running `source-controller` and `kustomize-controller`, you need to scale down the in-cluster `kustomize-controller`:
+
+```
+kubectl -n flux-system scale deployment/kustomize-controller --replicas=0
+```
+
+Run the controller locally:
+
+```sh
+make run
+```
+
+## How to install the controller
+
+### Building the container image
+
+Set the name of the container image to be created from the source code. This will be used when building, pushing and referring to the image on YAML files:
+
+```sh
+export IMG=registry-path/kustomize-controller:latest
+```
+
+Build the container image, tagging it as `$(IMG)`:
+
+```sh
+make docker-build
+```
+
+Push the image into the repository:
+
+```sh
+make docker-push
+```
+
+**Note**: `make docker-build` will build an image for the `amd64` architecture.
+
+
+### Deploying into a cluster
+
+Deploy `kustomize-controller` into the cluster that is configured in the local kubeconfig file (i.e. `~/.kube/config`):
+
+```sh
+make deploy
+```
+
+Running the above will also deploy `source-controller` and its CRDs to the cluster.
--- a/40
+++ b/40
@ -1,15 +1,19 @@
-FROM golang:1.13 as builder
+ARG GO_VERSION=1.24
+ARG XX_VERSION=1.6.1
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM

 WORKDIR /workspace

-RUN kustomize_ver=3.5.4 && \
-kustomize_url=https://github.com/kubernetes-sigs/kustomize/releases/download && \
-curl -sL ${kustomize_url}/kustomize%2Fv${kustomize_ver}/kustomize_v${kustomize_ver}_linux_amd64.tar.gz | \
-tar xz && mv kustomize /usr/local/bin/kustomize
-
-RUN kubectl_ver=1.18.2 && \
-curl -sL https://storage.googleapis.com/kubernetes-release/release/v${kubectl_ver}/bin/linux/amd64/kubectl \
-o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl
+# copy api submodule
+COPY api/ api/

 # copy modules manifests
 COPY go.mod go.mod
@ -20,23 +24,23 @@ RUN go mod download

 # copy source code
 COPY main.go main.go
-COPY api/ api/
-COPY controllers/ controllers/
 COPY internal/ internal/

 # build
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o kustomize-controller main.go
+ENV CGO_ENABLED=0
+RUN xx-go build -trimpath -a -o kustomize-controller main.go

-FROM alpine:3.11
+FROM alpine:3.21

-RUN apk add --no-cache openssh-client ca-certificates tar tini 'git>=2.12.0' socat curl bash
+ARG TARGETPLATFORM
+
+RUN apk --no-cache add ca-certificates tini git openssh-client gnupg \
+  && update-ca-certificates

-COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/
-COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 COPY --from=builder /workspace/kustomize-controller /usr/local/bin/

-RUN addgroup -S controller && adduser -S -g controller controller
+USER 65534:65534

-USER controller
+ENV GNUPGHOME=/tmp

 ENTRYPOINT [ "/sbin/tini", "--", "kustomize-controller" ]
--- a/5
+++ b/5
@ -2,6 +2,7 @@ The maintainers are generally available in Slack at
 https://cloud-native.slack.com in #flux (https://cloud-native.slack.com/messages/CLAJ40HV3)
 (obtain an invitation at https://slack.cncf.io/).

-In alphabetical order:
+This project shares maintainers from the main Flux v2 git repository,
+as listed in

-Stefan Prodan, Weaveworks <stefan@weave.works> (github: @stefanprodan, slack: stefanprodan)
+    https://github.com/fluxcd/flux2/blob/main/MAINTAINERS
--- a/190
+++ b/190
@ -1,29 +1,101 @@
-
 # Image URL to use all building/pushing image targets
 IMG ?= fluxcd/kustomize-controller:latest
-# Produce CRDs that work back to Kubernetes 1.13
-CRD_OPTIONS ?= crd
+# Produce CRDs that work back to Kubernetes 1.16
+CRD_OPTIONS ?= crd:crdVersions=v1
+SOURCE_VER ?= $(shell go list -m all | grep github.com/fluxcd/source-controller/api | awk '{print $$2}')

-# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+# Use the same version of SOPS already referenced on go.mod
+SOPS_VER := $(shell go list -m all | grep github.com/getsops/sops | awk '{print $$2}')
+
+# Repository root based on Git metadata
+REPOSITORY_ROOT := $(shell git rev-parse --show-toplevel)
+BUILD_DIR := $(REPOSITORY_ROOT)/build
+
+# FUZZ_TIME defines the max amount of time, in Go Duration,
+# each fuzzer should run for.
+FUZZ_TIME ?= 1m
+
+# If gobin not set, create one on ./build and add to path.
 ifeq (,$(shell go env GOBIN))
-GOBIN=$(shell go env GOPATH)/bin
+GOBIN=$(BUILD_DIR)/gobin
 else
 GOBIN=$(shell go env GOBIN)
 endif
+export PATH:=$(GOBIN):${PATH}
+
+# Allows for defining additional Go test args, e.g. '-tags integration'.
+GO_TEST_ARGS ?=
+
+# Allows for defining additional Docker buildx arguments, e.g. '--push'.
+BUILD_ARGS ?= --load
+# Architectures to build images for.
+BUILD_PLATFORMS ?= linux/amd64
+
+# Architecture to use envtest with
+ENVTEST_ARCH ?= amd64
+
+# Paths to download the CRD dependencies at.
+GITREPO_CRD ?= config/crd/bases/gitrepositories.yaml
+BUCKET_CRD ?= config/crd/bases/buckets.yaml
+OCIREPO_CRD ?= config/crd/bases/ocirepositories.yaml
+
+# Keep a record of the version of the downloaded source CRDs. It is used to
+# detect and download new CRDs when the SOURCE_VER changes.
+SOURCE_CRD_VER=$(BUILD_DIR)/.src-crd-$(SOURCE_VER)
+
+# API (doc) generation utilities
+CONTROLLER_GEN_VERSION ?= v0.16.1
+GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113

 all: manager

-# Run tests
-test: generate fmt vet manifests
-	go test ./... -coverprofile cover.out
+# Download the envtest binaries to testbin
+ENVTEST_ASSETS_DIR=$(BUILD_DIR)/testbin
+ENVTEST_KUBERNETES_VERSION?=latest
+install-envtest: setup-envtest
+	mkdir -p ${ENVTEST_ASSETS_DIR}
+	$(ENVTEST) use $(ENVTEST_KUBERNETES_VERSION) --arch=$(ENVTEST_ARCH) --bin-dir=$(ENVTEST_ASSETS_DIR)
+
+SOPS = $(GOBIN)/sops
+$(SOPS): ## Download latest sops binary if none is found.
+	$(call go-install-tool,$(SOPS),github.com/getsops/sops/v3/cmd/sops@$(SOPS_VER))
+
+# Run controller tests
+KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
+test: tidy generate fmt vet manifests api-docs download-crd-deps install-envtest $(SOPS)
+	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) go test ./... $(GO_TEST_ARGS) -v -coverprofile cover.out

 # Build manager binary
 manager: generate fmt vet
-	go build -o bin/manager main.go
+	go build -o $(BUILD_DIR)/bin/manager main.go

 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests
-	go run ./main.go
+	go run ./main.go --metrics-addr=:8089
+
+# Delete previously downloaded CRDs and record the new version of the source
+# CRDs.
+$(SOURCE_CRD_VER):
+	rm -f $(BUILD_DIR)/.src-crd*
+	$(MAKE) cleanup-crd-deps
+	if ! test -d "$(BUILD_DIR)"; then mkdir -p $(BUILD_DIR); fi
+	touch $(SOURCE_CRD_VER)
+
+$(GITREPO_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml -o $(GITREPO_CRD)
+
+$(BUCKET_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml -o $(BUCKET_CRD)
+
+$(OCIREPO_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml -o $(OCIREPO_CRD)
+
+# Download the CRDs the controller depends on
+download-crd-deps: $(SOURCE_CRD_VER) $(GITREPO_CRD) $(BUCKET_CRD) $(OCIREPO_CRD)
+
+# Delete the downloaded CRD dependencies.
+cleanup-crd-deps:
+	rm -f $(GITREPO_CRD) $(BUCKET_CRD) $(OCIREPO_CRD)

 # Install CRDs into a cluster
 install: manifests
@ -54,41 +126,101 @@ dev-cleanup: manifests

 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
-	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./..." output:crd:artifacts:config="config/crd/bases"
+	cd api; $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role paths="./..." output:crd:artifacts:config="../config/crd/bases"
+
+# Generate API reference documentation
+api-docs: gen-crd-api-reference-docs
+	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1/kustomize.md
+
+# Run go mod tidy
+tidy:
+	cd api; rm -f go.sum; go mod tidy -compat=1.24
+	rm -f go.sum; go mod tidy -compat=1.24

 # Run go fmt against code
 fmt:
 	go fmt ./...
+	cd api; go fmt ./...

 # Run go vet against code
 vet:
 	go vet ./...
+	cd api; go vet ./...

 # Generate code
 generate: controller-gen
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
+	cd api; $(CONTROLLER_GEN) object:headerFile="../hack/boilerplate.go.txt" paths="./..."

 # Build the docker image
 docker-build:
-	docker build . -t ${IMG}
+	docker buildx build \
+	--platform=$(BUILD_PLATFORMS) \
+	-t ${IMG} \
+	${BUILD_ARGS} .

 # Push the docker image
 docker-push:
 	docker push ${IMG}

-# find or download controller-gen
-# download controller-gen if necessary
-controller-gen:
-ifeq (, $(shell which controller-gen))
-	@{ \
-	set -e ;\
-	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
-	cd $$CONTROLLER_GEN_TMP_DIR ;\
-	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
-	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
-	}
-CONTROLLER_GEN=$(GOBIN)/controller-gen
-else
-CONTROLLER_GEN=$(shell which controller-gen)
-endif
+# Set the docker image in-cluster
+docker-deploy:
+	kubectl -n flux-system set image deployment/kustomize-controller manager=${IMG}
+
+# Find or download controller-gen
+CONTROLLER_GEN = $(GOBIN)/controller-gen
+.PHONY: controller-gen
+controller-gen: ## Download controller-gen locally if necessary.
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
+
+# Find or download gen-crd-api-reference-docs
+GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
+.PHONY: gen-crd-api-reference-docs
+gen-crd-api-reference-docs: ## Download gen-crd-api-reference-docs locally if necessary
+	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_API_REF_DOCS_VERSION))
+
+ENVTEST = $(GOBIN)/setup-envtest
+.PHONY: envtest
+setup-envtest: ## Download envtest-setup locally if necessary.
+	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
+
+# go-install-tool will 'go install' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-install-tool
+@[ -f $(1) ] || { \
+set -e ;\
+TMP_DIR=$$(mktemp -d) ;\
+cd $$TMP_DIR ;\
+go mod init tmp ;\
+echo "Downloading $(2)" ;\
+GOBIN=$(GOBIN) go install $(2) ;\
+rm -rf $$TMP_DIR ;\
+}
+endef
+
+# Build fuzzers used by oss-fuzz.
+fuzz-build:
+	rm -rf $(BUILD_DIR)/fuzz/
+	mkdir -p $(BUILD_DIR)/fuzz/out/
+
+	docker build . --pull --tag local-fuzzing:latest -f tests/fuzz/Dockerfile.builder
+	docker run --rm \
+		-e FUZZING_LANGUAGE=go -e SANITIZER=address \
+		-e CIFUZZ_DEBUG='True' -e OSS_FUZZ_PROJECT_NAME=fluxcd \
+		-v "$(shell go env GOMODCACHE):/root/go/pkg/mod" \
+		-v "$(BUILD_DIR)/fuzz/out":/out \
+		local-fuzzing:latest
+
+# Run each fuzzer once to ensure they will work when executed by oss-fuzz.
+fuzz-smoketest: fuzz-build
+	docker run --rm \
+		-v "$(BUILD_DIR)/fuzz/out":/out \
+		-v "$(shell pwd)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
+		local-fuzzing:latest \
+		bash -c "/runner.sh"
+
+# Run fuzz tests for the duration set in FUZZ_TIME.
+fuzz-native: 
+	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
+	FUZZ_TIME=$(FUZZ_TIME) \
+		./tests/fuzz/native_go_run.sh
--- a/11
+++ b/11
@ -1,10 +1,13 @@
-domain: fluxcd.io
+domain: toolkit.fluxcd.io
 repo: github.com/fluxcd/kustomize-controller
 resources:
 - group: kustomize
  kind: Kustomization
-  version: v1alpha1
+  version: v1
 - group: kustomize
-  kind: Profile
-  version: v1alpha1
+  kind: Kustomization
+  version: v1beta2
+- group: kustomize
+  kind: Kustomization
+  version: v1beta1
 version: "2"
--- a/README.md
+++ b/README.md
@ -1,299 +1,55 @@
 # kustomize-controller

+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4787/badge)](https://bestpractices.coreinfrastructure.org/projects/4787)
 [![e2e](https://github.com/fluxcd/kustomize-controller/workflows/e2e/badge.svg)](https://github.com/fluxcd/kustomize-controller/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/kustomize-controller)](https://goreportcard.com/report/github.com/fluxcd/kustomize-controller)
-[![license](https://img.shields.io/github/license/fluxcd/kustomize-controller.svg)](https://github.com/fluxcd/kustomize-controller/blob/master/LICENSE)
+[![license](https://img.shields.io/github/license/fluxcd/kustomize-controller.svg)](https://github.com/fluxcd/kustomize-controller/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/kustomize-controller/all.svg)](https://github.com/fluxcd/kustomize-controller/releases)

-The kustomize-controller is a Kubernetes operator, specialized in running 
-continuous delivery pipelines for infrastructure and workloads
+The kustomize-controller is a [Flux](https://github.com/fluxcd/flux2) component,
+specialized in running continuous delivery pipelines for infrastructure and workloads
 defined with Kubernetes manifests and assembled with Kustomize.

+The cluster desired state is described through a Kubernetes Custom Resource named `Kustomization`.
+Based on the creation, mutation or removal of a `Kustomization` resource in the cluster,
+the controller performs actions to reconcile the cluster current state with the desired state.
+
 ![overview](docs/diagrams/kustomize-controller-overview.png)

-Features:
+## Features
+
 * watches for `Kustomization` objects
 * fetches artifacts produced by [source-controller](https://github.com/fluxcd/source-controller) from `Source` objects 
 * watches `Source` objects for revision changes 
 * generates the `kustomization.yaml` file if needed
-* generates Kubernetes manifests with kustomize build
-* validates the build output with client-side or APIServer dry-run
-* applies the generated manifests on the cluster
+* generates Kubernetes manifests with Kustomize SDK
+* decrypts Kubernetes secrets with Mozilla SOPS and KMS
+* validates the generated manifests with Kubernetes server-side apply dry-run
+- detects drift between the desired and state and cluster state
+- corrects drift by patching objects with Kubernetes server-side apply
 * prunes the Kubernetes objects removed from source
 * checks the health of the deployed workloads
 * runs `Kustomizations` in a specific order, taking into account the depends-on relationship 
-* reports on Slack or Discord whenever a `Kustomization` status changes
+* notifies whenever a `Kustomization` status changes

-Specifications:
-* [API](docs/spec/v1alpha1/README.md)
+## Specifications
+
+* [API](docs/spec/v1/README.md)
 * [Controller](docs/spec/README.md)

-## Usage
+## Guides

-The kustomize-controller is part of a composable GitOps toolkit and depends on
-[source-controller](https://github.com/fluxcd/source-controller) to provide the raw Kubernetes
-manifests and `kustomization.yaml` file.
+* [Get started with Flux](https://fluxcd.io/flux/get-started/)
+* [Setup Notifications](https://fluxcd.io/flux/guides/notifications/)
+* [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
+* [How to build, publish and consume OCI Artifacts with Flux](https://fluxcd.io/flux/cheatsheets/oci-artifacts/)
+* [Flux and Kustomize FAQ](https://fluxcd.io/flux/faq/#kustomize-questions)

-### Install the controllers
+## Roadmap

-Install source-controller with:
+The roadmap for the Flux family of projects can be found at <https://fluxcd.io/roadmap/>.

-```bash
-kustomize build https://github.com/fluxcd/source-controller//config/default?ref=v0.0.1-alpha.4 \
-kubectl apply -f-
-```
+## Contributing

