Merge pull request #1491 from fluxcd/feat-dependon-cel

Extend the readiness evaluation of dependencies with CEL expressions

.github/dependabot.yaml

@@ -0,0 +1,34 @@
+version: 2
+
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    labels: ["dependencies"]
+    schedule:
+      interval: "monthly"
+    groups:
+      go-deps:
+        patterns:
+          - "*"
+    allow:
+      - dependency-type: "direct"
+    ignore:
+      # Kubernetes deps are updated by fluxcd/pkg
+      - dependency-name: "k8s.io/*"
+      - dependency-name: "sigs.k8s.io/*"
+      # KMS SDKs are updated by SOPS
+      - dependency-name: "github.com/Azure/*"
+      - dependency-name: "github.com/aws/*"
+      - dependency-name: "github.com/hashicorp/vault/*"
+      # Flux APIs pkg are updated at release time
+      - dependency-name: "github.com/fluxcd/kustomize-controller/api"
+      - dependency-name: "github.com/fluxcd/source-controller/api"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"

.github/labels.yaml

@@ -0,0 +1,40 @@
+# Configuration file to declaratively configure labels
+# Ref: https://github.com/EndBug/label-sync#Config-files
+
+- name: area/kustomize
+  description: Kustomize related issues and pull requests
+  color: '#00e54d'
+- name: area/kstatus
+  description: Health checking related issues and pull requests
+  color: '#25D5CA'
+  aliases: ['area/health-checks']
+- name: area/sops
+  description: SOPS related issues and pull requests
+  color: '#FEE5D1'
+- name: area/server-side-apply
+  description: SSA related issues and pull requests
+  color: '#2819CB'
+- name: area/varsub
+  description: Post-build variable substitution related issues and pull requests
+  color: '#8D195D'
+- name: backport:release/v1.0.x
+  description: To be backported to release/v1.0.x
+  color: '#ffd700'
+- name: backport:release/v1.1.x
+  description: To be backported to release/v1.1.x
+  color: '#ffd700'
+- name: backport:release/v1.2.x
+  description: To be backported to release/v1.2.x
+  color: '#ffd700'
+- name: backport:release/v1.3.x
+  description: To be backported to release/v1.3.x
+  color: '#ffd700'
+- name: backport:release/v1.4.x
+  description: To be backported to release/v1.4.x
+  color: '#ffd700'
+- name: backport:release/v1.5.x
+  description: To be backported to release/v1.5.x
+  color: '#ffd700'
+- name: backport:release/v1.6.x
+  description: To be backported to release/v1.6.x
+  color: '#ffd700'

.github/workflows/backport.yaml

@@ -0,0 +1,34 @@
+name: backport
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+permissions:
+  contents: read
+
+jobs:
+  pull-request:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Create backport PRs
+        uses: korthout/backport-action@436145e922f9561fc5ea157ff406f21af2d6b363 # v3.2.0
+        # xref: https://github.com/korthout/backport-action#inputs
+        with:
+          # Use token to allow workflows to be triggered for the created PR
+          github_token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          # Match labels with a pattern `backport:<target-branch>`
+          label_pattern: '^backport:([^ ]+)$'
+          # A bit shorter pull-request title than the default
+          pull_title: '[${target_branch}] ${pull_title}'
+          # Simpler PR description than default
+          pull_description: |-
+            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/cifuzz.yaml

@@ -12,20 +12,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
-        go-version: 1.19.x
-    - id: go-env
-      run: |
-        echo "::set-output name=go-mod-cache::$(go env GOMODCACHE)"
-    - name: Restore Go cache
-      uses: actions/cache@v3
-      with:
-        path: ${{ steps.go-env.outputs.go-mod-cache }}
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go
+        go-version: 1.24.x
+        cache-dependency-path: |
+          **/go.sum
+          **/go.mod
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest

.github/workflows/e2e.yaml

@@ -4,33 +4,25 @@ on:
   pull_request:
   push:
     branches:
-      - main
+      - 'main'
+      - 'release/**'
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  
+
 jobs:
   kind:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Restore Go cache
-        uses: actions/cache@v3
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: Cache Docker layers
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         id: cache
         with:
           path: /tmp/.buildx-cache
@@ -38,20 +30,20 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-buildx-ghcache-
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
-          version: v0.11.1
-          image: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
+          version: v0.20.0
+          cluster_name: kind
+          node_image: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
       - name: Setup Kustomize
-        uses: fluxcd/pkg//actions/kustomize@main
-      - name: Setup Kubectl
-        uses: fluxcd/pkg/actions/kubectl@main
-        with:
-          version: 1.21.2
+        uses: fluxcd/pkg/actions/kustomize@main
       - name: Enable integration tests
         # Only run integration tests for main branch
         if: github.ref == 'refs/heads/main'
@@ -109,7 +101,7 @@ jobs:
       - name: Run tests for removing kubectl managed fields
         run: |
           kubectl create ns managed-fields
-          kustomize build github.com/stefanprodan/podinfo//kustomize?ref=6.0.0 > /tmp/podinfo.yaml
+          kustomize build github.com/stefanprodan/podinfo//kustomize?ref=6.3.5 > /tmp/podinfo.yaml
           kubectl -n managed-fields apply -f /tmp/podinfo.yaml
           kubectl -n managed-fields apply -f ./config/testdata/managed-fields
           kubectl -n managed-fields wait kustomization/podinfo --for=condition=ready --timeout=4m
@@ -161,9 +153,6 @@ jobs:
       - name: Debug failure
         if: failure()
         run: |
-          which kubectl
-          kubectl version
-          kustomize version
           kubectl -n kustomize-system get gitrepositories -oyaml
           kubectl -n kustomize-system get kustomizations -oyaml
           kubectl -n kustomize-system get all

.github/workflows/nightly.yml

@@ -9,23 +9,22 @@ env:
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           buildkitd-flags: "--debug"
       - name: Build multi-arch container image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
           push: false
           builder: ${{ steps.buildx.outputs.name }}

.github/workflows/release.yml

@@ -11,18 +11,25 @@ on:
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
-  build-push:
+  release:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      image_url: ${{ steps.slsa.outputs.image_url }}
+      image_digest: ${{ steps.slsa.outputs.image_digest }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for creating the GitHub release.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for pushing and signing container images.
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Prepare
@@ -32,27 +39,27 @@ jobs:
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             VERSION=${GITHUB_REF/refs\/tags\//}
           fi
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             fluxcd/${{ env.CONTROLLER }}
@@ -60,8 +67,11 @@ jobs:
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish images
-        uses: docker/build-push-action@v3
+        id: build-push
+        uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
         with:
+          sbom: true
+          provenance: true
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
@@ -69,32 +79,82 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Check images
-        run: |
-          docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
       - name: Sign images
         env:
           COSIGN_EXPERIMENTAL: 1
         run: |
-          cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
+          cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
       - name: Generate release artifacts
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
           mkdir -p config/release
           kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
           kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-          echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
-      - uses: anchore/sbom-action/download-syft@v0
+      - uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
       - name: Create release and SBOM
+        id: run-goreleaser
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           version: latest
-          args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
+          args: release --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+          
+          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
+          echo "image_url=$image_url" >> $GITHUB_OUTPUT
+          
+          image_digest=${{ steps.build-push.outputs.digest }}
+          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
+
+  release-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+
+  dockerhub-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+
+  ghcr-provenance:
+    needs: [release]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/v')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ needs.release.outputs.image_url }}
+      digest: ${{ needs.release.outputs.image_digest }}
+      registry-username: fluxcdbot
+    secrets:
+      registry-password: ${{ secrets.GHCR_TOKEN }}

.github/workflows/scan.yml

@@ -11,15 +11,16 @@ on:
 permissions:
   contents: read # for actions/checkout to fetch code
   security-events: write # for codeQL to write security events
-  
+
 jobs:
   fossa:
     name: FOSSA
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v1
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b # v3.0.1
         with:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
@@ -29,17 +30,23 @@ jobs:
     name: CodeQL
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.19.x
+          go-version: 1.24.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           languages: go
+          # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # xref: https://codeql.github.com/codeql-query-help/go/
+          queries: security-and-quality
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18