-Install kustomize-controller with:
-
-```bash
-kustomize build https://github.com/fluxcd/kustomize-controller//config/default?ref=v0.0.1-alpha.7 \
-kubectl apply -f-
-```
-
-### Define a Git repository source
-
-Create a source object that points to a Git repository containing Kubernetes and Kustomize manifests:
-
-```yaml
-apiVersion: source.fluxcd.io/v1alpha1
-kind: GitRepository
-metadata:
-  name: podinfo
-  namespace: default
-spec:
-  interval: 1m
-  url: https://github.com/stefanprodan/podinfo-deploy
-  ref:
-    branch: master
-```
-
-For private repositories, SSH or token based authentication can be
-[configured with Kubernetes secrets](https://github.com/fluxcd/source-controller/blob/master/docs/spec/v1alpha1/gitrepositories.md).
-
-Save the above file and apply it on the cluster.
-You can wait for the source controller to assemble an artifact from the head of the repo master branch with:
-
-```bash
-kubectl wait gitrepository/podinfo --for=condition=ready
-```
-
-The source controller will check for new commits in the master branch every minute. You can force a git sync with:
-
-```bash
-kubectl annotate --overwrite gitrepository/podinfo source.fluxcd.io/syncAt="$(date +%s)"
-```
-
-### Define a kustomization
-
-Create a kustomization object that uses the git repository defined above:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: podinfo-dev
-spec:
-  interval: 5m
-  path: "./overlays/dev/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: podinfo
-  validation: client
-  healthChecks:
-    - kind: Deployment
-      name: podinfo
-      namespace: dev
-  timeout: 80s
-```
-
-> **Note** that if your repository contains only plain Kubernetes manifests,
-> the controller will
-> [automatically generate](docs/spec/v1alpha1/kustomization.md#generate-kustomizationyaml)
-> a kustomization.yaml file inside the specified path.
-
-A detailed explanation of the Kustomization object and its fields
-can be found in the [specification doc](docs/spec/v1alpha1/README.md). 
-
-Based on the above definition, the kustomize-controller fetches the Git repository content from source-controller,
-generates Kubernetes manifests by running kustomize build inside `./overlays/dev/`,
-and validates them with a dry-run apply. If the manifests pass validation, the controller will apply them 
-on the cluster and starts the health assessment of the deployed workload. If the health checks are passing, the
-Kustomization object status transitions to a ready state.
-
-![workflow](docs/diagrams/kustomize-controller-flow.png)
-
-You can wait for the kustomize controller to complete the deployment with:
-
-```bash
-kubectl wait kustomization/podinfo-dev --for=condition=ready
-```
-
-When the controller finishes the reconciliation, it will log the applied objects:
-
-```bash
-kubectl -n kustomize-system logs deploy/kustomize-controller | jq .
-```
-
-```json
-{
-  "level": "info",
-  "ts": 1587195448.071468,
-  "logger": "controllers.Kustomization",
-  "msg": "Kustomization applied in 1.436096591s",
-  "kustomization": "default/podinfo-dev",
-  "output": {
-    "namespace/dev": "created",
-    "service/podinfo": "created",
-    "deployment.apps/podinfo": "created",
-    "horizontalpodautoscaler.autoscaling/podinfo": "created"
-  }
-}
-```
-
-You can trigger a kustomize build and apply any time with:
-
-```bash
-kubectl annotate --overwrite kustomization/podinfo-dev kustomize.fluxcd.io/syncAt="$(date +%s)"
-```
-
-When the source controller pulls a new Git revision, the kustomize controller will detect that the
-source revision changed, and will apply those changes right away.
-
-If the kustomization build or apply fails, the controller sets the ready condition to `false` and logs the error:
-
-```yaml
-status:
-  conditions:
-  - lastTransitionTime: "2020-04-16T07:27:58Z"
-    message: 'apply failed'
-    reason: ApplyFailed
-    status: "False"
-    type: Ready
-``` 
-
-```json
-{
-  "kustomization": "default/podinfo-dev",
-  "error": "Error from server (NotFound): error when creating \"podinfo-dev.yaml\": namespaces \"dev\" not found\n"
-}
-```
-
-### Control the execution order
-
-When running a kustomization, you may need to make sure other kustomizations have been 
-successfully applied beforehand. A kustomization can specify a list of dependencies with `spec.dependsOn`.
-When combined with health assessment, a kustomization will run after all its dependencies health checks are passing.
-
-For example, a service mesh proxy injector should be running before deploying applications inside the mesh:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: istio
-spec:
-  interval: 10m
-  path: "./profiles/default/"
-  sourceRef:
-    kind: GitRepository
-    name: istio
-  healthChecks:
-    - kind: Deployment
-      name: istiod
-      namespace: istio-system
-  timeout: 2m
---
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: podinfo-dev
-spec:
-  dependsOn:
-    - istio
-  interval: 5m
-  path: "./overlays/dev/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: podinfo
-```
-
-### Deploy releases to production
-
-For production deployments, instead of synchronizing with a branch you can use a semver range to target stable releases:
-
-```yaml
-apiVersion: source.fluxcd.io/v1alpha1
-kind: GitRepository
-metadata:
-  name: podinfo-releases
-spec:
-  interval: 5m
-  url: https://github.com/stefanprodan/podinfo-deploy
-  ref:
-    semver: ">=0.0.1-rc.1 <1.0.0"
-```
-
-With `ref.semver` we configure source controller to pull the Git tags and create an artifact from the most recent tag
-that matches the semver range.
-
-Create a production kustomization and reference the git source that follows the latest semver release:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: podinfo-production
-spec:
-  interval: 10m
-  path: "./overlays/production/"
-  sourceRef:
-    kind: GitRepository
-    name: podinfo-releases
-```
-
-Based on the above definition, the kustomize controller will build and apply a kustomization that matches the semver range
-set in the Git repository manifest.
-
-### Configure alerting
-
-The kustomize controller can post message to Slack or Discord whenever a kustomization status changes.
-
-Alerting can be configured by creating a profile that targets a list of kustomizations:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Profile
-metadata:
-  name: default
-spec:
-  alert:
-    type: slack
-    verbosity: info
-    address: https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
-    username: kustomize-controller
-    channel: general
-  kustomizations:
-    - '*'
-```
-
-The alert provider type can be: `slack` or `discord` and the verbosity can be set to `info` or `error`.
-
-The `*` wildcard tells the controller to use this profile for all kustomizations that are present
-in the same namespace as the profile.
-Multiple profiles can be used to send alerts to different channels or Slack organizations.
-
-When the verbosity is set to `error`, the controller will alert on any error encountered during the
-reconciliation process. This includes kustomize build and validation errors, apply errors and
-health check failures.
-
-![error alert](docs/diagrams/slack-error-alert.png)
-
-When the verbosity is set to `info`, the controller will alert if:
-* a Kubernetes object was created, updated or deleted
-* heath checks are passing
-* a dependency is delaying the execution
-* an error occurs
-
-![info alert](docs/diagrams/slack-info-alert.png)
+This project is Apache 2.0 licensed and accepts contributions via GitHub pull requests.
+To start contributing please see the [development guide](DEVELOPMENT.md).
--- a/api/go.mod
+++ b/api/go.mod
@ -0,0 +1,36 @@
+module github.com/fluxcd/kustomize-controller/api
+
+go 1.24.0
+
+require (
+	github.com/fluxcd/pkg/apis/kustomize v1.11.0
+	github.com/fluxcd/pkg/apis/meta v1.18.0
+	k8s.io/apiextensions-apiserver v0.33.2
+	k8s.io/apimachinery v0.33.2
+	sigs.k8s.io/controller-runtime v0.21.0
+)
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
+require (
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
+)
--- a/api/go.sum
+++ b/api/go.sum
@ -0,0 +1,121 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXCner7TNaJFWE=
+github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
+github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
+github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
+go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
+k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
+k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
+k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=
--- a/api/v1/doc.go
+++ b/api/v1/doc.go
@ -0,0 +1,21 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API Schema definitions for the kustomize.toolkit.fluxcd.io
+// v1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=kustomize.toolkit.fluxcd.io
+package v1
--- a/api/v1/groupversion_info.go
+++ b/api/v1/groupversion_info.go
@ -0,0 +1,33 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "kustomize.toolkit.fluxcd.io", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
--- a/api/v1/inventory_types.go
+++ b/api/v1/inventory_types.go
@ -0,0 +1,34 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// ResourceInventory contains a list of Kubernetes resource object references
+// that have been applied by a Kustomization.
+type ResourceInventory struct {
+	// Entries of Kubernetes resource object references.
+	Entries []ResourceRef `json:"entries"`
+}
+
+// ResourceRef contains the information necessary to locate a resource within a cluster.
+type ResourceRef struct {
+	// ID is the string representation of the Kubernetes resource object's metadata,
+	// in the format '<namespace>_<name>_<group>_<kind>'.
+	ID string `json:"id"`
+
+	// Version is the API version of the Kubernetes resource object's kind.
+	Version string `json:"v"`
+}
--- a/api/v1/kustomization_types.go
+++ b/api/v1/kustomization_types.go
@ -0,0 +1,391 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	KustomizationKind         = "Kustomization"
+	KustomizationFinalizer    = "finalizers.fluxcd.io"
+	MaxConditionMessageLength = 20000
+	EnabledValue              = "enabled"
+	DisabledValue             = "disabled"
+	MergeValue                = "Merge"
+	IfNotPresentValue         = "IfNotPresent"
+	IgnoreValue               = "Ignore"
+
+	DeletionPolicyMirrorPrune        = "MirrorPrune"
+	DeletionPolicyDelete             = "Delete"
+	DeletionPolicyWaitForTermination = "WaitForTermination"
+	DeletionPolicyOrphan             = "Orphan"
+)
+
+// KustomizationSpec defines the configuration to calculate the desired state
+// from a Source using Kustomize.
+type KustomizationSpec struct {
+	// CommonMetadata specifies the common labels and annotations that are
+	// applied to all resources. Any existing label or annotation will be
+	// overridden if its key matches a common one.
+	// +optional
+	CommonMetadata *CommonMetadata `json:"commonMetadata,omitempty"`
+
+	// DependsOn may contain a DependencyReference slice
+	// with references to Kustomization resources that must be ready before this
+	// Kustomization can be reconciled.
+	// +optional
+	DependsOn []DependencyReference `json:"dependsOn,omitempty"`
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	// +optional
+	Decryption *Decryption `json:"decryption,omitempty"`
+
+	// The interval at which to reconcile the Kustomization.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The interval at which to retry a previously failed reconciliation.
+	// When not specified, the controller uses the KustomizationSpec.Interval
+	// value to retry failures.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	RetryInterval *metav1.Duration `json:"retryInterval,omitempty"`
+
+	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// When used in combination with KustomizationSpec.ServiceAccountName,
+	// forces the controller to act on behalf of that Service Account at the
+	// target cluster.
+	// If the --default-service-account flag is set, its value will be used as
+	// a controller level fallback for when KustomizationSpec.ServiceAccountName
+	// is empty.
+	// +optional
+	KubeConfig *meta.KubeConfigReference `json:"kubeConfig,omitempty"`
+
+	// Path to the directory containing the kustomization.yaml file, or the
+	// set of plain YAMLs a kustomization.yaml should be generated for.
+	// Defaults to 'None', which translates to the root path of the SourceRef.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PostBuild describes which actions to perform on the YAML manifest
+	// generated by building the kustomize overlay.
+	// +optional
+	PostBuild *PostBuild `json:"postBuild,omitempty"`
+
+	// Prune enables garbage collection.
+	// +required
+	Prune bool `json:"prune"`
+
+	// DeletionPolicy can be used to control garbage collection when this
+	// Kustomization is deleted. Valid values are ('MirrorPrune', 'Delete',
+	// 'WaitForTermination', 'Orphan'). 'MirrorPrune' mirrors the Prune field
+	// (orphan if false, delete if true). Defaults to 'MirrorPrune'.
+	// +kubebuilder:validation:Enum=MirrorPrune;Delete;WaitForTermination;Orphan
+	// +optional
+	DeletionPolicy string `json:"deletionPolicy,omitempty"`
+
+	// A list of resources to be included in the health assessment.
+	// +optional
+	HealthChecks []meta.NamespacedObjectKindReference `json:"healthChecks,omitempty"`
+
+	// NamePrefix will prefix the names of all managed resources.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Optional
+	// +optional
+	NamePrefix string `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
+
+	// NameSuffix will suffix the names of all managed resources.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Optional
+	// +optional
+	NameSuffix string `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
+
+	// Strategic merge and JSON patches, defined as inline YAML objects,
+	// capable of targeting objects based on kind, label and annotation selectors.
+	// +optional
+	Patches []kustomize.Patch `json:"patches,omitempty"`
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	// +optional
+	Images []kustomize.Image `json:"images,omitempty"`
+
+	// The name of the Kubernetes service account to impersonate
+	// when reconciling this Kustomization.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// Reference of the source where the kustomization file is.
+	// +required
+	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`
+
+	// This flag tells the controller to suspend subsequent kustomize executions,
+	// it does not apply to already started executions. Defaults to false.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Optional
+	// +optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Force instructs the controller to recreate resources
+	// when patching fails due to an immutable field change.
+	// +kubebuilder:default:=false
+	// +optional
+	Force bool `json:"force,omitempty"`
+
+	// Wait instructs the controller to check the health of all the reconciled
+	// resources. When enabled, the HealthChecks are ignored. Defaults to false.
+	// +optional
+	Wait bool `json:"wait,omitempty"`
+
+	// Components specifies relative paths to specifications of other Components.
+	// +optional
+	Components []string `json:"components,omitempty"`
+
+	// HealthCheckExprs is a list of healthcheck expressions for evaluating the
+	// health of custom resources using Common Expression Language (CEL).
+	// The expressions are evaluated only when Wait or HealthChecks are specified.
+	// +optional
+	HealthCheckExprs []kustomize.CustomHealthCheck `json:"healthCheckExprs,omitempty"`
+}
+
+// CommonMetadata defines the common labels and annotations.
+type CommonMetadata struct {
+	// Annotations to be added to the object's metadata.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Labels to be added to the object's metadata.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// Decryption defines how decryption is handled for Kubernetes manifests.
+type Decryption struct {
+	// Provider is the name of the decryption engine.
+	// +kubebuilder:validation:Enum=sops
+	// +required
+	Provider string `json:"provider"`
+
+	// ServiceAccountName is the name of the service account used to
+	// authenticate with KMS services from cloud providers. If a
+	// static credential for a given cloud provider is defined
+	// inside the Secret referenced by SecretRef, that static
+	// credential takes priority.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// The secret name containing the private OpenPGP keys used for decryption.
+	// A static credential for a cloud provider defined inside the Secret
+	// takes priority to secret-less authentication with the ServiceAccountName
+	// field.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// PostBuild describes which actions to perform on the YAML manifest
+// generated by building the kustomize overlay.
+type PostBuild struct {
+	// Substitute holds a map of key/value pairs.
+	// The variables defined in your YAML manifests that match any of the keys
+	// defined in the map will be substituted with the set value.
+	// Includes support for bash string replacement functions
+	// e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.
+	// +optional
+	Substitute map[string]string `json:"substitute,omitempty"`
+
+	// SubstituteFrom holds references to ConfigMaps and Secrets containing
+	// the variables and their values to be substituted in the YAML manifests.
+	// The ConfigMap and the Secret data keys represent the var names, and they
+	// must match the vars declared in the manifests for the substitution to
+	// happen.
+	// +optional
+	SubstituteFrom []SubstituteReference `json:"substituteFrom,omitempty"`
+}
+
+// SubstituteReference contains a reference to a resource containing
+// the variables name and value.
+type SubstituteReference struct {
+	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+	// +kubebuilder:validation:Enum=Secret;ConfigMap
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the values referent. Should reside in the same namespace as the
+	// referring resource.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name"`
+
+	// Optional indicates whether the referenced resource must exist, or whether to
+	// tolerate its absence. If true and the referenced resource is absent, proceed
+	// as if the resource was present but empty, without any variables defined.
+	// +kubebuilder:default:=false
+	// +optional
+	Optional bool `json:"optional,omitempty"`
+}
+
+// KustomizationStatus defines the observed state of a kustomization.
+type KustomizationStatus struct {
+	meta.ReconcileRequestStatus `json:",inline"`
+
+	// ObservedGeneration is the last reconciled generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// The last successfully applied revision.
+	// Equals the Revision of the applied Artifact from the referenced Source.
+	// +optional
+	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
+
+	// The last successfully applied origin revision.
+	// Equals the origin revision of the applied Artifact from the referenced Source.
+	// Usually present on the Metadata of the applied Artifact and depends on the
+	// Source type, e.g. for OCI it's the value associated with the key
+	// "org.opencontainers.image.revision".
+	// +optional
+	LastAppliedOriginRevision string `json:"lastAppliedOriginRevision,omitempty"`
+
+	// LastAttemptedRevision is the revision of the last reconciliation attempt.
+	// +optional
+	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+
+	// Inventory contains the list of Kubernetes resource object references that
+	// have been successfully applied.
+	// +optional
+	Inventory *ResourceInventory `json:"inventory,omitempty"`
+}
+
+// GetTimeout returns the timeout with default.
+func (in Kustomization) GetTimeout() time.Duration {
+	duration := in.Spec.Interval.Duration - 30*time.Second
+	if in.Spec.Timeout != nil {
+		duration = in.Spec.Timeout.Duration
+	}
+	if duration < 30*time.Second {
+		return 30 * time.Second
+	}
+	return duration
+}
+
+// GetRetryInterval returns the retry interval
+func (in Kustomization) GetRetryInterval() time.Duration {
+	if in.Spec.RetryInterval != nil {
+		return in.Spec.RetryInterval.Duration
+	}
+	return in.GetRequeueAfter()
+}
+
+// GetRequeueAfter returns the duration after which the Kustomization must be
+// reconciled again.
+func (in Kustomization) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetDeletionPolicy returns the deletion policy and default value if not specified.
+func (in Kustomization) GetDeletionPolicy() string {
+	if in.Spec.DeletionPolicy == "" {
+		return DeletionPolicyMirrorPrune
+	}
+	return in.Spec.DeletionPolicy
+}
+
+// GetDependsOn returns the dependencies as a list of meta.NamespacedObjectReference.
+//
+// This function makes the Kustomization type conformant with the meta.ObjectWithDependencies interface
+// and allows the controller-runtime to index Kustomizations by their dependencies.
+func (in Kustomization) GetDependsOn() []meta.NamespacedObjectReference {
+	deps := make([]meta.NamespacedObjectReference, len(in.Spec.DependsOn))
+	for i := range in.Spec.DependsOn {
+		deps[i] = meta.NamespacedObjectReference{
+			Name:      in.Spec.DependsOn[i].Name,
+			Namespace: in.Spec.DependsOn[i].Namespace,
+		}
+	}
+	return deps
+}
+
+// GetConditions returns the status conditions of the object.
+func (in Kustomization) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Kustomization) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ks
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// Kustomization is the Schema for the kustomizations API.
+type Kustomization struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec KustomizationSpec `json:"spec,omitempty"`
+	// +kubebuilder:default:={"observedGeneration":-1}
+	Status KustomizationStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// KustomizationList contains a list of kustomizations.
+type KustomizationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Kustomization `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
+}
--- a/api/v1/reference_types.go
+++ b/api/v1/reference_types.go
@ -0,0 +1,72 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+)
+
+// CrossNamespaceSourceReference contains enough information to let you locate the
+// typed Kubernetes resource object at cluster level.
+type CrossNamespaceSourceReference struct {
+	// API version of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent.
+	// +kubebuilder:validation:Enum=OCIRepository;GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the namespace of the Kubernetes
+	// resource object that contains the reference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// String returns a string representation of the CrossNamespaceSourceReference
+// in the format "Kind/Name" or "Kind/Namespace/Name" if Namespace is set.
+func (s *CrossNamespaceSourceReference) String() string {
+	if s.Namespace != "" {
+		return fmt.Sprintf("%s/%s/%s", s.Kind, s.Namespace, s.Name)
+	}
+	return fmt.Sprintf("%s/%s", s.Kind, s.Name)
+}
+
+// DependencyReference defines a Kustomization dependency on another Kustomization resource.
+type DependencyReference struct {
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the namespace of the Kustomization
+	// resource object that contains the reference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// ReadyExpr is a CEL expression that can be used to assess the readiness
+	// of a dependency. When specified, the built-in readiness check
+	// is replaced by the logic defined in the CEL expression.
+	// To make the CEL expression additive to the built-in readiness check,
+	// the feature gate `AdditiveCELDependencyCheck` must be set to `true`.
+	// +optional
+	ReadyExpr string `json:"readyExpr,omitempty"`
+}
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
@ -0,0 +1,350 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CommonMetadata) DeepCopyInto(out *CommonMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonMetadata.
+func (in *CommonMetadata) DeepCopy() *CommonMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(CommonMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossNamespaceSourceReference) DeepCopyInto(out *CrossNamespaceSourceReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceSourceReference.
+func (in *CrossNamespaceSourceReference) DeepCopy() *CrossNamespaceSourceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(CrossNamespaceSourceReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Decryption) DeepCopyInto(out *Decryption) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Decryption.
+func (in *Decryption) DeepCopy() *Decryption {
+	if in == nil {
+		return nil
+	}
+	out := new(Decryption)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DependencyReference) DeepCopyInto(out *DependencyReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DependencyReference.
+func (in *DependencyReference) DeepCopy() *DependencyReference {
+	if in == nil {
+		return nil
+	}
+	out := new(DependencyReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Kustomization) DeepCopyInto(out *Kustomization) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kustomization.
+func (in *Kustomization) DeepCopy() *Kustomization {
+	if in == nil {
+		return nil
+	}
+	out := new(Kustomization)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Kustomization) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationList) DeepCopyInto(out *KustomizationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Kustomization, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationList.
+func (in *KustomizationList) DeepCopy() *KustomizationList {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *KustomizationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
+	*out = *in
+	if in.CommonMetadata != nil {
+		in, out := &in.CommonMetadata, &out.CommonMetadata
+		*out = new(CommonMetadata)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]DependencyReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Decryption != nil {
+		in, out := &in.Decryption, &out.Decryption
+		*out = new(Decryption)
+		(*in).DeepCopyInto(*out)
+	}
+	out.Interval = in.Interval
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.KubeConfig != nil {
+		in, out := &in.KubeConfig, &out.KubeConfig
+		*out = new(meta.KubeConfigReference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PostBuild != nil {
+		in, out := &in.PostBuild, &out.PostBuild
+		*out = new(PostBuild)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.HealthChecks != nil {
+		in, out := &in.HealthChecks, &out.HealthChecks
+		*out = make([]meta.NamespacedObjectKindReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Patches != nil {
+		in, out := &in.Patches, &out.Patches
+		*out = make([]kustomize.Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Images != nil {
+		in, out := &in.Images, &out.Images
+		*out = make([]kustomize.Image, len(*in))
+		copy(*out, *in)
+	}
+	out.SourceRef = in.SourceRef
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.HealthCheckExprs != nil {
+		in, out := &in.HealthCheckExprs, &out.HealthCheckExprs
+		*out = make([]kustomize.CustomHealthCheck, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationSpec.
+func (in *KustomizationSpec) DeepCopy() *KustomizationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationStatus) DeepCopyInto(out *KustomizationStatus) {
+	*out = *in
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Inventory != nil {
+		in, out := &in.Inventory, &out.Inventory
+		*out = new(ResourceInventory)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationStatus.
+func (in *KustomizationStatus) DeepCopy() *KustomizationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PostBuild) DeepCopyInto(out *PostBuild) {
+	*out = *in
+	if in.Substitute != nil {
+		in, out := &in.Substitute, &out.Substitute
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.SubstituteFrom != nil {
+		in, out := &in.SubstituteFrom, &out.SubstituteFrom
+		*out = make([]SubstituteReference, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostBuild.
+func (in *PostBuild) DeepCopy() *PostBuild {
+	if in == nil {
+		return nil
+	}
+	out := new(PostBuild)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceInventory) DeepCopyInto(out *ResourceInventory) {
+	*out = *in
+	if in.Entries != nil {
+		in, out := &in.Entries, &out.Entries
+		*out = make([]ResourceRef, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceInventory.
+func (in *ResourceInventory) DeepCopy() *ResourceInventory {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceInventory)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRef) DeepCopyInto(out *ResourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRef.
+func (in *ResourceRef) DeepCopy() *ResourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubstituteReference) DeepCopyInto(out *SubstituteReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubstituteReference.
+func (in *SubstituteReference) DeepCopy() *SubstituteReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SubstituteReference)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/api/v1alpha1/condition_types.go
+++ b/api/v1alpha1/condition_types.go
@ -1,90 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// Condition contains condition information for a kustomization.
-type Condition struct {
-	// Type of the condition, currently ('Ready').
-	// +required
-	Type string `json:"type"`
-
-	// Status of the condition, one of ('True', 'False', 'Unknown').
-	// +required
-	Status corev1.ConditionStatus `json:"status"`
-
-	// LastTransitionTime is the timestamp corresponding to the last status
-	// change of this condition.
-	// +required
-	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
-
-	// Reason is a brief machine readable explanation for the condition's last
-	// transition.
-	// +required
-	Reason string `json:"reason,omitempty"`
-
-	// Message is a human readable description of the details of the last
-	// transition, complementing reason.
-	// +optional
-	Message string `json:"message,omitempty"`
-}
-
-const (
-	// ReadyCondition represents the fact that a given kustomization has passed
-	// validation and was successfully applied on the cluster.
-	ReadyCondition string = "Ready"
-)
-
-const (
-	// ApplySucceedReason represents the fact that the kustomization apply succeed.
-	ApplySucceedReason string = "ApplySucceed"
-
-	// ApplyFailedReason represents the fact that the kustomization apply failed.
-	ApplyFailedReason string = "ApplyFailed"
-
-	// PruneFailedReason represents the fact that the kustomization pruning failed.
-	PruneFailedReason string = "PruneFailed"
-
-	// ArtifactFailedReason represents the fact that the artifact download failed.
-	ArtifactFailedReason string = "ArtifactFailed"
-
-	// BuildFailedReason represents the fact that the kustomize build command failed.
-	BuildFailedReason string = "BuildFailed"
-
-	// DependencyNotReady represents the fact that the one of the dependencies is not ready.
-	DependencyNotReadyReason string = "DependencyNotReady"
-
-	// HealthCheckFailedReason represents the fact that the one of the health check failed.
-	HealthCheckFailedReason string = "HealthCheckFailed"
-
-	// InitializedReason represents the fact that a given resource has been initialized.
-	InitializedReason string = "Initialized"
-
-	// ProgressingReason represents the fact that a kustomization reconciliation
-	// is underway.
-	ProgressingReason string = "Progressing"
-
-	// SuspendedReason represents the fact that the kustomization execution is suspended.
-	SuspendedReason string = "Suspended"
-
-	// ValidationFailedReason represents the fact that the dry-run apply failed.
-	ValidationFailedReason string = "ValidationFailed"
-)
--- a/api/v1alpha1/kustomization_types.go
+++ b/api/v1alpha1/kustomization_types.go
@ -1,225 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"time"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// KustomizationSpec defines the desired state of a kustomization.
-type KustomizationSpec struct {
-	// A list of kustomizations that must be ready before this
-	// kustomization can be applied.
-	// +optional
-	DependsOn []string `json:"dependsOn,omitempty"`
-
-	// The interval at which to apply the kustomization.
-	// +required
-	Interval metav1.Duration `json:"interval"`
-
-	// Path to the directory containing the kustomization file.
-	// +kubebuilder:validation:Pattern="^\\./"
-	// +required
-	Path string `json:"path"`
-
-	// Enables garbage collection.
-	// +required
-	Prune bool `json:"prune"`
-
-	// A list of workloads (Deployments, DaemonSets and StatefulSets)
-	// to be included in the health assessment.
-	// +optional
-	HealthChecks []WorkloadReference `json:"healthChecks,omitempty"`
-
-	// The Kubernetes service account used for applying the kustomization.
-	// +optional
-	ServiceAccount *ServiceAccount `json:"serviceAccount,omitempty"`
-
-	// Reference of the source where the kustomization file is.
-	// +required
-	SourceRef corev1.TypedLocalObjectReference `json:"sourceRef"`
-
-	// This flag tells the controller to suspend subsequent kustomize executions,
-	// it does not apply to already started executions. Defaults to false.
-	// +optional
-	Suspend bool `json:"suspend,omitempty"`
-
-	// Timeout for validation, apply and health checking operations.
-	// Defaults to 'Interval' duration.
-	// +optional
-	Timeout *metav1.Duration `json:"timeout,omitempty"`
-
-	// Validate the Kubernetes objects before applying them on the cluster.
-	// The validation strategy can be 'client' (local dry-run) or 'server' (APIServer dry-run).
-	// +kubebuilder:validation:Enum=client;server
-	// +optional
-	Validation string `json:"validation,omitempty"`
-}
-
-// WorkloadReference defines a reference to a Deployment, DaemonSet or StatefulSet.
-type WorkloadReference struct {
-	// Kind is the type of resource being referenced.
-	// +kubebuilder:validation:Enum=Deployment;DaemonSet;StatefulSet
-	// +required
-	Kind string `json:"kind"`
-
-	// Name is the name of resource being referenced.
-	// +required
-	Name string `json:"name"`
-
-	// Namespace is the namespace of resource being referenced.
-	// +required
-	Namespace string `json:"namespace"`
-}
-
-// ServiceAccount defines a reference to a Kubernetes service account.
-type ServiceAccount struct {
-	// Name is the name of the service account being referenced.
-	// +required
-	Name string `json:"name"`
-
-	// Namespace is the namespace of the service account being referenced.
-	// +required
-	Namespace string `json:"namespace"`
-}
-
-// KustomizationStatus defines the observed state of a kustomization.
-type KustomizationStatus struct {
-	// +optional
-	Conditions []Condition `json:"conditions,omitempty"`
-
-	// The last successfully applied revision.
-	// The revision format for Git sources is <branch|tag>/<commit-sha>.
-	// +optional
-	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
-
-	// The last successfully applied revision metadata.
-	// +optional
-	Snapshot *Snapshot `json:"snapshot,omitempty"`
-}
-
-func KustomizationReady(kustomization Kustomization, snapshot *Snapshot, revision, reason, message string) Kustomization {
-	kustomization.Status.Conditions = []Condition{
-		{
-			Type:               ReadyCondition,
-			Status:             corev1.ConditionTrue,
-			LastTransitionTime: metav1.Now(),
-			Reason:             reason,
-			Message:            message,
-		},
-	}
-	kustomization.Status.Snapshot = snapshot
-	kustomization.Status.LastAppliedRevision = revision
-	return kustomization
-}
-
-func KustomizationProgressing(kustomization Kustomization) Kustomization {
-	kustomization.Status.Conditions = []Condition{
-		{
-			Type:               ReadyCondition,
-			Status:             corev1.ConditionUnknown,
-			LastTransitionTime: metav1.Now(),
-			Reason:             ProgressingReason,
-			Message:            "reconciliation in progress",
-		},
-	}
-	return kustomization
-}
-
-func KustomizationNotReady(kustomization Kustomization, reason, message string) Kustomization {
-	kustomization.Status.Conditions = []Condition{
-		{
-			Type:               ReadyCondition,
-			Status:             corev1.ConditionFalse,
-			LastTransitionTime: metav1.Now(),
-			Reason:             reason,
-			Message:            message,
-		},
-	}
-	return kustomization
-}
-
-func KustomizationNotReadySnapshot(kustomization Kustomization, snapshot *Snapshot, reason, message string) Kustomization {
-	kustomization.Status.Conditions = []Condition{
-		{
-			Type:               ReadyCondition,
-			Status:             corev1.ConditionFalse,
-			LastTransitionTime: metav1.Now(),
-			Reason:             reason,
-			Message:            message,
-		},
-	}
-	kustomization.Status.Snapshot = snapshot
-	return kustomization
-}
-
-// GetTimeout returns the timeout with default
-func (in *Kustomization) GetTimeout() time.Duration {
-	duration := in.Spec.Interval.Duration
-	if in.Spec.Timeout != nil {
-		duration = in.Spec.Timeout.Duration
-	}
-	if duration < time.Minute {
-		return time.Minute
-	}
-	return duration
-}
-
-const (
-	// SyncAtAnnotation is the annotation used for triggering a
-	// sync outside of the specified schedule.
-	SyncAtAnnotation string = "kustomize.fluxcd.io/syncAt"
-
-	// SourceIndexKey is the key used for indexing kustomizations
-	// based on their sources.
-	SourceIndexKey string = ".metadata.source"
-
-	// DependencyIndexKey is the key used for indexing kustomizations
-	// based on their dependencies.
-	DependencyIndexKey string = ".metadata.dependency"
-)
-
-// +kubebuilder:object:root=true
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
-// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
-
-// Kustomization is the Schema for the kustomizations API.
-type Kustomization struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   KustomizationSpec   `json:"spec,omitempty"`
-	Status KustomizationStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// KustomizationList contains a list of kustomizations.
-type KustomizationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Kustomization `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
-}
--- a/api/v1alpha1/profile_types.go
+++ b/api/v1alpha1/profile_types.go
@ -1,91 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// ProfileSpec defines the desired state of Profile
-type ProfileSpec struct {
-	// Alerting configuration of the kustomizations targeted by this profile.
-	// +optional
-	Alert *AlertProvider `json:"alert"`
-
-	// The list of kustomizations that this profile applies to.
-	// +required
-	Kustomizations []string `json:"kustomizations"`
-}
-
-// Alert is the configuration of alerting for a specific provider
-type AlertProvider struct {
-	// HTTP(S) webhook address of this provider
-	// +required
-	Address string `json:"address"`
-
-	// Alert channel for this provider
-	// +required
-	Channel string `json:"channel"`
-
-	// Bot username for this provider
-	// +required
-	Username string `json:"username"`
-
-	// Filter alerts based on verbosity level, defaults to ('error').
-	// +kubebuilder:validation:Enum=info;error
-	// +optional
-	Verbosity string `json:"verbosity,omitempty"`
-
-	// Type of provider
-	// +kubebuilder:validation:Enum=slack;discord
-	// +required
-	Type string `json:"type"`
-}
-
-// ProfileStatus defines the observed state of Profile
-type ProfileStatus struct {
-	// +optional
-	Conditions []Condition `json:"conditions,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:subresource:status
-// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
-// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
-
-// Profile is the Schema for the profiles API
-type Profile struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ProfileSpec   `json:"spec,omitempty"`
-	Status ProfileStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ProfileList contains a list of Profile
-type ProfileList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []Profile `json:"items"`
-}
-
-func init() {
-	SchemeBuilder.Register(&Profile{}, &ProfileList{})
-}
--- a/api/v1beta1/condition_types.go
+++ b/api/v1beta1/condition_types.go
@ -0,0 +1,43 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+const (
+	// HealthyCondition is the condition type used
+	// to record the last health assessment result.
+	HealthyCondition string = "Healthy"
+
+	// PruneFailedReason represents the fact that the
+	// pruning of the Kustomization failed.
+	PruneFailedReason string = "PruneFailed"
+
+	// ArtifactFailedReason represents the fact that the
+	// artifact download of the kustomization failed.
+	ArtifactFailedReason string = "ArtifactFailed"
+
+	// BuildFailedReason represents the fact that the
+	// kustomize build of the Kustomization failed.
+	BuildFailedReason string = "BuildFailed"
+
+	// HealthCheckFailedReason represents the fact that
+	// one of the health checks of the Kustomization failed.
+	HealthCheckFailedReason string = "HealthCheckFailed"
+
+	// ValidationFailedReason represents the fact that the
+	// validation of the Kustomization manifests has failed.
+	ValidationFailedReason string = "ValidationFailed"
+)
--- a/api/v1beta1/doc.go
+++ b/api/v1beta1/doc.go
@ -0,0 +1,20 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains API Schema definitions for the kustomize v1beta1 API group
+// +kubebuilder:object:generate=true
+// +groupName=kustomize.toolkit.fluxcd.io
+package v1beta1
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux CD contributors.
+Copyright 2020 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,10 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-// Package v1alpha1 contains API Schema definitions for the kustomize v1alpha1 API group
-// +kubebuilder:object:generate=true
-// +groupName=kustomize.fluxcd.io
-package v1alpha1
+package v1beta1

 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -26,7 +23,7 @@ import (

 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "kustomize.fluxcd.io", Version: "v1alpha1"}
+	GroupVersion = schema.GroupVersion{Group: "kustomize.toolkit.fluxcd.io", Version: "v1beta1"}

 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
--- a/api/v1beta1/kustomization_types.go
+++ b/api/v1beta1/kustomization_types.go
@ -0,0 +1,311 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"time"
+
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+)
+
+const (
+	KustomizationKind         = "Kustomization"
+	KustomizationFinalizer    = "finalizers.fluxcd.io"
+	MaxConditionMessageLength = 20000
+	DisabledValue             = "disabled"
+)
+
+// KustomizationSpec defines the desired state of a kustomization.
+type KustomizationSpec struct {
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready before this
+	// Kustomization can be reconciled.
+	// +optional
+	DependsOn []meta.NamespacedObjectReference `json:"dependsOn,omitempty"`
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	// +optional
+	Decryption *Decryption `json:"decryption,omitempty"`
+
+	// The interval at which to reconcile the Kustomization.
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The interval at which to retry a previously failed reconciliation.
+	// When not specified, the controller uses the KustomizationSpec.Interval
+	// value to retry failures.
+	// +optional
+	RetryInterval *metav1.Duration `json:"retryInterval,omitempty"`
+
+	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// When specified, KubeConfig takes precedence over ServiceAccountName.
+	// +optional
+	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
+
+	// Path to the directory containing the kustomization.yaml file, or the
+	// set of plain YAMLs a kustomization.yaml should be generated for.
+	// Defaults to 'None', which translates to the root path of the SourceRef.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PostBuild describes which actions to perform on the YAML manifest
+	// generated by building the kustomize overlay.
+	// +optional
+	PostBuild *PostBuild `json:"postBuild,omitempty"`
+
+	// Prune enables garbage collection.
+	// +required
+	Prune bool `json:"prune"`
+
+	// A list of resources to be included in the health assessment.
+	// +optional
+	HealthChecks []meta.NamespacedObjectKindReference `json:"healthChecks,omitempty"`
+
+	// Strategic merge and JSON patches, defined as inline YAML objects,
+	// capable of targeting objects based on kind, label and annotation selectors.
+	// +optional
+	Patches []kustomize.Patch `json:"patches,omitempty"`
+
+	// Strategic merge patches, defined as inline YAML objects.
+	// +optional
+	PatchesStrategicMerge []apiextensionsv1.JSON `json:"patchesStrategicMerge,omitempty"`
+
+	// JSON 6902 patches, defined as inline YAML objects.
+	// +optional
+	PatchesJSON6902 []kustomize.JSON6902Patch `json:"patchesJson6902,omitempty"`
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	// +optional
+	Images []kustomize.Image `json:"images,omitempty"`
+
+	// The name of the Kubernetes service account to impersonate
+	// when reconciling this Kustomization.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// Reference of the source where the kustomization file is.
+	// +required
+	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`
+
+	// This flag tells the controller to suspend subsequent kustomize executions,
+	// it does not apply to already started executions. Defaults to false.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Optional
+	// +optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Validate the Kubernetes objects before applying them on the cluster.
+	// The validation strategy can be 'client' (local dry-run), 'server'
+	// (APIServer dry-run) or 'none'.
+	// When 'Force' is 'true', validation will fallback to 'client' if set to
+	// 'server' because server-side validation is not supported in this scenario.
+	// +kubebuilder:validation:Enum=none;client;server
+	// +optional
+	Validation string `json:"validation,omitempty"`
+
+	// Force instructs the controller to recreate resources
+	// when patching fails due to an immutable field change.
+	// +kubebuilder:default:=false
+	// +optional
+	Force bool `json:"force,omitempty"`
+}
+
+// Decryption defines how decryption is handled for Kubernetes manifests.
+type Decryption struct {
+	// Provider is the name of the decryption engine.
+	// +kubebuilder:validation:Enum=sops
+	// +required
+	Provider string `json:"provider"`
+
+	// The secret name containing the private OpenPGP keys used for decryption.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// KubeConfig references a Kubernetes secret that contains a kubeconfig file.
+type KubeConfig struct {
+	// SecretRef holds the name to a secret that contains a 'value' key with
+	// the kubeconfig file as the value. It must be in the same namespace as
+	// the Kustomization.
+	// It is recommended that the kubeconfig is self-contained, and the secret
+	// is regularly updated if credentials such as a cloud-access-token expire.
+	// Cloud specific `cmd-path` auth helpers will not function without adding
+	// binaries and credentials to the Pod that is responsible for reconciling
+	// the Kustomization.
+	// +required
+	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// PostBuild describes which actions to perform on the YAML manifest
+// generated by building the kustomize overlay.
+type PostBuild struct {
+	// Substitute holds a map of key/value pairs.
+	// The variables defined in your YAML manifests
+	// that match any of the keys defined in the map
+	// will be substituted with the set value.
+	// Includes support for bash string replacement functions
+	// e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.
+	// +optional
+	Substitute map[string]string `json:"substitute,omitempty"`
+
+	// SubstituteFrom holds references to ConfigMaps and Secrets containing
+	// the variables and their values to be substituted in the YAML manifests.
+	// The ConfigMap and the Secret data keys represent the var names and they
+	// must match the vars declared in the manifests for the substitution to happen.
+	// +optional
+	SubstituteFrom []SubstituteReference `json:"substituteFrom,omitempty"`
+}
+
+// SubstituteReference contains a reference to a resource containing
+// the variables name and value.
+type SubstituteReference struct {
+	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+	// +kubebuilder:validation:Enum=Secret;ConfigMap
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the values referent. Should reside in the same namespace as the
+	// referring resource.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name"`
+}
+
+// KustomizationStatus defines the observed state of a kustomization.
+type KustomizationStatus struct {
+	// ObservedGeneration is the last reconciled generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// The last successfully applied revision.
+	// The revision format for Git sources is <branch|tag>/<commit-sha>.
+	// +optional
+	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
+
+	// LastAttemptedRevision is the revision of the last reconciliation attempt.
+	// +optional
+	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+
+	meta.ReconcileRequestStatus `json:",inline"`
+
+	// The last successfully applied revision metadata.
+	// +optional
+	Snapshot *Snapshot `json:"snapshot,omitempty"`
+}
+
+// GetTimeout returns the timeout with default.
+func (in Kustomization) GetTimeout() time.Duration {
+	duration := in.Spec.Interval.Duration
+	if in.Spec.Timeout != nil {
+		duration = in.Spec.Timeout.Duration
+	}
+	if duration < time.Minute {
+		return time.Minute
+	}
+	return duration
+}
+
+// GetRetryInterval returns the retry interval
+func (in Kustomization) GetRetryInterval() time.Duration {
+	if in.Spec.RetryInterval != nil {
+		return in.Spec.RetryInterval.Duration
+	}
+	return in.Spec.Interval.Duration
+}
+
+func (in Kustomization) GetDependsOn() (types.NamespacedName, []meta.NamespacedObjectReference) {
+	return types.NamespacedName{
+		Namespace: in.Namespace,
+		Name:      in.Name,
+	}, in.Spec.DependsOn
+}
+
+// GetStatusConditions returns a pointer to the Status.Conditions slice
+func (in *Kustomization) GetStatusConditions() *[]metav1.Condition {
+	return &in.Status.Conditions
+}
+
+const (
+	// GitRepositoryIndexKey is the key used for indexing kustomizations
+	// based on their Git sources.
+	GitRepositoryIndexKey string = ".metadata.gitRepository"
+	// BucketIndexKey is the key used for indexing kustomizations
+	// based on their S3 sources.
+	BucketIndexKey string = ".metadata.bucket"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ks
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:deprecatedversion:warning="v1beta1 Kustomization is deprecated, upgrade to v1"
+
+// Kustomization is the Schema for the kustomizations API.
+type Kustomization struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec KustomizationSpec `json:"spec,omitempty"`
+	// +kubebuilder:default:={"observedGeneration":-1}
+	Status KustomizationStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// KustomizationList contains a list of kustomizations.
+type KustomizationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Kustomization `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
+}
+
+func trimString(str string, limit int) string {
+	if len(str) <= limit {
+		return str
+	}
+
+	return str[0:limit] + "..."
+}
--- a/api/v1beta1/reference_types.go
+++ b/api/v1beta1/reference_types.go
@ -0,0 +1,47 @@
+/*
+Copyright 2020 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import "fmt"
+
+// CrossNamespaceSourceReference contains enough information to let you locate the
+// typed referenced object at cluster level
+type CrossNamespaceSourceReference struct {
+	// API version of the referent
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent
+	// +kubebuilder:validation:Enum=GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the Kustomization namespace
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+func (s *CrossNamespaceSourceReference) String() string {
+	if s.Namespace != "" {
+		return fmt.Sprintf("%s/%s/%s", s.Kind, s.Namespace, s.Name)
+	}
+	return fmt.Sprintf("%s/%s", s.Kind, s.Name)
+}
--- a/api/v1alpha1/snapshot_types.go
+++ b/api/v1alpha1/snapshot_types.go
@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux CD contributors.
+Copyright 2020 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -14,23 +14,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package v1alpha1
+package v1beta1

 import (
 	"bytes"
 	"io"
+	"strings"

 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/yaml"
 )

 // Snapshot holds the metadata of the Kubernetes objects
 // generated for a source revision
 type Snapshot struct {
-	// The source revision.
+	// The manifests sha1 checksum.
 	// +required
-	Revision string `json:"revision"`
+	Checksum string `json:"checksum"`

 	// A list of Kubernetes kinds grouped by namespace.
 	// +required
@ -49,9 +51,9 @@ type SnapshotEntry struct {
 	Kinds map[string]string `json:"kinds"`
 }

-func NewSnapshot(manifests []byte, revision string) (*Snapshot, error) {
+func NewSnapshot(manifests []byte, checksum string) (*Snapshot, error) {
 	snapshot := Snapshot{
-		Revision: revision,
+		Checksum: checksum,
 		Entries:  []SnapshotEntry{},
 	}

@ -84,7 +86,7 @@ func (s *Snapshot) addEntry(item *unstructured.Unstructured) {
 	found := false
 	for _, tracker := range s.Entries {
 		if tracker.Namespace == item.GetNamespace() {
-			tracker.Kinds[item.GetKind()] = item.GetAPIVersion()
+			tracker.Kinds[item.GroupVersionKind().String()] = item.GetKind()
 			found = true
 			break
 		}
@ -93,31 +95,42 @@ func (s *Snapshot) addEntry(item *unstructured.Unstructured) {
 		s.Entries = append(s.Entries, SnapshotEntry{
 			Namespace: item.GetNamespace(),
 			Kinds: map[string]string{
-				item.GetKind(): item.GetAPIVersion(),
+				item.GroupVersionKind().String(): item.GetKind(),
 			},
 		})
 	}
 }

-func (s *Snapshot) NonNamespacedKinds() []string {
-	kinds := make([]string, 0)
+func (s *Snapshot) NonNamespacedKinds() []schema.GroupVersionKind {
+	kinds := make([]schema.GroupVersionKind, 0)
+
 	for _, tracker := range s.Entries {
 		if tracker.Namespace == "" {
-			for k, _ := range tracker.Kinds {
-				kinds = append(kinds, k)
+			for gvk, kind := range tracker.Kinds {
+				if strings.Contains(gvk, ",") {
+					gv, err := schema.ParseGroupVersion(strings.Split(gvk, ",")[0])
+					if err == nil {
+						kinds = append(kinds, gv.WithKind(kind))
+					}
+				}
 			}
 		}
 	}
 	return kinds
 }

-func (s *Snapshot) NamespacedKinds() map[string][]string {
-	nsk := make(map[string][]string)
+func (s *Snapshot) NamespacedKinds() map[string][]schema.GroupVersionKind {
+	nsk := make(map[string][]schema.GroupVersionKind)
 	for _, tracker := range s.Entries {
 		if tracker.Namespace != "" {
-			var kinds []string
-			for k, _ := range tracker.Kinds {
-				kinds = append(kinds, k)
+			var kinds []schema.GroupVersionKind
+			for gvk, kind := range tracker.Kinds {
+				if strings.Contains(gvk, ",") {
+					gv, err := schema.ParseGroupVersion(strings.Split(gvk, ",")[0])
+					if err == nil {
+						kinds = append(kinds, gv.WithKind(kind))
+					}
+				}
 			}
 			nsk[tracker.Namespace] = kinds
 		}
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -1,7 +1,7 @@
-// +build !ignore_autogenerated
+//go:build !ignore_autogenerated

 /*
-Copyright 2020 The Flux CD contributors.
+Copyright 2023 The Flux authors

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@ -18,40 +18,63 @@ limitations under the License.