.github/workflows/sync-labels.yaml

@@ -0,0 +1,28 @@
+name: sync-labels
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/labels.yaml
+
+permissions:
+  contents: read
+
+jobs:
+  labels:
+    name: Run sync
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
+        with:
+          # Configuration file
+          config-file: |
+            https://raw.githubusercontent.com/fluxcd/community/main/.github/standard-labels.yaml
+            .github/labels.yaml
+          # Strictly declarative
+          delete-other-labels: true

.gitignore

@@ -1,22 +1,26 @@
-# Binaries for programs and plugins
+# Binaries for programs and plugins.
 *.exe
 *.exe~
 *.dll
 *.so
 *.dylib
 
-# Test binary, built with `go test -c`
+# Test binary, built with `go test -c`.
 *.test
 
-# Output of the go coverage tool, specifically when used with LiteIDE
+# Output of the go coverage tool.
 *.out
 
-# Dependency directories (remove the comment below to include it)
-# vendor/
+# Build tools downloaded at runtime.
 bin/
+
+# Release manifests generated at runtime.
 config/release/
 config/crd/bases/ocirepositories.yaml
 config/crd/bases/gitrepositories.yaml
 config/crd/bases/buckets.yaml
 
 build/
+
+# CRDs for fuzzing tests.
+internal/controllers/testdata/crd

.goreleaser.yaml

@@ -4,9 +4,26 @@ builds:
   - skip: true
 
 release:
-  prerelease: "true"
   extra_files:
     - glob: config/release/*.yaml
+  prerelease: "auto"
+  header: |
+    ## Changelog
+
+    [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
+  footer: |
+    ## Container images
+    
+    - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
+    
+    Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
+    
+    The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
+    To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).
+
+changelog:
+  disable: true
 
 checksum:
   extra_files:
@@ -32,6 +49,7 @@ signs:
     certificate: "${artifact}.pem"
     args:
       - sign-blob
+      - "--yes"
       - "--output-certificate=${certificate}"
       - "--output-signature=${signature}"
       - "${artifact}"

CHANGELOG.md

@@ -2,6 +2,789 @@
 
 All notable changes to this project are documented in this file.
 