 // Code generated by controller-gen. DO NOT EDIT.

-package v1alpha1
+package v1beta1

 import (
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlertProvider) DeepCopyInto(out *AlertProvider) {
+func (in *CrossNamespaceSourceReference) DeepCopyInto(out *CrossNamespaceSourceReference) {
 	*out = *in
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlertProvider.
-func (in *AlertProvider) DeepCopy() *AlertProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceSourceReference.
+func (in *CrossNamespaceSourceReference) DeepCopy() *CrossNamespaceSourceReference {
 	if in == nil {
 		return nil
 	}
-	out := new(AlertProvider)
+	out := new(CrossNamespaceSourceReference)
 	in.DeepCopyInto(out)
 	return out
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Condition) DeepCopyInto(out *Condition) {
+func (in *Decryption) DeepCopyInto(out *Decryption) {
 	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
-func (in *Condition) DeepCopy() *Condition {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Decryption.
+func (in *Decryption) DeepCopy() *Decryption {
 	if in == nil {
 		return nil
 	}
-	out := new(Condition)
+	out := new(Decryption)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubeConfig) DeepCopyInto(out *KubeConfig) {
+	*out = *in
+	out.SecretRef = in.SecretRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeConfig.
+func (in *KubeConfig) DeepCopy() *KubeConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(KubeConfig)
 	in.DeepCopyInto(out)
 	return out
 }
@ -120,21 +143,62 @@ func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 	*out = *in
 	if in.DependsOn != nil {
 		in, out := &in.DependsOn, &out.DependsOn
-		*out = make([]string, len(*in))
+		*out = make([]meta.NamespacedObjectReference, len(*in))
 		copy(*out, *in)
 	}
+	if in.Decryption != nil {
+		in, out := &in.Decryption, &out.Decryption
+		*out = new(Decryption)
+		(*in).DeepCopyInto(*out)
+	}
 	out.Interval = in.Interval
-	if in.HealthChecks != nil {
-		in, out := &in.HealthChecks, &out.HealthChecks
-		*out = make([]WorkloadReference, len(*in))
-		copy(*out, *in)
-	}
-	if in.ServiceAccount != nil {
-		in, out := &in.ServiceAccount, &out.ServiceAccount
-		*out = new(ServiceAccount)
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(v1.Duration)
 		**out = **in
 	}
-	in.SourceRef.DeepCopyInto(&out.SourceRef)
+	if in.KubeConfig != nil {
+		in, out := &in.KubeConfig, &out.KubeConfig
+		*out = new(KubeConfig)
+		**out = **in
+	}
+	if in.PostBuild != nil {
+		in, out := &in.PostBuild, &out.PostBuild
+		*out = new(PostBuild)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.HealthChecks != nil {
+		in, out := &in.HealthChecks, &out.HealthChecks
+		*out = make([]meta.NamespacedObjectKindReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Patches != nil {
+		in, out := &in.Patches, &out.Patches
+		*out = make([]kustomize.Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PatchesStrategicMerge != nil {
+		in, out := &in.PatchesStrategicMerge, &out.PatchesStrategicMerge
+		*out = make([]apiextensionsv1.JSON, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PatchesJSON6902 != nil {
+		in, out := &in.PatchesJSON6902, &out.PatchesJSON6902
+		*out = make([]kustomize.JSON6902Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Images != nil {
+		in, out := &in.Images, &out.Images
+		*out = make([]kustomize.Image, len(*in))
+		copy(*out, *in)
+	}
+	out.SourceRef = in.SourceRef
 	if in.Timeout != nil {
 		in, out := &in.Timeout, &out.Timeout
 		*out = new(v1.Duration)
@ -157,11 +221,12 @@ func (in *KustomizationStatus) DeepCopyInto(out *KustomizationStatus) {
 	*out = *in
 	if in.Conditions != nil {
 		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
+		*out = make([]v1.Condition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
 	if in.Snapshot != nil {
 		in, out := &in.Snapshot, &out.Snapshot
 		*out = new(Snapshot)
@ -180,122 +245,28 @@ func (in *KustomizationStatus) DeepCopy() *KustomizationStatus {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Profile) DeepCopyInto(out *Profile) {
+func (in *PostBuild) DeepCopyInto(out *PostBuild) {
 	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Profile.
-func (in *Profile) DeepCopy() *Profile {
-	if in == nil {
-		return nil
-	}
-	out := new(Profile)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Profile) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ProfileList) DeepCopyInto(out *ProfileList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Profile, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
+	if in.Substitute != nil {
+		in, out := &in.Substitute, &out.Substitute
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProfileList.
-func (in *ProfileList) DeepCopy() *ProfileList {
-	if in == nil {
-		return nil
-	}
-	out := new(ProfileList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ProfileList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ProfileSpec) DeepCopyInto(out *ProfileSpec) {
-	*out = *in
-	if in.Alert != nil {
-		in, out := &in.Alert, &out.Alert
-		*out = new(AlertProvider)
-		**out = **in
-	}
-	if in.Kustomizations != nil {
-		in, out := &in.Kustomizations, &out.Kustomizations
-		*out = make([]string, len(*in))
+	if in.SubstituteFrom != nil {
+		in, out := &in.SubstituteFrom, &out.SubstituteFrom
+		*out = make([]SubstituteReference, len(*in))
 		copy(*out, *in)
 	}
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProfileSpec.
-func (in *ProfileSpec) DeepCopy() *ProfileSpec {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostBuild.
+func (in *PostBuild) DeepCopy() *PostBuild {
 	if in == nil {
 		return nil
 	}
-	out := new(ProfileSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ProfileStatus) DeepCopyInto(out *ProfileStatus) {
-	*out = *in
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]Condition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProfileStatus.
-func (in *ProfileStatus) DeepCopy() *ProfileStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ProfileStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ServiceAccount) DeepCopyInto(out *ServiceAccount) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccount.
-func (in *ServiceAccount) DeepCopy() *ServiceAccount {
-	if in == nil {
-		return nil
-	}
-	out := new(ServiceAccount)
+	out := new(PostBuild)
 	in.DeepCopyInto(out)
 	return out
 }
@ -345,16 +316,16 @@ func (in *SnapshotEntry) DeepCopy() *SnapshotEntry {
 }

 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WorkloadReference) DeepCopyInto(out *WorkloadReference) {
+func (in *SubstituteReference) DeepCopyInto(out *SubstituteReference) {
 	*out = *in
 }

-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadReference.
-func (in *WorkloadReference) DeepCopy() *WorkloadReference {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubstituteReference.
+func (in *SubstituteReference) DeepCopy() *SubstituteReference {
 	if in == nil {
 		return nil
 	}
-	out := new(WorkloadReference)
+	out := new(SubstituteReference)
 	in.DeepCopyInto(out)
 	return out
 }
--- a/api/v1beta2/condition_types.go
+++ b/api/v1beta2/condition_types.go
@ -0,0 +1,55 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+const (
+	// HealthyCondition represents the last recorded
+	// health assessment result.
+	HealthyCondition string = "Healthy"
+
+	// PruneFailedReason represents the fact that the
+	// pruning of the Kustomization failed.
+	PruneFailedReason string = "PruneFailed"
+
+	// ArtifactFailedReason represents the fact that the
+	// source artifact download failed.
+	ArtifactFailedReason string = "ArtifactFailed"
+
+	// BuildFailedReason represents the fact that the
+	// kustomize build failed.
+	BuildFailedReason string = "BuildFailed"
+
+	// HealthCheckFailedReason represents the fact that
+	// one of the health checks failed.
+	HealthCheckFailedReason string = "HealthCheckFailed"
+
+	// DependencyNotReadyReason represents the fact that
+	// one of the dependencies is not ready.
+	DependencyNotReadyReason string = "DependencyNotReady"
+
+	// ReconciliationSucceededReason represents the fact that
+	// the reconciliation succeeded.
+	ReconciliationSucceededReason string = "ReconciliationSucceeded"
+
+	// ReconciliationFailedReason represents the fact that
+	// the reconciliation failed.
+	ReconciliationFailedReason string = "ReconciliationFailed"
+
+	// ProgressingWithRetryReason represents the fact that
+	// the reconciliation encountered an error that will be retried.
+	ProgressingWithRetryReason string = "ProgressingWithRetry"
+)
--- a/api/v1beta2/doc.go
+++ b/api/v1beta2/doc.go
@ -0,0 +1,20 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta2 contains API Schema definitions for the kustomize.toolkit.fluxcd.io v1beta2 API group.
+// +kubebuilder:object:generate=true
+// +groupName=kustomize.toolkit.fluxcd.io
+package v1beta2
--- a/api/v1beta2/groupversion_info.go
+++ b/api/v1beta2/groupversion_info.go
@ -0,0 +1,33 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "kustomize.toolkit.fluxcd.io", Version: "v1beta2"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
--- a/api/v1beta2/inventory_types.go
+++ b/api/v1beta2/inventory_types.go
@ -0,0 +1,33 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+// ResourceInventory contains a list of Kubernetes resource object references that have been applied by a Kustomization.
+type ResourceInventory struct {
+	// Entries of Kubernetes resource object references.
+	Entries []ResourceRef `json:"entries"`
+}
+
+// ResourceRef contains the information necessary to locate a resource within a cluster.
+type ResourceRef struct {
+	// ID is the string representation of the Kubernetes resource object's metadata,
+	// in the format '<namespace>_<name>_<group>_<kind>'.
+	ID string `json:"id"`
+
+	// Version is the API version of the Kubernetes resource object's kind.
+	Version string `json:"v"`
+}
--- a/api/v1beta2/kustomization_types.go
+++ b/api/v1beta2/kustomization_types.go
@ -0,0 +1,336 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	"time"
+
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	KustomizationKind         = "Kustomization"
+	KustomizationFinalizer    = "finalizers.fluxcd.io"
+	MaxConditionMessageLength = 20000
+	EnabledValue              = "enabled"
+	DisabledValue             = "disabled"
+	MergeValue                = "merge"
+)
+
+// KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize.
+type KustomizationSpec struct {
+	// CommonMetadata specifies the common labels and annotations that are applied to all resources.
+	// Any existing label or annotation will be overridden if its key matches a common one.
+	// +optional
+	CommonMetadata *CommonMetadata `json:"commonMetadata,omitempty"`
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready before this
+	// Kustomization can be reconciled.
+	// +optional
+	DependsOn []meta.NamespacedObjectReference `json:"dependsOn,omitempty"`
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	// +optional
+	Decryption *Decryption `json:"decryption,omitempty"`
+
+	// The interval at which to reconcile the Kustomization.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The interval at which to retry a previously failed reconciliation.
+	// When not specified, the controller uses the KustomizationSpec.Interval
+	// value to retry failures.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	RetryInterval *metav1.Duration `json:"retryInterval,omitempty"`
+
+	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// When used in combination with KustomizationSpec.ServiceAccountName,
+	// forces the controller to act on behalf of that Service Account at the
+	// target cluster.
+	// If the --default-service-account flag is set, its value will be used as
+	// a controller level fallback for when KustomizationSpec.ServiceAccountName
+	// is empty.
+	// +optional
+	KubeConfig *meta.KubeConfigReference `json:"kubeConfig,omitempty"`
+
+	// Path to the directory containing the kustomization.yaml file, or the
+	// set of plain YAMLs a kustomization.yaml should be generated for.
+	// Defaults to 'None', which translates to the root path of the SourceRef.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PostBuild describes which actions to perform on the YAML manifest
+	// generated by building the kustomize overlay.
+	// +optional
+	PostBuild *PostBuild `json:"postBuild,omitempty"`
+
+	// Prune enables garbage collection.
+	// +required
+	Prune bool `json:"prune"`
+
+	// A list of resources to be included in the health assessment.
+	// +optional
+	HealthChecks []meta.NamespacedObjectKindReference `json:"healthChecks,omitempty"`
+
+	// Strategic merge and JSON patches, defined as inline YAML objects,
+	// capable of targeting objects based on kind, label and annotation selectors.
+	// +optional
+	Patches []kustomize.Patch `json:"patches,omitempty"`
+
+	// Strategic merge patches, defined as inline YAML objects.
+	// Deprecated: Use Patches instead.
+	// +optional
+	PatchesStrategicMerge []apiextensionsv1.JSON `json:"patchesStrategicMerge,omitempty"`
+
+	// JSON 6902 patches, defined as inline YAML objects.
+	// Deprecated: Use Patches instead.
+	// +optional
+	PatchesJSON6902 []kustomize.JSON6902Patch `json:"patchesJson6902,omitempty"`
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	// +optional
+	Images []kustomize.Image `json:"images,omitempty"`
+
+	// The name of the Kubernetes service account to impersonate
+	// when reconciling this Kustomization.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// Reference of the source where the kustomization file is.
+	// +required
+	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`
+
+	// This flag tells the controller to suspend subsequent kustomize executions,
+	// it does not apply to already started executions. Defaults to false.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Optional
+	// +optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Force instructs the controller to recreate resources
+	// when patching fails due to an immutable field change.
+	// +kubebuilder:default:=false
+	// +optional
+	Force bool `json:"force,omitempty"`
+
+	// Wait instructs the controller to check the health of all the reconciled resources.
+	// When enabled, the HealthChecks are ignored. Defaults to false.
+	// +optional
+	Wait bool `json:"wait,omitempty"`
+
+	// Components specifies relative paths to specifications of other Components.
+	// +optional
+	Components []string `json:"components,omitempty"`
+
+	// Deprecated: Not used in v1beta2.
+	// +kubebuilder:validation:Enum=none;client;server
+	// +optional
+	Validation string `json:"validation,omitempty"`
+}
+
+// CommonMetadata defines the common labels and annotations.
+type CommonMetadata struct {
+	// Annotations to be added to the object's metadata.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Labels to be added to the object's metadata.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// Decryption defines how decryption is handled for Kubernetes manifests.
+type Decryption struct {
+	// Provider is the name of the decryption engine.
+	// +kubebuilder:validation:Enum=sops
+	// +required
+	Provider string `json:"provider"`
+
+	// The secret name containing the private OpenPGP keys used for decryption.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// PostBuild describes which actions to perform on the YAML manifest
+// generated by building the kustomize overlay.
+type PostBuild struct {
+	// Substitute holds a map of key/value pairs.
+	// The variables defined in your YAML manifests
+	// that match any of the keys defined in the map
+	// will be substituted with the set value.
+	// Includes support for bash string replacement functions
+	// e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.
+	// +optional
+	Substitute map[string]string `json:"substitute,omitempty"`
+
+	// SubstituteFrom holds references to ConfigMaps and Secrets containing
+	// the variables and their values to be substituted in the YAML manifests.
+	// The ConfigMap and the Secret data keys represent the var names and they
+	// must match the vars declared in the manifests for the substitution to happen.
+	// +optional
+	SubstituteFrom []SubstituteReference `json:"substituteFrom,omitempty"`
+}
+
+// SubstituteReference contains a reference to a resource containing
+// the variables name and value.
+type SubstituteReference struct {
+	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+	// +kubebuilder:validation:Enum=Secret;ConfigMap
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the values referent. Should reside in the same namespace as the
+	// referring resource.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name"`
+
+	// Optional indicates whether the referenced resource must exist, or whether to
+	// tolerate its absence. If true and the referenced resource is absent, proceed
+	// as if the resource was present but empty, without any variables defined.
+	// +kubebuilder:default:=false
+	// +optional
+	Optional bool `json:"optional,omitempty"`
+}
+
+// KustomizationStatus defines the observed state of a kustomization.
+type KustomizationStatus struct {
+	meta.ReconcileRequestStatus `json:",inline"`
+
+	// ObservedGeneration is the last reconciled generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// The last successfully applied revision.
+	// Equals the Revision of the applied Artifact from the referenced Source.
+	// +optional
+	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
+
+	// LastAttemptedRevision is the revision of the last reconciliation attempt.
+	// +optional
+	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+
+	// Inventory contains the list of Kubernetes resource object references that have been successfully applied.
+	// +optional
+	Inventory *ResourceInventory `json:"inventory,omitempty"`
+}
+
+// GetTimeout returns the timeout with default.
+func (in Kustomization) GetTimeout() time.Duration {
+	duration := in.Spec.Interval.Duration - 30*time.Second
+	if in.Spec.Timeout != nil {
+		duration = in.Spec.Timeout.Duration
+	}
+	if duration < 30*time.Second {
+		return 30 * time.Second
+	}
+	return duration
+}
+
+// GetRetryInterval returns the retry interval
+func (in Kustomization) GetRetryInterval() time.Duration {
+	if in.Spec.RetryInterval != nil {
+		return in.Spec.RetryInterval.Duration
+	}
+	return in.GetRequeueAfter()
+}
+
+// GetRequeueAfter returns the duration after which the Kustomization must be
+// reconciled again.
+func (in Kustomization) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetDependsOn returns the list of dependencies across-namespaces.
+func (in Kustomization) GetDependsOn() []meta.NamespacedObjectReference {
+	return in.Spec.DependsOn
+}
+
+// GetConditions returns the status conditions of the object.
+func (in Kustomization) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Kustomization) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// GetStatusConditions returns a pointer to the Status.Conditions slice.
+// Deprecated: use GetConditions instead.
+func (in *Kustomization) GetStatusConditions() *[]metav1.Condition {
+	return &in.Status.Conditions
+}
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ks
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+// +kubebuilder:deprecatedversion:warning="v1beta2 Kustomization is deprecated, upgrade to v1"
+
+// Kustomization is the Schema for the kustomizations API.
+type Kustomization struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec KustomizationSpec `json:"spec,omitempty"`
+	// +kubebuilder:default:={"observedGeneration":-1}
+	Status KustomizationStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// KustomizationList contains a list of kustomizations.
+type KustomizationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Kustomization `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
+}
--- a/api/v1beta2/reference_types.go
+++ b/api/v1beta2/reference_types.go
@ -0,0 +1,47 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import "fmt"
+
+// CrossNamespaceSourceReference contains enough information to let you locate the
+// typed Kubernetes resource object at cluster level.
+type CrossNamespaceSourceReference struct {
+	// API version of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent.
+	// +kubebuilder:validation:Enum=OCIRepository;GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+func (s *CrossNamespaceSourceReference) String() string {
+	if s.Namespace != "" {
+		return fmt.Sprintf("%s/%s/%s", s.Kind, s.Namespace, s.Name)
+	}
+	return fmt.Sprintf("%s/%s", s.Kind, s.Name)
+}
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@ -0,0 +1,345 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1beta2
+
+import (
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CommonMetadata) DeepCopyInto(out *CommonMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonMetadata.
+func (in *CommonMetadata) DeepCopy() *CommonMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(CommonMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossNamespaceSourceReference) DeepCopyInto(out *CrossNamespaceSourceReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceSourceReference.
+func (in *CrossNamespaceSourceReference) DeepCopy() *CrossNamespaceSourceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(CrossNamespaceSourceReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Decryption) DeepCopyInto(out *Decryption) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Decryption.
+func (in *Decryption) DeepCopy() *Decryption {
+	if in == nil {
+		return nil
+	}
+	out := new(Decryption)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Kustomization) DeepCopyInto(out *Kustomization) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kustomization.
+func (in *Kustomization) DeepCopy() *Kustomization {
+	if in == nil {
+		return nil
+	}
+	out := new(Kustomization)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Kustomization) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationList) DeepCopyInto(out *KustomizationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Kustomization, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationList.
+func (in *KustomizationList) DeepCopy() *KustomizationList {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *KustomizationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
+	*out = *in
+	if in.CommonMetadata != nil {
+		in, out := &in.CommonMetadata, &out.CommonMetadata
+		*out = new(CommonMetadata)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]meta.NamespacedObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Decryption != nil {
+		in, out := &in.Decryption, &out.Decryption
+		*out = new(Decryption)
+		(*in).DeepCopyInto(*out)
+	}
+	out.Interval = in.Interval
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	if in.KubeConfig != nil {
+		in, out := &in.KubeConfig, &out.KubeConfig
+		*out = new(meta.KubeConfigReference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PostBuild != nil {
+		in, out := &in.PostBuild, &out.PostBuild
+		*out = new(PostBuild)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.HealthChecks != nil {
+		in, out := &in.HealthChecks, &out.HealthChecks
+		*out = make([]meta.NamespacedObjectKindReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Patches != nil {
+		in, out := &in.Patches, &out.Patches
+		*out = make([]kustomize.Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PatchesStrategicMerge != nil {
+		in, out := &in.PatchesStrategicMerge, &out.PatchesStrategicMerge
+		*out = make([]apiextensionsv1.JSON, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PatchesJSON6902 != nil {
+		in, out := &in.PatchesJSON6902, &out.PatchesJSON6902
+		*out = make([]kustomize.JSON6902Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Images != nil {
+		in, out := &in.Images, &out.Images
+		*out = make([]kustomize.Image, len(*in))
+		copy(*out, *in)
+	}
+	out.SourceRef = in.SourceRef
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationSpec.
+func (in *KustomizationSpec) DeepCopy() *KustomizationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationStatus) DeepCopyInto(out *KustomizationStatus) {
+	*out = *in
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Inventory != nil {
+		in, out := &in.Inventory, &out.Inventory
+		*out = new(ResourceInventory)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationStatus.
+func (in *KustomizationStatus) DeepCopy() *KustomizationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PostBuild) DeepCopyInto(out *PostBuild) {
+	*out = *in
+	if in.Substitute != nil {
+		in, out := &in.Substitute, &out.Substitute
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.SubstituteFrom != nil {
+		in, out := &in.SubstituteFrom, &out.SubstituteFrom
+		*out = make([]SubstituteReference, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostBuild.
+func (in *PostBuild) DeepCopy() *PostBuild {
+	if in == nil {
+		return nil
+	}
+	out := new(PostBuild)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceInventory) DeepCopyInto(out *ResourceInventory) {
+	*out = *in
+	if in.Entries != nil {
+		in, out := &in.Entries, &out.Entries
+		*out = make([]ResourceRef, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceInventory.
+func (in *ResourceInventory) DeepCopy() *ResourceInventory {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceInventory)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRef) DeepCopyInto(out *ResourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRef.
+func (in *ResourceRef) DeepCopy() *ResourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubstituteReference) DeepCopyInto(out *SubstituteReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubstituteReference.
+func (in *SubstituteReference) DeepCopy() *SubstituteReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SubstituteReference)
+	in.DeepCopyInto(out)
+	return out
+}
--- a/config/crd/bases/kustomize.fluxcd.io_kustomizations.yaml
+++ b/config/crd/bases/kustomize.fluxcd.io_kustomizations.yaml
@ -1,222 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
-  creationTimestamp: null
-  name: kustomizations.kustomize.fluxcd.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.conditions[?(@.type=="Ready")].status
-    name: Ready
-    type: string
-  - JSONPath: .status.conditions[?(@.type=="Ready")].message
-    name: Status
-    type: string
-  - JSONPath: .metadata.creationTimestamp
-    name: Age
-    type: date
-  group: kustomize.fluxcd.io
-  names:
-    kind: Kustomization
-    listKind: KustomizationList
-    plural: kustomizations
-    singular: kustomization
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: Kustomization is the Schema for the kustomizations API.
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: KustomizationSpec defines the desired state of a kustomization.
-          properties:
-            dependsOn:
-              description: A list of kustomizations that must be ready before this
-                kustomization can be applied.
-              items:
-                type: string
-              type: array
-            healthChecks:
-              description: A list of workloads (Deployments, DaemonSets and StatefulSets)
-                to be included in the health assessment.
-              items:
-                description: WorkloadReference defines a reference to a Deployment,
-                  DaemonSet or StatefulSet.
-                properties:
-                  kind:
-                    description: Kind is the type of resource being referenced.
-                    enum:
-                    - Deployment
-                    - DaemonSet
-                    - StatefulSet
-                    type: string
-                  name:
-                    description: Name is the name of resource being referenced.
-                    type: string
-                  namespace:
-                    description: Namespace is the namespace of resource being referenced.
-                    type: string
-                required:
-                - kind
-                - name
-                - namespace
-                type: object
-              type: array
-            interval:
-              description: The interval at which to apply the kustomization.
-              type: string
-            path:
-              description: Path to the directory containing the kustomization file.
-              pattern: ^\./
-              type: string
-            prune:
-              description: Enables garbage collection.
-              type: boolean
-            serviceAccount:
-              description: The Kubernetes service account used for applying the kustomization.
-              properties:
-                name:
-                  description: Name is the name of the service account being referenced.
-                  type: string
-                namespace:
-                  description: Namespace is the namespace of the service account being
-                    referenced.
-                  type: string
-              required:
-              - name
-              - namespace
-              type: object
-            sourceRef:
-              description: Reference of the source where the kustomization file is.
-              properties:
-                apiGroup:
-                  description: APIGroup is the group for the resource being referenced.
-                    If APIGroup is not specified, the specified Kind must be in the
-                    core API group. For any other third-party types, APIGroup is required.
-                  type: string
-                kind:
-                  description: Kind is the type of resource being referenced
-                  type: string
-                name:
-                  description: Name is the name of resource being referenced
-                  type: string
-              required:
-              - kind
-              - name
-              type: object
-            suspend:
-              description: This flag tells the controller to suspend subsequent kustomize
-                executions, it does not apply to already started executions. Defaults
-                to false.
-              type: boolean
-            timeout:
-              description: Timeout for validation, apply and health checking operations.
-                Defaults to 'Interval' duration.
-              type: string
-            validation:
-              description: Validate the Kubernetes objects before applying them on
-                the cluster. The validation strategy can be 'client' (local dry-run)
-                or 'server' (APIServer dry-run).
-              enum:
-              - client
-              - server
-              type: string
-          required:
-          - interval
-          - path
-          - prune
-          - sourceRef
-          type: object
-        status:
-          description: KustomizationStatus defines the observed state of a kustomization.
-          properties:
-            conditions:
-              items:
-                description: Condition contains condition information for a kustomization.
-                properties:
-                  lastTransitionTime:
-                    description: LastTransitionTime is the timestamp corresponding
-                      to the last status change of this condition.
-                    format: date-time
-                    type: string
-                  message:
-                    description: Message is a human readable description of the details
-                      of the last transition, complementing reason.
-                    type: string
-                  reason:
-                    description: Reason is a brief machine readable explanation for
-                      the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of ('True', 'False',
-                      'Unknown').
-                    type: string
-                  type:
-                    description: Type of the condition, currently ('Ready').
-                    type: string
-                required:
-                - status
-                - type
-                type: object
-              type: array
-            lastAppliedRevision:
-              description: The last successfully applied revision. The revision format
-                for Git sources is <branch|tag>/<commit-sha>.
-              type: string
-            snapshot:
-              description: The last successfully applied revision metadata.
-              properties:
-                entries:
-                  description: A list of Kubernetes kinds grouped by namespace.
-                  items:
-                    description: Snapshot holds the metadata of namespaced Kubernetes
-                      objects
-                    properties:
-                      kinds:
-                        additionalProperties:
-                          type: string
-                        description: The list of Kubernetes kinds.
-                        type: object
-                      namespace:
-                        description: The namespace of this entry.
-                        type: string
-                    required:
-                    - kinds
-                    type: object
-                  type: array
-                revision:
-                  description: The source revision.
-                  type: string
-              required:
-              - entries
-              - revision
-              type: object
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/kustomize.fluxcd.io_profiles.yaml
+++ b/config/crd/bases/kustomize.fluxcd.io_profiles.yaml
@ -1,133 +0,0 @@
-
---
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
-  creationTimestamp: null
-  name: profiles.kustomize.fluxcd.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.conditions[?(@.type=="Ready")].status
-    name: Ready
-    type: string
-  - JSONPath: .status.conditions[?(@.type=="Ready")].message
-    name: Status
-    type: string
-  - JSONPath: .metadata.creationTimestamp
-    name: Age
-    type: date
-  group: kustomize.fluxcd.io
-  names:
-    kind: Profile
-    listKind: ProfileList
-    plural: profiles
-    singular: profile
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      description: Profile is the Schema for the profiles API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: ProfileSpec defines the desired state of Profile
-          properties:
-            alert:
-              description: Alerting configuration of the kustomizations targeted by
-                this profile.
-              properties:
-                address:
-                  description: HTTP(S) webhook address of this provider
-                  type: string
-                channel:
-                  description: Alert channel for this provider
-                  type: string
-                type:
-                  description: Type of provider
-                  enum:
-                  - slack
-                  - discord
-                  type: string
-                username:
-                  description: Bot username for this provider
-                  type: string
-                verbosity:
-                  description: Filter alerts based on verbosity level, defaults to
-                    ('error').
-                  enum:
-                  - info
-                  - error
-                  type: string
-              required:
-              - address
-              - channel
-              - type
-              - username
-              type: object
-            kustomizations:
-              description: The list of kustomizations that this profile applies to.
-              items:
-                type: string
-              type: array
-          required:
-          - kustomizations
-          type: object
-        status:
-          description: ProfileStatus defines the observed state of Profile
-          properties:
-            conditions:
-              items:
-                description: Condition contains condition information for a kustomization.
-                properties:
-                  lastTransitionTime:
-                    description: LastTransitionTime is the timestamp corresponding
-                      to the last status change of this condition.
-                    format: date-time
-                    type: string
-                  message:
-                    description: Message is a human readable description of the details
-                      of the last transition, complementing reason.
-                    type: string
-                  reason:
-                    description: Reason is a brief machine readable explanation for
-                      the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of ('True', 'False',
-                      'Unknown').
-                    type: string
-                  type:
-                    description: Type of the condition, currently ('Ready').
-                    type: string
-                required:
-                - status
-                - type
-                type: object
-              type: array
-          type: object
-      type: object
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
--- a/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml
+++ b/config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- bases/kustomize.fluxcd.io_kustomizations.yaml
- bases/kustomize.fluxcd.io_profiles.yaml
+- bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml
 # +kubebuilder:scaffold:crdkustomizeresource

--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
-bases:
+resources:
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager
-resources:
-  - namespace.yaml
-
+- namespace.yaml
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@ -15,9 +15,13 @@ spec:
        app: kustomize-controller
      annotations:
        prometheus.io/scrape: "true"
-        prometheus.io/port: "8282"
+        prometheus.io/port: "8080"
    spec:
-      terminationGracePeriodSeconds: 10
+      terminationGracePeriodSeconds: 60
+      # Required for AWS IAM Role bindings
+      # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
+      securityContext:
+        fsGroup: 1337
      containers:
      - name: manager
        image: fluxcd/kustomize-controller
@ -25,16 +29,37 @@ spec:
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop: [ "ALL" ]
+          seccompProfile:
+            type: RuntimeDefault
+
        ports:
-          - containerPort: 8282
+          - containerPort: 8080
            name: http-prom
+            protocol: TCP
+          - containerPort: 9440
+            name: healthz
+            protocol: TCP
+        env:
+          - name: RUNTIME_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        args:
+          - --watch-all-namespaces
+          - --log-level=info
+          - --log-encoding=json
+          - --enable-leader-election
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: healthz
        livenessProbe:
          httpGet:
-            port: http-prom
-            path: /metrics
-        args:
-        - --enable-leader-election
-        - --log-json
+            path: /healthz
+            port: healthz
        resources:
          limits:
            cpu: 1000m
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@ -5,4 +5,4 @@ resources:
 images:
  - name: fluxcd/kustomize-controller
    newName: fluxcd/kustomize-controller
-    newTag: v0.0.1-alpha.7
+    newTag: v1.6.0
--- a/config/rbac/kustomization_editor_role.yaml
+++ b/config/rbac/kustomization_editor_role.yaml
@ -5,7 +5,7 @@ metadata:
  name: kustomization-editor-role
 rules:
 - apiGroups:
-  - kustomize.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations
  verbs:
@ -17,7 +17,7 @@ rules:
  - update
  - watch
 - apiGroups:
-  - kustomize.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations/status
  verbs:
--- a/config/rbac/kustomization_viewer_role.yaml
+++ b/config/rbac/kustomization_viewer_role.yaml
@ -5,7 +5,7 @@ metadata:
  name: kustomization-viewer-role
 rules:
 - apiGroups:
-  - kustomize.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations
  verbs:
@ -13,7 +13,7 @@ rules:
  - list
  - watch
 - apiGroups:
-  - kustomize.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations/status
  verbs:
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@ -4,29 +4,41 @@ kind: Role
 metadata:
  name: leader-election-role
 rules:
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - ""
-  resources:
-  - configmaps/status
-  verbs:
-  - get
-  - update
-  - patch
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
--- a/config/rbac/profile_editor_role.yaml
+++ b/config/rbac/profile_editor_role.yaml
@ -1,24 +0,0 @@
-# permissions for end users to edit profiles.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: profile-editor-role
-rules:
- apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles/status
-  verbs:
-  - get
--- a/config/rbac/profile_viewer_role.yaml
+++ b/config/rbac/profile_viewer_role.yaml
@ -1,20 +0,0 @@
-# permissions for end users to view profiles.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: profile-viewer-role
-rules:
- apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles/status
-  verbs:
-  - get
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -1,13 +1,34 @@
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
  name: manager-role
 rules:
 - apiGroups:
-  - kustomize.fluxcd.io
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations
  verbs:
@ -19,7 +40,17 @@ rules:
  - update
  - watch
 - apiGroups:
-  - kustomize.fluxcd.io
+  - kustomize.toolkit.fluxcd.io
+  resources:
+  - kustomizations/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kustomize.toolkit.fluxcd.io
  resources:
  - kustomizations/status
  verbs:
@ -27,36 +58,20 @@ rules:
  - patch
  - update
 - apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - kustomize.fluxcd.io
-  resources:
-  - profiles/status
-  verbs:
-  - get
-  - patch
-  - update
- apiGroups:
-  - source.fluxcd.io
+  - source.toolkit.fluxcd.io
  resources:
+  - buckets
  - gitrepositories
+  - ocirepositories
  verbs:
  - get
  - list
  - watch
 - apiGroups:
-  - source.fluxcd.io
+  - source.toolkit.fluxcd.io
  resources:
+  - buckets/status
  - gitrepositories/status
+  - ocirepositories/status
  verbs:
  - get
--- a/config/samples/kustomize_v1alpha1_kustomization.yaml
+++ b/config/samples/kustomize_v1alpha1_kustomization.yaml
@ -1,4 +1,4 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: webapp-dev
@ -9,17 +9,10 @@ spec:
  sourceRef:
    kind: GitRepository
    name: webapp-latest
-  validation: client
-  healthChecks:
-    - kind: Deployment
-      name: backend
-      namespace: webapp
-    - kind: Deployment
-      name: frontend
-      namespace: webapp
+  wait: true
  timeout: 2m
 ---
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: webapp-production
@ -30,7 +23,6 @@ spec:
  sourceRef:
    kind: GitRepository
    name: webapp-releases
-  validation: client
  healthChecks:
    - kind: Deployment
      name: backend
--- a/config/samples/kustomize_v1alpha1_profile.yaml
+++ b/config/samples/kustomize_v1alpha1_profile.yaml
@ -1,13 +0,0 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Profile
-metadata:
-  name: default
-spec:
-  alert:
-    type: slack
-    address: https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
-    username: kustomize-controller
-    channel: general
-    verbosity: info
-  kustomizations:
-    - '*'
--- a/config/samples/source_v1alpha1_gitrepository.yaml
+++ b/config/samples/source_v1alpha1_gitrepository.yaml
@ -1,4 +1,4 @@
-apiVersion: source.fluxcd.io/v1alpha1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: webapp-latest
@ -8,7 +8,7 @@ spec:
  ref:
    branch: master
 ---
-apiVersion: source.fluxcd.io/v1alpha1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: webapp-releases
--- a/config/testdata/crds-crs/cert-manager.yaml
+++ b/config/testdata/crds-crs/cert-manager.yaml
@ -0,0 +1,23 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: certs
+spec:
+  interval: 15m
+  url: https://github.com/stefanprodan/kustomizer
+  ref:
+    tag: "v1.1.0"
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: certs
+spec:
+  interval: 10m
+  path: "./testdata/certs"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: certs
+  wait: true
+  timeout: 2m
--- a/config/testdata/dependencies/backend.yaml
+++ b/config/testdata/dependencies/backend.yaml
@ -1,19 +1,18 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: backend
 spec:
  dependsOn:
-    - common
+    - name: common
  interval: 5m
  path: "./deploy/webapp/backend/"
  prune: true
  sourceRef:
    kind: GitRepository
    name: webapp
-  validate: server
  healthChecks:
    - kind: Deployment
      name: backend
      namespace: webapp
-  timeout: 2m
+  timeout: 2m
--- a/config/testdata/dependencies/common.yaml
+++ b/config/testdata/dependencies/common.yaml
@ -1,4 +1,4 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: common
@ -9,4 +9,3 @@ spec:
  sourceRef:
    kind: GitRepository
    name: webapp
-  validate: client
--- a/config/testdata/dependencies/frontend.yaml
+++ b/config/testdata/dependencies/frontend.yaml
@ -1,20 +1,19 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: frontend
 spec:
  dependsOn:
-    - common
-    - backend
+    - name: common
+    - name: backend
  interval: 5m
  path: "./deploy/webapp/frontend/"
  prune: true
  sourceRef:
    kind: GitRepository
    name: webapp
-  validate: server
  healthChecks:
    - kind: Deployment
      name: frontend
      namespace: webapp
-  timeout: 2m
+  timeout: 2m
--- a/config/testdata/dependencies/source.yaml
+++ b/config/testdata/dependencies/source.yaml
@ -1,4 +1,4 @@
-apiVersion: source.fluxcd.io/v1alpha1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: webapp
@ -6,4 +6,4 @@ spec:
  interval: 10m
  url: https://github.com/stefanprodan/podinfo
  ref:
-    semver: ">=3.2.3"
+    semver: ">=6.3.5"
--- a/config/testdata/impersonation/test.yaml
+++ b/config/testdata/impersonation/test.yaml
@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: impersonation
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gotk-reconciler
+  namespace: impersonation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gotk-reconciler
+  namespace: impersonation
+rules:
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gotk-reconciler
+  namespace: impersonation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gotk-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: gotk-reconciler
+    namespace: impersonation
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: impersonation
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    tag: "6.3.5"
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: impersonation
+spec:
+  targetNamespace: impersonation
+  serviceAccountName: gotk-reconciler
+  interval: 5m
+  path: "./kustomize"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  patches:
+    - patch: |
+        apiVersion: autoscaling/v2
+        kind: HorizontalPodAutoscaler
+        metadata:
+          name: podinfo
+        spec:
+          minReplicas: 1
+      target:
+        kind: HorizontalPodAutoscaler
+  wait: true
+  timeout: 1m
--- a/config/testdata/managed-fields/podinfo.yaml
+++ b/config/testdata/managed-fields/podinfo.yaml
@ -0,0 +1,23 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+spec:
+  interval: 15m
+  path: "./kustomize/"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  timeout: 1m
+  targetNamespace: managed-fields
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: podinfo
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    semver: "6.3.5"
--- a/config/testdata/oci/podinfo.yaml
+++ b/config/testdata/oci/podinfo.yaml
@ -0,0 +1,37 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: oci
+  namespace: oci
+spec:
+  interval: 10m
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  ref:
+    tag: "6.3.5"
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: oci
+  namespace: oci
+spec:
+  targetNamespace: oci
+  interval: 10m
+  path: "./"
+  prune: true
+  sourceRef:
+    kind: OCIRepository
+    name: oci
+  wait: true
+  timeout: 2m
+  patches:
+    - patch: |-
+        apiVersion: autoscaling/v2
+        kind: HorizontalPodAutoscaler
+        metadata:
+          name: podinfo
+        spec:
+          minReplicas: 1
+      target:
+        name: podinfo
+        kind: HorizontalPodAutoscaler
--- a/config/testdata/overlays/production.yaml
+++ b/config/testdata/overlays/production.yaml
@ -1,4 +1,4 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: webapp-production
@ -9,7 +9,6 @@ spec:
  sourceRef:
    kind: GitRepository
    name: webapp-releases
-  validation: client
  healthChecks:
    - kind: Deployment
      name: backend
@ -19,7 +18,7 @@ spec:
      namespace: production
  timeout: 2m
 ---
-apiVersion: source.fluxcd.io/v1alpha1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: webapp-releases
@ -27,4 +26,4 @@ spec:
  interval: 5m
  url: https://github.com/stefanprodan/podinfo
  ref:
-    semver: ">=3.2.3"
+    semver: ">=6.3.5"
--- a/config/testdata/overlays/staging.yaml
+++ b/config/testdata/overlays/staging.yaml
@ -1,4 +1,4 @@
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: webapp-staging
@ -9,7 +9,6 @@ spec:
  sourceRef:
    kind: GitRepository
    name: webapp-releases
-  validation: client
  healthChecks:
    - kind: Deployment
      name: backend
@ -19,7 +18,7 @@ spec:
      namespace: staging
  timeout: 2m
 ---
-apiVersion: source.fluxcd.io/v1alpha1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: webapp-latest
--- a/config/testdata/status-defaults/empty-kustomization.yaml
+++ b/config/testdata/status-defaults/empty-kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: status-defaults
--- a/controllers/gitrepository_controller.go
+++ b/controllers/gitrepository_controller.go
@ -1,119 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"strings"
-	"time"
-
-	"github.com/go-logr/logr"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/util/retry"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
-)
-
-// KustomizationReconciler watches a GitRepository object
-type GitRepositoryWatcher struct {
-	client.Client
-	Log    logr.Logger
-	Scheme *runtime.Scheme
-}
-
-// +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories,verbs=get;list;watch
-// +kubebuilder:rbac:groups=source.fluxcd.io,resources=gitrepositories/status,verbs=get
-
-func (r *GitRepositoryWatcher) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-	defer cancel()
-
-	var repo sourcev1.GitRepository
-	if err := r.Get(ctx, req.NamespacedName, &repo); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	log := r.Log.WithValues(strings.ToLower(repo.Kind), req.NamespacedName)
-	log.Info("New artifact detected")
-
-	// get the list of kustomizations that are using this Git repository
-	var list kustomizev1.KustomizationList
-	if err := r.List(ctx, &list, client.InNamespace(req.Namespace),
-		client.MatchingFields{kustomizev1.SourceIndexKey: req.Name}); err != nil {
-		log.Error(err, "unable to list kustomizations")
-		return ctrl.Result{}, err
-	}
-
-	// trigger apply for each kustomization using this Git repository
-	for _, kustomization := range list.Items {
-		if err := r.updateKustomization(kustomization); err != nil {
-			log.Error(err, "unable to annotate kustomization", "kustomization", kustomization.GetName())
-		}
-		log.Info("Run kustomization", "kustomization", kustomization.GetName())
-	}
-
-	return ctrl.Result{}, nil
-}
-
-func (r *GitRepositoryWatcher) SetupWithManager(mgr ctrl.Manager) error {
-	// create a kustomization index based on Git repository name
-	err := mgr.GetFieldIndexer().IndexField(&kustomizev1.Kustomization{}, kustomizev1.SourceIndexKey,
-		func(rawObj runtime.Object) []string {
-			k := rawObj.(*kustomizev1.Kustomization)
-			if k.Spec.SourceRef.Kind == "GitRepository" {
-				return []string{k.Spec.SourceRef.Name}
-			}
-			return nil
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&sourcev1.GitRepository{}).
-		WithEventFilter(GitRepositoryRevisionChangePredicate{}).
-		Complete(r)
-}
-
-func (r *GitRepositoryWatcher) updateKustomization(kustomization kustomizev1.Kustomization) error {
-	firstTry := true
-	return retry.RetryOnConflict(retry.DefaultBackoff, func() (err error) {
-		if !firstTry {
-			if err := r.Get(context.TODO(),
-				types.NamespacedName{Namespace: kustomization.Namespace, Name: kustomization.Name},
-				&kustomization,
-			); err != nil {
-				return err
-			}
-		}
-
-		firstTry = false
-		kustomization.Annotations[kustomizev1.SyncAtAnnotation] = metav1.Now().String()
-		if kustomization.Spec.SourceRef.APIGroup == nil {
-			emptyAPIGroup := ""
-			kustomization.Spec.SourceRef.APIGroup = &emptyAPIGroup
-		}
-		err = r.Update(context.TODO(), &kustomization)
-		return
-	})
-}
--- a/controllers/gitrepository_predicate.go
+++ b/controllers/gitrepository_predicate.go
@ -1,63 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-
-	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
-)
-
-type GitRepositoryRevisionChangePredicate struct {
-	predicate.Funcs
-}
-
-func (GitRepositoryRevisionChangePredicate) Update(e event.UpdateEvent) bool {
-	if e.MetaOld == nil || e.MetaNew == nil {
-		return false
-	}
-
-	oldRepo, ok := e.ObjectOld.(*sourcev1.GitRepository)
-	if !ok {
-		return false
-	}
-
-	newRepo, ok := e.ObjectNew.(*sourcev1.GitRepository)
-	if !ok {
-		return false
-	}
-
-	if oldRepo.GetArtifact() == nil && newRepo.GetArtifact() != nil {
-		return true
-	}
-
-	if oldRepo.GetArtifact() != nil && newRepo.GetArtifact() != nil &&
-		oldRepo.GetArtifact().Revision != newRepo.GetArtifact().Revision {
-		return true
-	}
-
-	return false
-}
-
-func (GitRepositoryRevisionChangePredicate) Create(e event.CreateEvent) bool {
-	return false
-}
-
-func (GitRepositoryRevisionChangePredicate) Delete(e event.DeleteEvent) bool {
-	return false
-}
--- a/controllers/kustomization_controller.go
+++ b/controllers/kustomization_controller.go
@ -1,654 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"sigs.k8s.io/yaml"
-	"strings"
-	"time"
-
-	"github.com/go-logr/logr"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	kustypes "sigs.k8s.io/kustomize/api/types"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
-	"github.com/fluxcd/kustomize-controller/internal/alert"
-	"github.com/fluxcd/kustomize-controller/internal/lockedfile"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1alpha1"
-)
-
-// KustomizationReconciler reconciles a Kustomization object
-type KustomizationReconciler struct {
-	client.Client
-	Log    logr.Logger
-	Scheme *runtime.Scheme
-}
-
-// +kubebuilder:rbac:groups=kustomize.fluxcd.io,resources=kustomizations,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=kustomize.fluxcd.io,resources=kustomizations/status,verbs=get;update;patch
-
-func (r *KustomizationReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-	ctx := context.Background()
-	syncStart := time.Now()
-
-	var kustomization kustomizev1.Kustomization
-	if err := r.Get(ctx, req.NamespacedName, &kustomization); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	log := r.Log.WithValues(strings.ToLower(kustomization.Kind), req.NamespacedName)
-
-	kustomization = kustomizev1.KustomizationProgressing(kustomization)
-	if err := r.Status().Update(ctx, &kustomization); err != nil {
-		log.Error(err, "unable to update Kustomization status")
-		return ctrl.Result{Requeue: true}, err
-	}
-
-	if kustomization.Spec.Suspend {
-		msg := "Kustomization is suspended, skipping execution"
-		kustomization = kustomizev1.KustomizationNotReady(kustomization, kustomizev1.SuspendedReason, msg)
-		if err := r.Status().Update(ctx, &kustomization); err != nil {
-			log.Error(err, "unable to update Kustomization status")
-			return ctrl.Result{Requeue: true}, err
-		}
-		log.Info(msg)
-		return ctrl.Result{}, nil
-	}
-
-	var source sourcev1.Source
-
-	// get artifact source from Git repository
-	if kustomization.Spec.SourceRef.Kind == "GitRepository" {
-		var repository sourcev1.GitRepository
-		repositoryName := types.NamespacedName{
-			Namespace: kustomization.GetNamespace(),
-			Name:      kustomization.Spec.SourceRef.Name,
-		}
-		err := r.Client.Get(ctx, repositoryName, &repository)
-		if err != nil {
-			log.Error(err, "GitRepository not found", "gitrepository", repositoryName)
-			return ctrl.Result{Requeue: true}, err
-		}
-		source = &repository
-	}
-
-	if source == nil {
-		err := fmt.Errorf("source `%s` kind '%s' not supported",
-			kustomization.Spec.SourceRef.Name, kustomization.Spec.SourceRef.Kind)
-		return ctrl.Result{}, err
-	}
-
-	// check source readiness
-	if source.GetArtifact() == nil {
-		msg := "Source is not ready"
-		kustomization = kustomizev1.KustomizationNotReady(kustomization, kustomizev1.ArtifactFailedReason, msg)
-		if err := r.Status().Update(ctx, &kustomization); err != nil {
-			log.Error(err, "unable to update Kustomization status")
-			return ctrl.Result{Requeue: true}, err
-		}
-		log.Info(msg)
-		return ctrl.Result{}, nil
-	}
-
-	// check dependencies
-	if len(kustomization.Spec.DependsOn) > 0 {
-		if err := r.checkDependencies(kustomization); err != nil {
-			kustomization = kustomizev1.KustomizationNotReady(kustomization, kustomizev1.DependencyNotReadyReason, err.Error())
-			if err := r.Status().Update(ctx, &kustomization); err != nil {
-				log.Error(err, "unable to update Kustomization status")
-				return ctrl.Result{Requeue: true}, err
-			}
-			// we can't rely on exponential backoff because it will prolong the execution too much,
-			// instead we requeue every half a minute.
-			requeueAfter := 30 * time.Second
-			msg := fmt.Sprintf("Dependencies do not meet ready condition, retrying in %s", requeueAfter.String())
-			log.Error(err, msg)
-			r.alert(kustomization, msg, "info")
-			return ctrl.Result{RequeueAfter: requeueAfter}, nil
-		}
-		log.Info("All dependencies area ready, proceeding with apply")
-	}
-
-	// try sync
-	syncedKustomization, err := r.sync(*kustomization.DeepCopy(), source)
-	if err != nil {
-		log.Error(err, "Kustomization apply failed", "revision", source.GetArtifact().Revision)
-		r.alert(kustomization, err.Error(), "error")
-	}
-
-	// update status
-	if err := r.Status().Update(ctx, &syncedKustomization); err != nil {
-		log.Error(err, "unable to update Kustomization status after sync")
-		return ctrl.Result{Requeue: true}, err
-	}
-
-	// log sync duration
-	log.Info(fmt.Sprintf("Kustomization sync finished in %s, next run in %s",
-		time.Now().Sub(syncStart).String(),
-		kustomization.Spec.Interval.Duration.String(),
-	))
-
-	// requeue kustomization
-	return ctrl.Result{RequeueAfter: kustomization.Spec.Interval.Duration}, nil
-}
-
-func (r *KustomizationReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&kustomizev1.Kustomization{}).
-		WithEventFilter(KustomizationGarbageCollectPredicate{Log: r.Log}).
-		WithEventFilter(KustomizationSyncAtPredicate{}).
-		WithOptions(controller.Options{MaxConcurrentReconciles: 4}).
-		Complete(r)
-}
-
-func (r *KustomizationReconciler) sync(
-	kustomization kustomizev1.Kustomization,
-	source sourcev1.Source) (kustomizev1.Kustomization, error) {
-	// acquire lock
-	unlock, err := r.lock(fmt.Sprintf("%s-%s", kustomization.GetName(), kustomization.GetNamespace()))
-	if err != nil {
-		err = fmt.Errorf("tmp dir error: %w", err)
-		return kustomizev1.KustomizationNotReady(kustomization, sourcev1.StorageOperationFailedReason, err.Error()), err