+## 1.6.1
+
+**Release date:** 2025-07-08
+
+This patch release fixes a bug introduced in v1.6.0
+that causes SOPS decryption with US Government KMS
+keys to fail with the error:
+
+```
+STS: AssumeRoleWithWebIdentity, https response error\n   StatusCode: 0, RequestID: ,
+request send failed, Post\n \"https://sts.arn.amazonaws.com/\": dial tcp:
+lookupts.arn.amazonaws.com on 10.100.0.10:53: no such host
+```
+
+Fixes:
+- Fix regression in STS endpoint for SOPS decryption with AWS KMS in US Gov partition
+  [#1478](https://github.com/fluxcd/kustomize-controller/pull/1478)
+
+## 1.6.0
+
+**Release date:** 2025-05-28
+
+This minor release comes with various bug fixes and improvements.
+
+Kustomization API now supports object-level workload identity by setting
+`.spec.decryption.serviceAccountName` to the name of a service account
+in the same namespace that has been configured with appropriate cloud
+permissions. For this feature to work, the controller feature gate
+`ObjectLevelWorkloadIdentity` must be enabled. See a complete guide
+[here](https://fluxcd.io/flux/integrations/).
+
+Kustomization API now supports the value `WaitForTermination` for the
+`.spec.deletionPolicy` field. This instructs the controller to wait for the
+deletion of all resources managed by the Kustomization before allowing the
+Kustomization itself to be deleted. See docs
+[here](https://fluxcd.io/flux/components/kustomize/kustomizations/#deletion-policy).
+
+In addition, the Kubernetes dependencies have been updated to v1.33 and
+various other controller dependencies have been updated to their latest version.
+The controller is now built with Go 1.24.
+
+Fixes:
+- Fix performance regression due to using client without cache
+  [#1436](https://github.com/fluxcd/kustomize-controller/pull/1436)
+- Fix secret value showing up in logs
+  [#1372](https://github.com/fluxcd/kustomize-controller/pull/1372)
+
+Improvements:
+- [RFC-0010] Introduce KMS provider decryption with service account
+  [#1426](https://github.com/fluxcd/kustomize-controller/pull/1426)
+  [#1449](https://github.com/fluxcd/kustomize-controller/pull/1449)
+  [#1456](https://github.com/fluxcd/kustomize-controller/pull/1456)
+- Add `WaitForTermination` option to DeletionPolicy
+  [#1444](https://github.com/fluxcd/kustomize-controller/pull/1444)
+- Skip emitting events for suspended Kustomizations
+  [#1396](https://github.com/fluxcd/kustomize-controller/pull/1396)
+- Various dependency updates
+  [#1458](https://github.com/fluxcd/kustomize-controller/pull/1458)
+  [#1448](https://github.com/fluxcd/kustomize-controller/pull/1448)
+  [#1433](https://github.com/fluxcd/kustomize-controller/pull/1433)
+  [#1435](https://github.com/fluxcd/kustomize-controller/pull/1435)
+  [#1429](https://github.com/fluxcd/kustomize-controller/pull/1429)
+  [#1414](https://github.com/fluxcd/kustomize-controller/pull/1414)
+  [#1410](https://github.com/fluxcd/kustomize-controller/pull/1410)
+  [#1401](https://github.com/fluxcd/kustomize-controller/pull/1401)
+
+## 1.5.1
+
+**Release date:** 2025-02-25
+
+This patch release fixes a bug introduced in v1.5.0
+that was causing spurious logging for deprecated API versions
+and sometimes failures on health checks.
+
+In addition, all error logs resulting from SOPS decryption
+failures have been sanitised.
+
+Fixes:
+- Fix secret value showing up in logs
+  [#1372](https://github.com/fluxcd/kustomize-controller/pull/1372)
+- Use lazy restmapper vendored from controller-runtime v0.19
+  [#1377](https://github.com/fluxcd/kustomize-controller/pull/1377)
+
+## 1.5.0
+
+**Release date:** 2025-02-18
+
+This minor release comes with various bug fixes and improvements.
+
+The controller has been updated to Kustomize **v5.6**, please see the
+`kubernetes-sigs/kustomize` [changelog](https://github.com/kubernetes-sigs/kustomize/releases)
+for more details.
+
+The Kustomization API now supports custom health checks for Custom
+Resources through Common Expression Language (CEL) expressions.
+See [docs](https://fluxcd.io/flux/components/kustomize/kustomizations/#health-check-expressions).
+
+The controller now sends an origin revision from OCI artifact
+annotations to notification-controller on events, which is
+useful for updating commit statuses on the notification
+providers that support this feature.
+See [docs](https://fluxcd.io/flux/cheatsheets/oci-artifacts/#git-commit-status-updates).
+