-	}
-	defer unlock()
-
-	// create tmp dir
-	tmpDir, err := ioutil.TempDir("", kustomization.Name)
-	if err != nil {
-		err = fmt.Errorf("tmp dir error: %w", err)
-		return kustomizev1.KustomizationNotReady(kustomization, sourcev1.StorageOperationFailedReason, err.Error()), err
-	}
-	defer os.RemoveAll(tmpDir)
-
-	// download artifact and extract files
-	err = r.download(kustomization, source.GetArtifact().URL, tmpDir)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.ArtifactFailedReason,
-			"artifact acquisition failed",
-		), err
-	}
-
-	dirPath := path.Join(tmpDir, kustomization.Spec.Path)
-	// check build path exists
-	if _, err := os.Stat(dirPath); err != nil {
-		err = fmt.Errorf("kustomization path not found: %w", err)
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.ArtifactFailedReason,
-			err.Error(),
-		), err
-	}
-
-	// generate kustomization.yaml
-	err = r.generate(kustomization, source.GetArtifact().Revision, dirPath)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.BuildFailedReason,
-			"kustomize create failed",
-		), err
-	}
-
-	// kustomize build
-	snapshot, err := r.build(kustomization, source.GetArtifact().Revision, dirPath)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.BuildFailedReason,
-			"kustomize build failed",
-		), err
-	}
-
-	// dry-run apply
-	err = r.validate(kustomization, dirPath)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.ValidationFailedReason,
-			fmt.Sprintf("%s-side validation failed", kustomization.Spec.Validation),
-		), err
-	}
-
-	// apply
-	err = r.apply(kustomization, dirPath)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.ApplyFailedReason,
-			"apply failed",
-		), err
-	}
-
-	// prune
-	err = r.prune(kustomization, snapshot)
-	if err != nil {
-		return kustomizev1.KustomizationNotReady(
-			kustomization,
-			kustomizev1.PruneFailedReason,
-			err.Error(),
-		), err
-	}
-
-	// health assessment
-	err = r.checkHealth(kustomization)
-	if err != nil {
-		return kustomizev1.KustomizationNotReadySnapshot(
-			kustomization,
-			snapshot,
-			kustomizev1.HealthCheckFailedReason,
-			"health check failed",
-		), err
-	}
-
-	return kustomizev1.KustomizationReady(
-		kustomization,
-		snapshot,
-		source.GetArtifact().Revision,
-		kustomizev1.ApplySucceedReason,
-		"kustomization was successfully applied",
-	), nil
-}
-
-func (r *KustomizationReconciler) download(kustomization kustomizev1.Kustomization, url string, tmpDir string) error {
-	timeout := kustomization.GetTimeout() + (time.Second * 1)
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	cmd := fmt.Sprintf("cd %s && curl -sL %s -o artifact.tar.gz && tar -xzf artifact.tar.gz --strip-components=1 -C .",
-		tmpDir, url)
-	command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-	output, err := command.CombinedOutput()
-	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
-			return err
-		}
-		return fmt.Errorf("artifact `%s` download failed: %s", url, string(output))
-	}
-	return nil
-}
-
-func (r *KustomizationReconciler) generate(kustomization kustomizev1.Kustomization, revision, dirPath string) error {
-	kfile := filepath.Join(dirPath, kustomizationFileName)
-
-	if _, err := os.Stat(kfile); err != nil {
-		timeout := kustomization.GetTimeout() + (time.Second * 1)
-		ctx, cancel := context.WithTimeout(context.Background(), timeout)
-		defer cancel()
-
-		cmd := fmt.Sprintf("cd %s && kustomize create --autodetect --recursive", dirPath)
-		command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-		output, err := command.CombinedOutput()
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) {
-				return err
-			}
-			return fmt.Errorf("kustomize create failed: %s", string(output))
-		}
-	}
-
-	if err := r.generateLabelTransformer(kustomization, revision, dirPath); err != nil {
-		return err
-	}
-
-	data, err := ioutil.ReadFile(kfile)
-	if err != nil {
-		return err
-	}
-
-	kus := kustypes.Kustomization{
-		TypeMeta: kustypes.TypeMeta{
-			APIVersion: kustypes.KustomizationVersion,
-			Kind:       kustypes.KustomizationKind,
-		},
-	}
-
-	if err := yaml.Unmarshal(data, &kus); err != nil {
-		return err
-	}
-
-	if len(kus.Transformers) == 0 {
-		kus.Transformers = []string{transformerFileName}
-	} else {
-		var exists bool
-		for _, transformer := range kus.Transformers {
-			if transformer == transformerFileName {
-				exists = true
-				break
-			}
-		}
-		if !exists {
-			kus.Transformers = append(kus.Transformers, transformerFileName)
-		}
-	}
-
-	kd, err := yaml.Marshal(kus)
-	if err != nil {
-		return err
-	}
-
-	return ioutil.WriteFile(kfile, kd, os.ModePerm)
-}
-
-func (r *KustomizationReconciler) generateLabelTransformer(kustomization kustomizev1.Kustomization, revision, dirPath string) error {
-	var lt = struct {
-		ApiVersion string `json:"apiVersion" yaml:"apiVersion"`
-		Kind       string `json:"kind" yaml:"kind"`
-		Metadata   struct {
-			Name string `json:"name" yaml:"name"`
-		} `json:"metadata" yaml:"metadata"`
-		Labels     map[string]string    `json:"labels,omitempty" yaml:"labels,omitempty"`
-		FieldSpecs []kustypes.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-	}{
-		ApiVersion: "builtin",
-		Kind:       "LabelTransformer",
-		Metadata: struct {
-			Name string `json:"name" yaml:"name"`
-		}{
-			Name: kustomization.GetName(),
-		},
-		Labels: gcLabels(kustomization.GetName(), kustomization.GetNamespace(), revision),
-		FieldSpecs: []kustypes.FieldSpec{
-			{Path: "metadata/labels", CreateIfNotPresent: true},
-		},
-	}
-
-	data, err := yaml.Marshal(lt)
-	if err != nil {
-		return err
-	}
-
-	labelsFile := filepath.Join(dirPath, transformerFileName)
-	if err := ioutil.WriteFile(labelsFile, data, os.ModePerm); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (r *KustomizationReconciler) build(kustomization kustomizev1.Kustomization, revision, dirPath string) (*kustomizev1.Snapshot, error) {
-	timeout := kustomization.GetTimeout() + (time.Second * 1)
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	cmd := fmt.Sprintf("cd %s && kustomize build . > %s.yaml",
-		dirPath, kustomization.GetUID())
-	command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-	output, err := command.CombinedOutput()
-	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
-			return nil, err
-		}
-		return nil, fmt.Errorf("kustomize build failed: %s", string(output))
-	}
-
-	manifestsFile := filepath.Join(dirPath, fmt.Sprintf("%s.yaml", kustomization.GetUID()))
-	data, err := ioutil.ReadFile(manifestsFile)
-	if err != nil {
-		return nil, err
-	}
-
-	return kustomizev1.NewSnapshot(data, revision)
-}
-
-func (r *KustomizationReconciler) validate(kustomization kustomizev1.Kustomization, dirPath string) error {
-	if kustomization.Spec.Validation == "" {
-		return nil
-	}
-
-	timeout := kustomization.GetTimeout() + (time.Second * 1)
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	cmd := fmt.Sprintf("cd %s && kubectl apply -f %s.yaml --timeout=%s --dry-run=%s",
-		dirPath, kustomization.GetUID(), kustomization.GetTimeout().String(), kustomization.Spec.Validation)
-	command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-	output, err := command.CombinedOutput()
-	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
-			return fmt.Errorf("validation timeout: %w", err)
-		}
-		return fmt.Errorf("validation failed: %s", string(output))
-	}
-	return nil
-}
-
-func (r *KustomizationReconciler) apply(kustomization kustomizev1.Kustomization, dirPath string) error {
-	start := time.Now()
-	timeout := kustomization.GetTimeout() + (time.Second * 1)
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	cmd := fmt.Sprintf("cd %s && kubectl apply -f %s.yaml --timeout=%s",
-		dirPath, kustomization.GetUID(), kustomization.Spec.Interval.Duration.String())
-
-	// impersonate SA
-	if sa := kustomization.Spec.ServiceAccount; sa != nil {
-		cmd = fmt.Sprintf("%s --as system:serviceaccount:%s:%s", cmd, sa.Namespace, sa.Name)
-	}
-
-	command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-	output, err := command.CombinedOutput()
-	if err != nil {
-		if errors.Is(err, context.DeadlineExceeded) {
-			return fmt.Errorf("apply timeout: %w", err)
-		}
-		return fmt.Errorf("apply failed: %s", string(output))
-	}
-
-	resources := r.parseApplyOutput(output)
-	r.Log.WithValues(
-		strings.ToLower(kustomization.Kind),
-		fmt.Sprintf("%s/%s", kustomization.GetNamespace(), kustomization.GetName()),
-	).Info(
-		fmt.Sprintf("Kustomization applied in %s",
-			time.Now().Sub(start).String()),
-		"output", resources,
-	)
-
-	var diff bool
-	for _, action := range resources {
-		if action != "unchanged" {
-			diff = true
-			break
-		}
-	}
-	if diff {
-		r.alert(kustomization, string(output), "info")
-	}
-	return nil
-}
-
-func (r *KustomizationReconciler) prune(kustomization kustomizev1.Kustomization, snapshot *kustomizev1.Snapshot) error {
-	if kustomization.Status.Snapshot == nil || snapshot == nil {
-		return nil
-	}
-	if kustomization.Status.Snapshot.Revision == snapshot.Revision {
-		return nil
-	}
-
-	if !prune(kustomization.GetTimeout(),
-		kustomization.GetName(),
-		kustomization.GetNamespace(),
-		kustomization.Status.Snapshot,
-		r.Log,
-	) {
-		return fmt.Errorf("pruning failed")
-	}
-	return nil
-}
-
-func (r *KustomizationReconciler) checkHealth(kustomization kustomizev1.Kustomization) error {
-	timeout := kustomization.GetTimeout() + (time.Second * 1)
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-	var alerts string
-
-	for _, check := range kustomization.Spec.HealthChecks {
-		cmd := fmt.Sprintf("kubectl -n %s rollout status %s %s --timeout=%s",
-			check.Namespace, check.Kind, check.Name, kustomization.GetTimeout())
-		command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-		output, err := command.CombinedOutput()
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) {
-				return fmt.Errorf("health check timeout for %s '%s/%s': %w",
-					check.Kind, check.Namespace, check.Name, err)
-			}
-			return fmt.Errorf("health check failed for %s '%s/%s': %s",
-				check.Kind, check.Namespace, check.Name, string(output))
-		} else {
-			msg := fmt.Sprintf("Health check passed for %s '%s/%s'",
-				check.Kind, check.Namespace, check.Name)
-			r.Log.WithValues(
-				strings.ToLower(kustomization.Kind),
-				fmt.Sprintf("%s/%s", kustomization.GetNamespace(), kustomization.GetName()),
-			).Info(msg)
-			alerts += msg + "\n"
-		}
-	}
-
-	if alerts != "" {
-		r.alert(kustomization, alerts, "info")
-	}
-	return nil
-}
-
-func (r *KustomizationReconciler) lock(name string) (unlock func(), err error) {
-	lockFile := path.Join(os.TempDir(), name+".lock")
-	mutex := lockedfile.MutexAt(lockFile)
-	return mutex.Lock()
-}
-
-func (r *KustomizationReconciler) parseApplyOutput(in []byte) map[string]string {
-	result := make(map[string]string)
-	input := strings.Split(string(in), "\n")
-	if len(input) == 0 {
-		return result
-	}
-	var parts []string
-	for _, str := range input {
-		if str != "" {
-			parts = append(parts, str)
-		}
-	}
-	for _, str := range parts {
-		kv := strings.Split(str, " ")
-		if len(kv) > 1 {
-			result[kv[0]] = kv[1]
-		}
-	}
-	return result
-}
-
-func (r *KustomizationReconciler) checkDependencies(kustomization kustomizev1.Kustomization) error {
-	for _, dep := range kustomization.Spec.DependsOn {
-		depName := types.NamespacedName{
-			Namespace: kustomization.GetNamespace(),
-			Name:      dep,
-		}
-		var k kustomizev1.Kustomization
-		err := r.Get(context.Background(), depName, &k)
-		if err != nil {
-			return fmt.Errorf("unable to get '%s' dependency: %w", depName, err)
-		}
-
-		if len(k.Status.Conditions) == 0 {
-			return fmt.Errorf("dependency '%s' is not ready", depName)
-		}
-
-		for _, condition := range k.Status.Conditions {
-			if condition.Type == kustomizev1.ReadyCondition && condition.Status != corev1.ConditionTrue {
-				return fmt.Errorf("dependency '%s' is not ready", depName)
-			}
-		}
-	}
-
-	return nil
-}
-
-func (r *KustomizationReconciler) getProfiles(kustomization kustomizev1.Kustomization) ([]kustomizev1.Profile, error) {
-	list := make([]kustomizev1.Profile, 0)
-	var profiles kustomizev1.ProfileList
-	err := r.List(context.TODO(), &profiles, client.InNamespace(kustomization.GetNamespace()))
-	if err != nil {
-		return list, err
-	}
-
-	// filter profiles that match this kustomization taking into account '*' wildcard
-	for _, profile := range profiles.Items {
-		for _, name := range profile.Spec.Kustomizations {
-			if name == kustomization.GetName() || name == "*" {
-				list = append(list, profile)
-				break
-			}
-		}
-	}
-
-	return list, nil
-}
-
-func (r *KustomizationReconciler) alert(kustomization kustomizev1.Kustomization, msg string, verbosity string) {
-	profiles, err := r.getProfiles(kustomization)
-	if err != nil {
-		r.Log.WithValues(
-			strings.ToLower(kustomization.Kind),
-			fmt.Sprintf("%s/%s", kustomization.GetNamespace(), kustomization.GetName()),
-		).Error(err, "unable to list profiles")
-		return
-	}
-
-	for _, profile := range profiles {
-		if settings := profile.Spec.Alert; settings != nil {
-			provider, err := alert.NewProvider(settings.Type, settings.Address, settings.Username, settings.Channel)
-			if err != nil {
-				r.Log.WithValues(
-					strings.ToLower(kustomization.Kind),
-					fmt.Sprintf("%s/%s", kustomization.GetNamespace(), kustomization.GetName()),
-				).Error(err, "unable to configure alert provider")
-				continue
-			}
-			if settings.Verbosity == verbosity || verbosity == "error" {
-				err = provider.Post(kustomization.GetName(), kustomization.GetNamespace(), msg, verbosity)
-				if err != nil {
-					r.Log.WithValues(
-						strings.ToLower(kustomization.Kind),
-						fmt.Sprintf("%s/%s", kustomization.GetNamespace(), kustomization.GetName()),
-					).Error(err, "unable to send alert")
-				}
-			}
-		}
-	}
-}
-
-var (
-	kustomizationFileName = "kustomization.yaml"
-	transformerFileName   = "kustomization-gc-labels.yaml"
-)
--- a/controllers/kustomization_predicate.go
+++ b/controllers/kustomization_predicate.go
@ -1,157 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"crypto/sha1"
-	"fmt"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/go-logr/logr"
-	"sigs.k8s.io/controller-runtime/pkg/event"
-	"sigs.k8s.io/controller-runtime/pkg/predicate"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
-)
-
-type KustomizationSyncAtPredicate struct {
-	predicate.Funcs
-}
-
-func (KustomizationSyncAtPredicate) Update(e event.UpdateEvent) bool {
-	if e.MetaOld == nil || e.MetaNew == nil {
-		// ignore objects without metadata
-		return false
-	}
-	if e.MetaNew.GetGeneration() != e.MetaOld.GetGeneration() {
-		// reconcile on spec changes
-		return true
-	}
-
-	// handle syncAt annotation
-	if val, ok := e.MetaNew.GetAnnotations()[kustomizev1.SyncAtAnnotation]; ok {
-		if valOld, okOld := e.MetaOld.GetAnnotations()[kustomizev1.SyncAtAnnotation]; okOld {
-			if val != valOld {
-				return true
-			}
-		} else {
-			return true
-		}
-	}
-
-	return false
-}
-
-type KustomizationGarbageCollectPredicate struct {
-	predicate.Funcs
-	Log logr.Logger
-}
-
-// Delete removes all Kubernetes objects based on the prune label selector.
-func (gc KustomizationGarbageCollectPredicate) Delete(e event.DeleteEvent) bool {
-	if k, ok := e.Object.(*kustomizev1.Kustomization); ok {
-		if k.Spec.Prune && !k.Spec.Suspend && k.Status.Snapshot != nil {
-			gc.Log.Info("Garbage collection started",
-				"kustomization", fmt.Sprintf("%s/%s", k.GetNamespace(), k.GetName()))
-
-			prune(k.GetTimeout(), k.GetName(), k.GetNamespace(), k.Status.Snapshot, gc.Log)
-		}
-	}
-
-	return true
-}
-
-func prune(timeout time.Duration, name string, namespace string, snapshot *kustomizev1.Snapshot, log logr.Logger) bool {
-	selector := gcSelectors(name, namespace, snapshot.Revision)
-	ok := true
-	outInfo := ""
-	outErr := ""
-	for ns, kinds := range snapshot.NamespacedKinds() {
-		for _, kind := range kinds {
-			if output, err := deleteByKind(timeout, kind, ns, selector); err != nil {
-				outErr += " " + err.Error()
-				ok = false
-			} else {
-				outInfo += " " + output
-			}
-		}
-	}
-	if outErr == "" {
-		log.Info("Garbage collection for namespaced objects completed",
-			"kustomization", fmt.Sprintf("%s/%s", namespace, name),
-			"output", outInfo)
-	} else {
-		log.Error(fmt.Errorf(outErr), "Garbage collection for namespaced objects failed",
-			"kustomization", fmt.Sprintf("%s/%s", namespace, name))
-	}
-
-	outInfo = ""
-	outErr = ""
-	for _, kind := range snapshot.NonNamespacedKinds() {
-		if output, err := deleteByKind(timeout, kind, "", selector); err != nil {
-			outErr += " " + err.Error()
-			ok = false
-		} else {
-			outInfo += " " + output
-		}
-	}
-	if outErr == "" {
-		log.Info("Garbage collection for non-namespaced objects completed",
-			"kustomization", fmt.Sprintf("%s/%s", namespace, name),
-			"output", outInfo)
-	} else {
-		log.Error(fmt.Errorf(outErr), "Garbage collection for non-namespaced objects failed",
-			"kustomization", fmt.Sprintf("%s/%s", namespace, name))
-	}
-
-	return ok
-}
-
-func deleteByKind(timeout time.Duration, kind, namespace, selector string) (string, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout+time.Second)
-	defer cancel()
-
-	cmd := fmt.Sprintf("kubectl delete %s -l %s", kind, selector)
-	if namespace != "" {
-		cmd = fmt.Sprintf("%s -n=%s", cmd, namespace)
-	}
-
-	command := exec.CommandContext(ctx, "/bin/sh", "-c", cmd)
-	if output, err := command.CombinedOutput(); err != nil {
-		return "", fmt.Errorf("%s", string(output))
-	} else {
-		return strings.TrimSuffix(string(output), "\n"), nil
-	}
-}
-
-func gcLabels(name, namespace, revision string) map[string]string {
-	return map[string]string{
-		"kustomization/name":     fmt.Sprintf("%s-%s", name, namespace),
-		"kustomization/revision": checksum(revision),
-	}
-}
-
-func gcSelectors(name, namespace, revision string) string {
-	return fmt.Sprintf("kustomization/name=%s-%s,kustomization/revision=%s", name, namespace, checksum(revision))
-}
-
-func checksum(in string) string {
-	return fmt.Sprintf("%x", sha1.Sum([]byte(in)))
-}
--- a/controllers/profile_controller.go
+++ b/controllers/profile_controller.go
@ -1,84 +0,0 @@
-/*
-Copyright 2020 The Flux CD contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"strings"
-
-	"github.com/go-logr/logr"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
-)
-
-// ProfileReconciler reconciles a Profile object
-type ProfileReconciler struct {
-	client.Client
-	Log    logr.Logger
-	Scheme *runtime.Scheme
-}
-
-// +kubebuilder:rbac:groups=kustomize.fluxcd.io,resources=profiles,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=kustomize.fluxcd.io,resources=profiles/status,verbs=get;update;patch
-
-func (r *ProfileReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-	ctx := context.Background()
-
-	var profile kustomizev1.Profile
-	if err := r.Get(ctx, req.NamespacedName, &profile); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	log := r.Log.WithValues(strings.ToLower(profile.Kind), req.NamespacedName)
-
-	init := true
-	for _, condition := range profile.Status.Conditions {
-		if condition.Type == kustomizev1.ReadyCondition && condition.Status == corev1.ConditionTrue {
-			init = false
-			break
-		}
-	}
-
-	if init {
-		profile.Status.Conditions = []kustomizev1.Condition{
-			{
-				Type:               kustomizev1.ReadyCondition,
-				Status:             corev1.ConditionTrue,
-				LastTransitionTime: metav1.Now(),
-				Reason:             kustomizev1.InitializedReason,
-				Message:            kustomizev1.InitializedReason,
-			},
-		}
-		if err := r.Status().Update(ctx, &profile); err != nil {
-			return ctrl.Result{Requeue: true}, err
-		}
-		log.Info("Profile initialised")
-	}
-
-	return ctrl.Result{}, nil
-}
-
-func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&kustomizev1.Profile{}).
-		Complete(r)
-}
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@ -1,81 +0,0 @@
-/*
-
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"path/filepath"
-	"testing"
-
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-	"k8s.io/client-go/kubernetes/scheme"
-	"k8s.io/client-go/rest"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/envtest"
-	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-
-	kustomizev1alpha1 "github.com/fluxcd/kustomize-controller/api/v1alpha1"
-	// +kubebuilder:scaffold:imports
-)
-
-// These tests use Ginkgo (BDD-style Go testing framework). Refer to
-// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
-
-var cfg *rest.Config
-var k8sClient client.Client
-var testEnv *envtest.Environment
-
-func TestAPIs(t *testing.T) {
-	RegisterFailHandler(Fail)
-
-	RunSpecsWithDefaultAndCustomReporters(t,
-		"Controller Suite",
-		[]Reporter{printer.NewlineReporter{}})
-}
-
-var _ = BeforeSuite(func(done Done) {
-	logf.SetLogger(zap.LoggerTo(GinkgoWriter, true))
-
-	By("bootstrapping test environment")
-	testEnv = &envtest.Environment{
-		CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")},
-	}
-
-	var err error
-	cfg, err = testEnv.Start()
-	Expect(err).ToNot(HaveOccurred())
-	Expect(cfg).ToNot(BeNil())
-
-	err = kustomizev1alpha1.AddToScheme(scheme.Scheme)
-	Expect(err).NotTo(HaveOccurred())
-
-	// +kubebuilder:scaffold:scheme
-
-	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
-	Expect(err).ToNot(HaveOccurred())
-	Expect(k8sClient).ToNot(BeNil())
-
-	close(done)
-}, 60)
-
-var _ = AfterSuite(func() {
-	By("tearing down the test environment")
-	err := testEnv.Stop()
-	Expect(err).ToNot(HaveOccurred())
-})
--- a/docs/api/v1/kustomize.md
+++ b/docs/api/v1/kustomize.md
--- a/docs/diagrams/kustomize-controller-overview.png
+++ b/docs/diagrams/kustomize-controller-overview.png
--- a/docs/diagrams/slack-error-alert.png
+++ b/docs/diagrams/slack-error-alert.png
--- a/docs/diagrams/slack-info-alert.png
+++ b/docs/diagrams/slack-info-alert.png
--- a/docs/internal/release.md
+++ b/docs/internal/release.md
@ -2,12 +2,14 @@

 To release a new version the following steps should be followed:

-1. Create a new branch from `master` i.e. `release-<next semver>`. This
+1. Create a `api/<next semver>` tag and push it to remote.
+1. Create a new branch from `main` i.e. `release-<next semver>`. This
   will function as your release preparation branch.
+1. Update the `github.com/fluxcd/kustomize-controller/api` version in `go.mod`
 1. Add an entry to the `CHANGELOG.md` for the new release and change the
   `newTag` value in ` config/manager/kustomization.yaml` to that of the
   semver release you are going to make. Commit and push your changes.
-1. Create a PR for your release branch and get it merged into `master`.
-1. Create a `<next semver>` tag for the merge commit in `master` and
+1. Create a PR for your release branch and get it merged into `main`.
+1. Create a `<next semver>` tag for the merge commit in `main` and
   push it to remote.
 1. Confirm CI builds and releases the newly tagged version.
--- a/docs/spec/README.md
+++ b/docs/spec/README.md
@ -1,206 +1,7 @@
 # Kustomize Controller

-The Kustomize Controller is a Kubernetes operator, specialized in running 
-continuous delivery pipelines for infrastructure and workloads
-defined with Kubernetes manifests and assembled with Kustomize.
-
-## Motivation
-
-The main goal is to provide an automated operator that can
-bootstrap and continuously reconcile the cluster state
-from multiple sources (e.g. infrastructure and application repositories).
-
-When provisioning a new cluster, one may wish to install workloads in a specific order,
-for example a validation controller such as OPA Gatekeeper should be up and running before 
-applying other manifests on the cluster. Another example is a service mesh admission controller,
-the proxy injector must be functional before deploying applications into the mesh.
-
-When operating a cluster, different teams may wish to receive notification about the status
-of their CD pipelines. For example, the on-call team would receive alerts about all
-failures in the prod namespace, while the frontend team may wish to be alerted when a new version 
-of the frontend app was deployed and if the deployment is healthy, no matter the namespace.
-
-When dealing with an incident, one may wish to suspend the reconciliation of some workloads and
-pin the reconciliation of others to a specific Git revision, without having to stop the reconciler
-and affect the whole cluster.
-
-## Design
-
-The reconciliation process can be defined with a Kubernetes custom resource
-that describes a pipeline such as:
- **check** if depends-on conditions are meet  
- **fetch** manifests from Git repository X
- **generate** a kustomization if needed
- **build** the manifest using kustomization X
- **validate** the resulting objects 
- **apply** the objects 
- **prune** the objects removed from source
- **verify** the deployment status
- **alert** if something went wrong
- **notify** if the cluster state changed 
-
-The controller that runs these pipelines relies on
-[source-controller](https://github.com/fluxcd/source-controller)
-for providing the raw manifests from Git repositories or any
-other source that source-controller could support in the future. 
-
-If a Git repository contains no Kustomize manifests, the controller can
-generate the `kustomization.yaml` file automatically and label
-the objects for garbage collection (GC).
-
-A pipeline runs on-a-schedule and ca be triggered manually by a
-cluster admin or automatically by a source event such as a Git revision change.
-
-When a pipeline is removed from the cluster, the controller's GC terminates
-all the objects previously created by that pipeline.
-
-A pipeline can be suspended, while in suspension the controller
-stops the scheduler and ignores any source events.
-Deleting a suspended pipeline does not trigger garbage collection.
-
-Alerting can be configured with a Kubernetes custom resource
-that specifies a webhook address, and a group of pipelines to be monitored.
-
-The API design of the controller can be found at [kustomize.fluxcd.io/v1alpha1](v1alpha1/README.md).
-
-## Backward compatibility
-
-| Feature                                      | Kustomize Controller    | Flux               |
-| -------------------------------------------- | ----------------------- | ------------------ |
-| Plain Kubernetes manifests sync              | :heavy_check_mark:      | :heavy_check_mark: |
-| Kustomize build sync                         | :heavy_check_mark:      | :heavy_check_mark: |
-| Garbage collection                           | :heavy_check_mark:      | :heavy_check_mark: |
-| Container image updates                      | :x:                     | :heavy_check_mark: |
-| Generate manifests with shell scripts        | :x:                     | :heavy_check_mark: |
-
-Syncing will not support the `.flux.yaml` mechanism as running shell scripts and binaries to
-generate manifests is not in the scope of Kustomize controller.
-
-Container registry scanning and automated image updates is not in the scope of Kustomize controller,
-could be implemented by a dedicated controller.
-
-## Example
-
-After installing kustomize-controller and its companion source-controller, we
-can create a series of pipelines for deploying Istio, and an application made of
-multiple services.
-
-Create a source that points to where the Istio control plane manifests are,
-and a kustomization for installing/upgrading Istio:
-
-```yaml
-apiVersion: source.fluxcd.io/v1alpha1
-kind: GitRepository
-metadata:
-  name: istio
-  namespace: kustomize-system
-spec:
-  interval: 5m
-  url: https://github.com/stefanprodan/gitops-istio
-  ref:
-    branch: master
---
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: istio
-  namespace: kustomize-system
-spec:
-  interval: 10m
-  path: "./istio/"
-  sourceRef:
-    kind: GitRepository
-    name: istio
-  healthChecks:
-    - kind: Deployment
-      name: istiod
-      namespace: istio-system
-  timeout: 2m
-```
-
-Create a source for the app repo, a kustomization for each service defining depends-on relationships:
-
-```yaml
-apiVersion: source.fluxcd.io/v1alpha1
-kind: GitRepository
-metadata:
-  name: webapp
-  namespace: kustomize-system
-spec:
-  interval: 1m
-  url: https://github.com/stefanprodan/podinfo-deploy
-  ref:
-    branch: master
---
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: webapp-common
-  namespace: kustomize-system
-spec:
-  dependsOn:
-    - istio
-  interval: 5m
-  path: "./webapp/common/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validate: client
---
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: webapp-backend
-  namespace: kustomize-system
-spec:
-  dependsOn:
-    - webapp-common
-  interval: 5m
-  path: "./webapp/backend/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validate: server
-  healthChecks:
-    - kind: Deployment
-      name: backend
-      namespace: webapp
---
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Kustomization
-metadata:
-  name: webapp-frontend
-  namespace: kustomize-system
-spec:
-  dependsOn:
-    - webapp-backend
-  interval: 5m
-  path: "./webapp/frontend/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validate: server
-```
-
-Configure alerting for all pipelines in the `kustomize-system` namespace:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Profile
-metadata:
-  name: default
-  namespace: kustomize-system
-spec:
-  alert:
-    type: slack
-    verbosity: info
-    address: https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
-    username: kustomize-controller
-    channel: general
-  kustomizations:
-    - '*'
-```
+## API Specification

+[v1beta1](v1beta2/README.md).
+[v1beta2](v1beta2/README.md).
+[v1](v1/README.md).
--- a/docs/spec/v1/README.md
+++ b/docs/spec/v1/README.md
@ -0,0 +1,17 @@
+# kustomize.toolkit.fluxcd.io/v1
+
+This is the v1 API specification for defining continuous delivery pipelines
+of Kubernetes objects generated with Kustomize.
+
+## Specification
+
+- [Kustomization CRD](kustomizations.md)
+    + [Example](kustomizations.md#example)
+    + [Writing a Kustomization spec](kustomizations.md#writing-a-kustomization-spec)
+    + [Working with Kustomizations](kustomizations.md#working-with-kustomizations)
+      * [Recommended settings](kustomizations.md#recommended-settings)
+    + [Kustomization Status](kustomizations.md#kustomization-status)
+
+## Implementation
+
+* [kustomize-controller](https://github.com/fluxcd/kustomize-controller/)
--- a/docs/spec/v1/kustomizations.md
+++ b/docs/spec/v1/kustomizations.md
--- a/docs/spec/v1alpha1/README.md
+++ b/docs/spec/v1alpha1/README.md
@ -1,21 +1,20 @@
-# kustomize.fluxcd.io/v1alpha1
+# kustomize.toolkit.fluxcd.io/v1alpha1

 This is the v1alpha1 API specification for defining continuous delivery pipelines
 of Kubernetes objects generated with Kustomize.

 ## Specification

- [Kustomization CRD](kustomization.md)
-    + [Source reference](kustomization.md#source-reference)
-    + [Generate kustomization.yaml](kustomization.md#generate-kustomizationyaml)
-    + [Reconciliation](kustomization.md#reconciliation)
-    + [Garbage collection](kustomization.md#garbage-collection)
-    + [Health assessment](kustomization.md#health-assessment)
-    + [Kustomization dependencies](kustomization.md#kustomization-dependencies)
-    + [Role-based access control](kustomization.md#role-based-access-control)
-    + [Status](kustomization.md#status)
- [Profile CRD](profile.md)
-    + [Alerting configuration](profile.md#alerting)
+- [Kustomization CRD](kustomizations.md)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)

 ## Implementation

--- a/docs/spec/v1alpha1/kustomizations.md
+++ b/docs/spec/v1alpha1/kustomizations.md
@ -1,27 +1,35 @@
 # Kustomization

-The `Kustomization` API defines a pipeline for fetching, building, testing and applying Kubernetes manifests.
+The `Kustomization` API defines a pipeline for fetching, decrypting, building, validating and applying Kubernetes manifests.