+It is now also possible to control whether or not kustomize-controller
+will orphan resources when a Kustomization is deleted.
+See [docs](https://fluxcd.io/flux/components/kustomize/kustomizations/#deletion-policy).
+
+In addition, the Kubernetes dependencies have been updated to v1.32.1 and
+various other controller dependencies have been updated to their latest
+version.
+
+Fixes:
+- Clarify precedence in Kustomization substituteFrom
+  [#1301](https://github.com/fluxcd/kustomize-controller/pull/1301)
+- Remove deprecated object metrics from controllers
+  [#1305](https://github.com/fluxcd/kustomize-controller/pull/1305)
+
+Improvements:
+- Enable decryption of secrets generated by Kustomize components
+  [#1283](https://github.com/fluxcd/kustomize-controller/pull/1283)
+- Added decryption of Kustomize patches and refactor SOPS tests
+  [#1286](https://github.com/fluxcd/kustomize-controller/pull/1286)
+- Allow control of finalization garbage collection
+  [#1314](https://github.com/fluxcd/kustomize-controller/pull/1314)
+- Add OCI revision to events
+  [#1338](https://github.com/fluxcd/kustomize-controller/pull/1338)
+- [RFC-0009] Add CEL custom healthchecks
+  [#1344](https://github.com/fluxcd/kustomize-controller/pull/1344)
+- Add GroupChangeLog feature gate to fix es indexing cardinality
+  [#1361](https://github.com/fluxcd/kustomize-controller/pull/1361)
+- Various dependency updates
+  [#1302](https://github.com/fluxcd/kustomize-controller/pull/1302)
+  [#1304](https://github.com/fluxcd/kustomize-controller/pull/1304)
+  [#1310](https://github.com/fluxcd/kustomize-controller/pull/1310)
+  [#1313](https://github.com/fluxcd/kustomize-controller/pull/1313)
+  [#1318](https://github.com/fluxcd/kustomize-controller/pull/1318)
+  [#1320](https://github.com/fluxcd/kustomize-controller/pull/1320)
+  [#1330](https://github.com/fluxcd/kustomize-controller/pull/1330)
+  [#1348](https://github.com/fluxcd/kustomize-controller/pull/1348)
+  [#1352](https://github.com/fluxcd/kustomize-controller/pull/1352)
+  [#1354](https://github.com/fluxcd/kustomize-controller/pull/1354)
+  [#1359](https://github.com/fluxcd/kustomize-controller/pull/1359)
+  [#1362](https://github.com/fluxcd/kustomize-controller/pull/1362)
+  [#1364](https://github.com/fluxcd/kustomize-controller/pull/1364)
+  [#1358](https://github.com/fluxcd/kustomize-controller/pull/1358)
+
+## 1.4.0
+
+**Release date:** 2024-09-27
+
+This minor release comes with various bug fixes and improvements.
+
+kustomize-controller in [sharded
+deployment](https://fluxcd.io/flux/installation/configuration/sharding/)
+configuration now supports cross-shard dependency check. This allows a
+Kustomization to depend on other Kustomizations managed by different controller
+shards.
+
+In addition, the Kubernetes dependencies have been updated to v1.31.1 and
+various other controller dependencies have been updated to their latest version.
+The controller is now built with Go 1.23.
+
+Fixes:
+- Fix incorrect use of format strings with the conditions package.
+  [#1198](https://github.com/fluxcd/kustomize-controller/pull/1198)
+
+Improvements:
+- Update Bucket API to v1
+  [#1253](https://github.com/fluxcd/kustomize-controller/pull/1253)
+- Allow cross-shard dependency check
+  [#1248](https://github.com/fluxcd/kustomize-controller/pull/1248)
+- docs: Clarify .spec.decryption.secretRef usage
+  [#1242](https://github.com/fluxcd/kustomize-controller/pull/1242)
+- Build with Go 1.23
+  [#1230](https://github.com/fluxcd/kustomize-controller/pull/1230)
+- Various dependency updates
+  [#1165](https://github.com/fluxcd/kustomize-controller/pull/1165)
+  [#1181](https://github.com/fluxcd/kustomize-controller/pull/1181)
+  [#1212](https://github.com/fluxcd/kustomize-controller/pull/1212)
+  [#1228](https://github.com/fluxcd/kustomize-controller/pull/1228)
+  [#1229](https://github.com/fluxcd/kustomize-controller/pull/1229)
+  [#1233](https://github.com/fluxcd/kustomize-controller/pull/1233)
+  [#1239](https://github.com/fluxcd/kustomize-controller/pull/1239)
+  [#1240](https://github.com/fluxcd/kustomize-controller/pull/1240)
+  [#1243](https://github.com/fluxcd/kustomize-controller/pull/1243)
+  [#1249](https://github.com/fluxcd/kustomize-controller/pull/1249)
+  [#1250](https://github.com/fluxcd/kustomize-controller/pull/1250)
+  [#1251](https://github.com/fluxcd/kustomize-controller/pull/1251)
+
+## 1.3.0
+
+**Release date:** 2024-05-06
+