 ## Specification

-A **kustomization** object defines the source of Kubernetes manifests by referencing an object 
+A **Kustomization** object defines the source of Kubernetes manifests by referencing an object 
 managed by [source-controller](https://github.com/fluxcd/source-controller),
 the path to the kustomization file within that source,
 and the interval at which the kustomize build output is applied on the cluster.

 ```go
 type KustomizationSpec struct {
-	// A list of kustomization that must be ready before this
-	// kustomization can be applied.
+	// DependsOn may contain a dependency.CrossNamespaceDependencyReference slice
+	// with references to Kustomization resources that must be ready before this
+	// Kustomization can be reconciled.
 	// +optional
-	DependsOn []string `json:"dependsOn,omitempty"`
+	DependsOn []dependency.CrossNamespaceDependencyReference `json:"dependsOn,omitempty"`
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	// +optional
+	Decryption *Decryption `json:"decryption,omitempty"`

 	// The interval at which to apply the kustomization.
 	// +required
 	Interval metav1.Duration `json:"interval"`

+	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// +optional
+	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
+
 	// Path to the directory containing the kustomization file.
-	// +kubebuilder:validation:Pattern="^\\./"
 	// +required
 	Path string `json:"path"`

@ -29,10 +37,9 @@ type KustomizationSpec struct {
 	// +required
 	Prune bool `json:"prune"`

-	// A list of workloads (Deployments, DaemonSets and StatefulSets)
-	// to be included in the health assessment.
+	// A list of resources to be included in the health assessment.
 	// +optional
-	HealthChecks []WorkloadReference `json:"healthChecks,omitempty"`
+	HealthChecks []CrossNamespaceObjectReference `json:"healthChecks,omitempty"`

 	// The Kubernetes service account used for applying the kustomization.
 	// +optional
@ -40,13 +47,18 @@ type KustomizationSpec struct {

 	// Reference of the source where the kustomization file is.
 	// +required
-	SourceRef corev1.TypedLocalObjectReference `json:"sourceRef"`
+	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`

 	// This flag tells the controller to suspend subsequent kustomize executions,
 	// it does not apply to already started executions. Defaults to false.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`

+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	// +optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+
 	// Timeout for validation, apply and health checking operations.
 	// Defaults to 'Interval' duration.
 	// +optional
@ -60,18 +72,57 @@ type KustomizationSpec struct {
 }
 ```

-The status sub-resource describes the result of the last kustomization execution:
+The decryption section defines how decryption is handled for Kubernetes manifests:
+
+```go
+type Decryption struct {
+	// Provider is the name of the decryption engine.
+	// +kubebuilder:validation:Enum=sops
+	// +required
+	Provider string `json:"provider"`
+
+	// The secret name containing the private OpenPGP keys used for decryption.
+	// +optional
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty"`
+}
+```
+
+KubeConfig references a Kubernetes secret generated by CAPI:
+
+```go
+type KubeConfig struct {
+	// The secret name containing a 'value' key with the kubeconfig file as the value.
+	// Ref: https://github.com/kubernetes-sigs/cluster-api/blob/release-0.3/util/secret/consts.go#L24
+	// +required
+	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
+}
+```
+
+The status sub-resource records the result of the last reconciliation:

 ```go
 type KustomizationStatus struct {
+	// ObservedGeneration is the last reconciled generation.
 	// +optional
-	Conditions []Condition `json:"conditions,omitempty"`
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`

 	// The last successfully applied revision.
 	// The revision format for Git sources is <branch|tag>/<commit-sha>.
 	// +optional
 	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`

+	// LastAttemptedRevision is the revision of the last reconciliation attempt.
+	// +optional
+	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+
+	// LastHandledReconcileAt is the last manual reconciliation request (by
+	// annotating the Kustomization) handled by the reconciler.
+	// +optional
+	LastHandledReconcileAt string `json:"lastHandledReconcileAt,omitempty"`
+
 	// The last successfully applied revision metadata.
 	// +optional
 	Snapshot *Snapshot `json:"snapshot"`
@ -82,8 +133,8 @@ Status condition types:

 ```go
 const (
-	// ReadyCondition represents the fact that a given kustomization has passed
-	// validation and was successfully applied on the cluster.
+	// ReadyCondition is the name of the condition that
+	// records the readiness status of a Kustomization.
 	ReadyCondition string = "Ready"
 )
 ```
@ -92,38 +143,44 @@ Status condition reasons:

 ```go
 const (
-	// ApplySucceedReason represents the fact that the kustomization apply succeed.
-	ApplySucceedReason string = "ApplySucceed"
+	// ReconciliationSucceededReason represents the fact that the
+	// reconciliation of the Kustomization has succeeded.
+	ReconciliationSucceededReason string = "ReconciliationSucceeded"

-	// ApplyFailedReason represents the fact that the kustomization apply failed.
-	ApplyFailedReason string = "ApplyFailed"
+	// ReconciliationFailedReason represents the fact that the
+	// reconciliation of the Kustomization has failed.
+	ReconciliationFailedReason string = "ReconciliationFailed"

-	// ArtifactFailedReason represents the fact that the artifact download failed.
-	ArtifactFailedReason string = "ArtifactFailed"
-
-	// BuildFailedReason represents the fact that the kustomize build command failed.
-	BuildFailedReason string = "BuildFailed"
-
-	// DependencyNotReady represents the fact that the one of the dependencies is not ready.
-	DependencyNotReadyReason string = "DependencyNotReady"
-
-	// HealthCheckFailedReason represents the fact that the one of the health check failed.
-	HealthCheckFailedReason string = "HealthCheckFailed"
-
-	// InitializedReason represents the fact that a given resource has been initialized.
-	InitializedReason string = "Initialized"
-
-	// ProgressingReason represents the fact that a kustomization reconciliation
-	// is underway.
+	// ProgressingReason represents the fact that the
+	// reconciliation of the Kustomization is underway.
 	ProgressingReason string = "Progressing"

-	// PruneFailedReason represents the fact that the kustomization pruning failed.
-	PruneFailedReason string = "PruneFailed"
-
-	// SuspendedReason represents the fact that the kustomization execution is suspended.
+	// SuspendedReason represents the fact that the
+	// reconciliation of the Kustomization has been suspended.
 	SuspendedReason string = "Suspended"

-	// ValidationFailedReason represents the fact that the dry-run apply failed.
+	// DependencyNotReady represents the fact that
+	// one of the dependencies of the Kustomization is not ready.
+	DependencyNotReadyReason string = "DependencyNotReady"
+
+	// PruneFailedReason represents the fact that the
+	// pruning of the Kustomization failed.
+	PruneFailedReason string = "PruneFailed"
+
+	// ArtifactFailedReason represents the fact that the
+	// artifact download of the kustomization failed.
+	ArtifactFailedReason string = "ArtifactFailed"
+
+	// BuildFailedReason represents the fact that the
+	// kustomize build of the Kustomization failed.
+	BuildFailedReason string = "BuildFailed"
+
+	// HealthCheckFailedReason represents the fact that
+	// one of the health checks of the Kustomization failed.
+	HealthCheckFailedReason string = "HealthCheckFailed"
+
+	// ValidationFailedReason represents the fact that the
+	// validation of the Kustomization manifests has failed.
 	ValidationFailedReason string = "ValidationFailed"
 )
 ```
@ -138,10 +195,12 @@ changes, it generates a Kubernetes event that triggers a kustomize build and app
 Source supported types:

 * [GitRepository](https://github.com/fluxcd/source-controller/blob/master/docs/spec/v1alpha1/gitrepositories.md)
+* [Bucket](https://github.com/fluxcd/source-controller/blob/master/docs/spec/v1alpha1/buckets.md)

 > **Note** that the source should contain the kustomization.yaml and all the
 > Kubernetes manifests and configuration files referenced in the kustomization.yaml.
-> If your repository contains only plain manifests, then you should enable kustomization.yaml generation.
+> If your Git repository or S3 bucket contains only plain manifests,
+> then a kustomization.yaml will be automatically generated.

 ## Generate kustomization.yaml

@ -160,21 +219,21 @@ The interval time units are `s`, `m` and `h` e.g. `interval: 5m`, the minimum va

 The kustomization execution can be suspended by setting `spec.susped` to `true`.

-The controller can be told to execute the kustomization outside of the specified interval
+The controller can be told to reconcile the kustomization outside of the specified interval
 by annotating the kustomization object with:

 ```go
 const (
-	// SyncAtAnnotation is the annotation used for triggering a
-	// sync outside of the specified schedule.
-	SyncAtAnnotation string = "kustomize.fluxcd.io/syncAt"
+	// ReconcileAtAnnotation is the annotation used for triggering a
+	// reconciliation outside of the defined schedule.
+	ReconcileAtAnnotation string = "fluxcd.io/reconcileAt"
 )
 ```

 On-demand execution example:

 ```bash
-kubectl annotate --overwrite kustomization/podinfo kustomize.fluxcd.io/syncAt="$(date +%s)"
+kubectl annotate --overwrite kustomization/podinfo fluxcd.io/reconcileAt="$(date +%s)"
 ```

 ## Garbage collection
@ -190,14 +249,19 @@ triggering a removal of all Kubernetes objects previously applied on the cluster

 A kustomization can contain a series of health checks used to determine the
 [rollout status](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#deployment-status)
-of the deployed workloads. A health check entry can reference one of the following Kubernetes types:
-Deployment, DaemonSet or StatefulSet.
+of the deployed workloads and the ready status of custom resources.
+
+A health check entry can reference one of the following types:
+
+* Kubernetes builtin kinds: Deployment, DaemonSet, StatefulSet, PersistentVolumeClaim, Pod, PodDisruptionBudget, Job, CronJob, Service, Secret, ConfigMap, CustomResourceDefinition
+* Toolkit kinds: HelmRelease, HelmRepository, GitRepository, etc
+* Custom resources that are compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus)

 Assuming the kustomization source contains a Kubernetes Deployment named `backend`,
 a health check can be defined as follows:

 ```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: backend
@ -209,7 +273,8 @@ spec:
    kind: GitRepository
    name: webapp
  healthChecks:
-    - kind: Deployment
+    - apiVersion: apps/v1
+      kind: Deployment
      name: backend
      namespace: dev
  timeout: 2m
@ -221,6 +286,35 @@ if the rollout failed, or if it takes more than the specified timeout to complet
 kustomization ready condition is set to `false`. If the deployment becomes healthy on the next
 execution, then the kustomization is marked as ready.

+When a Kustomization contains HelmRelease objects, instead of checking the underling Deployments, you can
+define a health check that waits for the HelmReleases to be reconciled with:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
+kind: Kustomization
+metadata:
+  name: webapp
+spec:
+  interval: 15m
+  path: "./releases/"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: webapp
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v1alpha1
+      kind: HelmRelease
+      name: frontend
+      namespace: dev
+    - apiVersion: helm.toolkit.fluxcd.io/v1alpha1
+      kind: HelmRelease
+      name: backend
+      namespace: dev
+  timeout: 5m
+```
+
+If all the HelmRelease objects are successfully installed or upgraded, then the Kustomization will be marked as ready.
+
 ## Kustomization dependencies 

 When applying a kustomization, you may need to make sure other resources exist before the
@ -239,7 +333,7 @@ Assuming two kustomizations:
 You can instruct the controller to apply the `common` kustomization before `backend`:

 ```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: common
@ -251,13 +345,13 @@ spec:
    kind: GitRepository
    name: webapp
 ---
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: backend
 spec:
  dependsOn:
-    - common
+    - name: common
  interval: 5m
  path: "./webapp/backend/"
  prune: true
@ -270,10 +364,11 @@ When combined with health assessment, a kustomization will run after all its dep
 For example, a service mesh proxy injector should be running before deploying applications inside the mesh.

 ```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: istio
+  namespace: istio-system
 spec:
  interval: 5m
  path: "./profiles/default/"
@ -286,14 +381,15 @@ spec:
      namespace: istio-system
  timeout: 2m
 ---
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: backend
 spec:
  dependsOn:
-    - common
-    - istio
+    - name: common
+    - name: istio
+      namespace: istio-system
  interval: 5m
  path: "./webapp/backend/"
  prune: true
@ -360,13 +456,13 @@ subjects:
 Create a kustomization that prevents altering the cluster state outside of the `webapp` namespace:

 ```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
 kind: Kustomization
 metadata:
  name: backend
 spec:
  dependsOn:
-    - common
+    - name: common
  serviceAccount:
    name: webapp-reconciler
    namespace: webapp
@ -383,6 +479,52 @@ account. If the kustomization contains cluster level objects like CRDs or object
 namespace, the reconciliation will fail since the account it runs under has no permissions to alter objects
 outside of the `webapp` namespace.

+## Secrets decryption
+
+In order to store secrets safely in a public or private Git repository,
+you can use [Mozilla SOPS](https://github.com/mozilla/sops)
+and encrypt your Kubernetes Secrets data with OpenPGP keys. 
+
+Generate a GPG key **without passphrase** using [gnupg](https://www.gnupg.org/)
+then use sops to encrypt a Kubernetes secret:
+
+```sh
+sops --pgp=FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 \
+--encrypt --encrypted-regex '^(data|stringData)$' --in-place my-secret.yaml
+```
+
+Commit and push the encrypted file to Git.
+
+> **Note** that you should encrypt only the `data` section, encrypting the Kubernetes secret
+> metadata, kind or apiVersion is not supported by kustomize-controller.
+
+Create a secret in the `gitops-system` namespace with the OpenPGP private key:
+
+```sh
+gpg --export-secret-keys --armor FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 |
+kubectl -n gitops-system create secret generic sops-gpg \
+--from-file=sops.asc=/dev/stdin
+```
+
+Configure decryption by referring the private key secret:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1alpha1
+kind: Kustomization
+metadata:
+  name: my-secrets
+spec:
+  interval: 5m
+  path: "./"
+  sourceRef:
+    kind: GitRepository
+    name: my-secrets
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-pgp
+```
+
 ## Status

 When the controller completes a kustomization apply, reports the result in the `status` sub-resource.
@ -392,12 +534,13 @@ A successful reconciliation sets the ready condition to `true` and updates the r
 ```yaml
 status:
  conditions:
-  - lastTransitionTime: "2020-04-23T19:28:48Z"
-    message: kustomization was successfully applied
-    reason: ApplySucceed
+  - lastTransitionTime: "2020-09-17T19:28:48Z"
+    message: "Applied revision: master/a1afe267b54f38b46b487f6e938a6fd508278c07"
+    reason: ReconciliationSucceeded
    status: "True"
    type: Ready
  lastAppliedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
+  lastAttemptedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
 ```

 You can wait for the kustomize controller to complete a reconciliation with:
@ -411,7 +554,7 @@ The controller logs the Kubernetes objects:
 ```json
 {
  "level": "info",
-  "ts": 1587195448.071468,
+  "ts": "2020-09-17T07:27:11.921Z",
  "logger": "controllers.Kustomization",
  "msg": "Kustomization applied in 1.436096591s",
  "kustomization": "default/backend",
@ -428,24 +571,24 @@ A failed reconciliation sets the ready condition to `false`:
 ```yaml
 status:
  conditions:
-  - lastTransitionTime: "2020-04-23T19:29:48Z"
-    message: 'server-side validation failed'
+  - lastTransitionTime: "2020-09-17T07:26:48Z"
+    message: "The Service 'backend' is invalid: spec.type: Unsupported value: 'Ingress'"
    reason: ValidationFailed
    status: "False"
    type: Ready
  lastAppliedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
+  lastAttemptedRevision: master/7c500d302e38e7e4a3f327343a8a5c21acaaeb87
 ``` 

 > **Note** that the last applied revision is updated only on a successful reconciliation.

-When a reconciliation fails, the controller logs the error:
+When a reconciliation fails, the controller logs the error and issues a Kubernetes event:

 ```json
 {
  "level": "error",
-  "ts": 1587195448.071468,
+  "ts": "2020-09-17T07:27:11.921Z",
  "logger": "controllers.Kustomization",
-  "msg": "server-side validation failed",
  "kustomization": "default/backend",
  "error": "The Service 'backend' is invalid: spec.type: Unsupported value: 'Ingress'"
 }
--- a/docs/spec/v1alpha1/profile.md
+++ b/docs/spec/v1alpha1/profile.md
@ -1,97 +0,0 @@
-# Profile
-
-The `Profile` API defines a common behavior for a group of [Kustomization](kustomization.md) objects. 
-
-## Specification
-
-```go
-type ProfileSpec struct {
-	// Alerting configuration of the kustomizations targeted by this profile.
-	// +optional
-	Alert *AlertProvider `json:"alert"`
-
-	// The list of kustomizations that this profile applies to.
-	// +required
-	Kustomizations []string `json:"kustomizations"`
-}
-```
-
-Alerting configuration:
-
-```go
-type AlertProvider struct {
-	// HTTP(S) webhook address of this provider
-	// +required
-	Address string `json:"address"`
-
-	// Alert channel for this provider
-	// +required
-	Channel string `json:"channel"`
-
-	// Bot username for this provider
-	// +required
-	Username string `json:"username"`
-
-	// Filter alerts based on verbosity level, defaults to ('error').
-	// +kubebuilder:validation:Enum=info;error
-	// +optional
-	Verbosity string `json:"verbosity,omitempty"`
-
-	// Type of provider
-	// +kubebuilder:validation:Enum=slack;discord
-	// +required
-	Type string `json:"type"`
-}
-```
-
-Status condition types:
-
-```go
-const (
-	// ReadyCondition represents the fact that a given Profile has been
-	// processed by the controller.
-	ReadyCondition string = "Ready"
-)
-```
-
-Status condition reasons:
-
-```go
-const (
-	// InitializedReason represents the fact that a given resource has been initialized.
-	InitializedReason string = "Initialized"
-)
-```
-
-## Alerting
-
-Alerting can be configured by creating a profile that contains an alert definition:
-
-```yaml
-apiVersion: kustomize.fluxcd.io/v1alpha1
-kind: Profile
-metadata:
-  name: default
-spec:
-  alert:
-    type: slack
-    verbosity: info
-    address: https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
-    username: kustomize-controller
-    channel: general
-  kustomizations:
-    - '*'
-```
-
-The alert provider type can be: `slack` or `discord` and the verbosity can be set to `info` or `error`.
-
-The `*` wildcard tells the controller to use this profile for all kustomizations that are present
-in the same namespace as the profile.
-Multiple profiles can be used to send alerts to different channels or Slack organizations.
-
-When the verbosity is set to `error`, the controller will alert on any error encountered during the
-reconciliation process. This includes kustomize build and validation errors, apply errors and
-health check failures.
-
-When the verbosity is set to `info`, the controller will alert whenever a kustomization status changes.
-
--- a/docs/spec/v1beta1/README.md
+++ b/docs/spec/v1beta1/README.md
@ -0,0 +1,24 @@
+# kustomize.toolkit.fluxcd.io/v1beta1
+
+This is the v1beta1 API specification for defining continuous delivery pipelines
+of Kubernetes objects generated with Kustomize.
+
+## Specification
+
+- [Kustomization CRD](kustomizations.md)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Override kustomize config](kustomizations.md#override-kustomize-config)
+    + [Variable substitution](kustomizations.md#variable-substitution)
+    + [Targeting remote clusters](kustomizations.md#remote-clusters--cluster-api)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)
+
+## Implementation
+
+* [kustomize-controller](https://github.com/fluxcd/kustomize-controller/)
--- a/docs/spec/v1beta1/kustomizations.md
+++ b/docs/spec/v1beta1/kustomizations.md
--- a/docs/spec/v1beta2/README.md
+++ b/docs/spec/v1beta2/README.md
@ -0,0 +1,26 @@
+# kustomize.toolkit.fluxcd.io/v1beta2
+
+This is the v1beta2 API specification for defining continuous delivery pipelines
+of Kubernetes objects generated with Kustomize.
+
+## Specification
+
+- [Kustomization CRD](kustomizations.md)
+    + [Example](kustomizations.md#example)
+    + [Recommended settings](kustomizations.md#recommended-settings)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Override kustomize config](kustomizations.md#override-kustomize-config)
+    + [Variable substitution](kustomizations.md#variable-substitution)
+    + [Targeting remote clusters](kustomizations.md#remote-clusters--cluster-api)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)
+
+## Implementation
+
+* [kustomize-controller](https://github.com/fluxcd/kustomize-controller/)
--- a/docs/spec/v1beta2/kustomizations.md
+++ b/docs/spec/v1beta2/kustomizations.md
--- a/go.mod
+++ b/go.mod
@ -1,16 +1,265 @@
 module github.com/fluxcd/kustomize-controller

-go 1.13
+go 1.24.0
+
+replace github.com/fluxcd/kustomize-controller/api => ./api
+
+// Replace digest lib to master to gather access to BLAKE3.
+// xref: https://github.com/opencontainers/go-digest/pull/66
+replace github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.1-0.20220411205349-bde1400a84be

 require (
-	github.com/fluxcd/source-controller v0.0.1-alpha.3
-	github.com/go-logr/logr v0.1.0
-	github.com/onsi/ginkgo v1.11.0
-	github.com/onsi/gomega v1.8.1
-	k8s.io/api v0.17.2
-	k8s.io/apimachinery v0.17.2
-	k8s.io/client-go v0.17.2
-	sigs.k8s.io/controller-runtime v0.5.0
-	sigs.k8s.io/kustomize/api v0.3.2
-	sigs.k8s.io/yaml v1.1.0
+	cloud.google.com/go/kms v1.22.0
+	filippo.io/age v1.2.1
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
+	github.com/aws/aws-sdk-go-v2 v1.36.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.70
+	github.com/cyphar/filepath-securejoin v0.4.1
+	github.com/dimchansky/utfbom v1.1.1
+	github.com/fluxcd/cli-utils v0.36.0-flux.14
+	github.com/fluxcd/kustomize-controller/api v1.6.0
+	github.com/fluxcd/pkg/apis/acl v0.8.0
+	github.com/fluxcd/pkg/apis/event v0.18.0
+	github.com/fluxcd/pkg/apis/kustomize v1.11.0
+	github.com/fluxcd/pkg/apis/meta v1.18.0
+	github.com/fluxcd/pkg/auth v0.23.0
+	github.com/fluxcd/pkg/cache v0.10.0
+	github.com/fluxcd/pkg/http/fetch v0.17.0
+	github.com/fluxcd/pkg/kustomize v1.19.0
+	github.com/fluxcd/pkg/runtime v0.72.0
+	github.com/fluxcd/pkg/ssa v0.51.0
+	github.com/fluxcd/pkg/tar v0.13.0
+	github.com/fluxcd/pkg/testserver v0.11.0
+	github.com/fluxcd/source-controller/api v1.6.0
+	github.com/getsops/sops/v3 v3.10.2
+	github.com/google/cel-go v0.23.2
+	github.com/hashicorp/vault/api v1.20.0
+	github.com/onsi/gomega v1.37.0
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/ory/dockertest/v3 v3.12.0
+	github.com/spf13/pflag v1.0.6
+	golang.org/x/net v0.42.0
+	golang.org/x/oauth2 v0.30.0
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/kustomize/api v0.20.0
+	sigs.k8s.io/yaml v1.5.0
+)
+
+// Pin kustomize to v5.7.0
+replace (
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.20.0
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.20.0
+)
+
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
+require (
+	cel.dev/expr v0.23.0 // indirect
+	cloud.google.com/go v0.120.1 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/longrunning v0.6.7 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/storage v1.51.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.3 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.17 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.72 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.66.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/smithy-go v1.22.4 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/carapace-sh/carapace-shlex v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.3 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
+	github.com/docker/docker v28.2.2+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fluxcd/pkg/envsubst v1.4.0 // indirect
+	github.com/fluxcd/pkg/sourceignore v0.13.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/goware/prefixer v0.0.0-20160118172347-395022866408 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/opencontainers/go-digest/blake3 v0.0.0-20250116041648-1e56c6daea3b // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/runc v1.2.6 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/urfave/cli v1.22.16 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/api v0.241.0 // indirect
+	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.33.2 // indirect
+	k8s.io/cli-runtime v0.33.2 // indirect
+	k8s.io/component-base v0.33.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911 // indirect
+	k8s.io/kubectl v0.33.2 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/Show More
+++ b/Show More