+This minor release comes with new features, improvements and bug fixes.
+
+The controller has been updated to Kustomize **v5.4**, please see the
+`kubernetes-sigs/kustomize` [changelog](https://github.com/kubernetes-sigs/kustomize/releases)
+for more details.
+
+The Flux `Kustomization` API gains two optional fields `.spec.namePrefix` and `.spec.nameSuffix`
+that can be used to specify a prefix and suffix to be added to the names
+of all managed resources.
+
+The controller now supports the `--feature-gates=StrictPostBuildSubstitutions=true`
+flag, when enabled the post-build substitutions will fail if a
+variable without a default value is declared in files but is
+missing from the input vars.
+
+When using variable substitution with values that are numbers or booleans,
+it is now possible to covert the values to strings, for more details see the 
+[post-build documentation](https://github.com/fluxcd/kustomize-controller/blob/release/v1.3.x/docs/spec/v1/kustomizations.md#post-build-substitution-of-numbers-and-booleans).
+
+In addition, the controller dependencies have been updated to Kubernetes v1.30
+and controller-runtime v0.18. Various other dependencies have also been updated to
+their latest version to patch upstream CVEs.
+
+Lastly, the controller is now built with Go 1.22.
+
+Improvements:
+- Implement name prefix/suffix transformers
+  [#1134](https://github.com/fluxcd/kustomize-controller/pull/1134)
+- Add `StrictPostBuildSubstitutions` feature flag
+  [#1130](https://github.com/fluxcd/kustomize-controller/pull/1130)
+- Document how to use numbers and booleans in post build substitutions
+  [#1129](https://github.com/fluxcd/kustomize-controller/pull/1129)
+- Remove deprecated aad pod identity from API docs
+  [#1152](https://github.com/fluxcd/kustomize-controller/pull/1152)
+- api: Refer condition type constants from `fluxcd/pkg/apis`
+  [#1144](https://github.com/fluxcd/kustomize-controller/pull/1144)
+- Update dependencies to Kustomize v5.4.0
+  [#1128](https://github.com/fluxcd/kustomize-controller/pull/1128)
+- Various dependency updates
+  [#1155](https://github.com/fluxcd/kustomize-controller/pull/1155)
+  [#1121](https://github.com/fluxcd/kustomize-controller/pull/1121)
+  [#1139](https://github.com/fluxcd/kustomize-controller/pull/1139)
+  [#1122](https://github.com/fluxcd/kustomize-controller/pull/1122)
+
+Fixes:
+- Fix requeue warning introduced by controller-runtime
+  [#1090](https://github.com/fluxcd/kustomize-controller/pull/1090)
+- Remove effectless statement
+  [#1091](https://github.com/fluxcd/kustomize-controller/pull/1091)
+- Remove `genclient:Namespaced` tag
+  [#1092](https://github.com/fluxcd/kustomize-controller/pull/1092)
+
+## 1.2.2
+
+**Release date:** 2024-02-01
+
+This patch release comes with various bug fixes and improvements.
+
+Reconciling empty directories and directories without Kubernetes manifests no
+longer results in an error. This regressing bug was introduced with the
+controller upgrade to Kustomize v5.3 and has been fixed in this patch release.
+
+The regression due to which the namespaced objects without a namespace specified
+resulted in `not found` error instead of `namespace not specified` has also been
+fixed. And the regression due to which Roles and ClusterRoles were reconciled
+over and over due to the normalization of Roles and ClusterRoles has also been
+fixed.
+
+In addition, the Kubernetes dependencies have been updated to v1.28.6. Various
+other dependencies have also been updated to their latest version to patch
+upstream CVEs.
+
+Lastly, the controller is now built with Go 1.21.
+
+Improvements:
+- Update Go to 1.21
+  [#1053](https://github.com/fluxcd/kustomize-controller/pull/1053)
+- Various dependency updates
+  [#1076](https://github.com/fluxcd/kustomize-controller/pull/1076)
+  [#1074](https://github.com/fluxcd/kustomize-controller/pull/1074)
+  [#1070](https://github.com/fluxcd/kustomize-controller/pull/1070)
+  [#1068](https://github.com/fluxcd/kustomize-controller/pull/1068)
+  [#1065](https://github.com/fluxcd/kustomize-controller/pull/1065)
+  [#1060](https://github.com/fluxcd/kustomize-controller/pull/1060)
+  [#1059](https://github.com/fluxcd/kustomize-controller/pull/1059)
+  [#1051](https://github.com/fluxcd/kustomize-controller/pull/1051)
+  [#1049](https://github.com/fluxcd/kustomize-controller/pull/1049)
+  [#1046](https://github.com/fluxcd/kustomize-controller/pull/1046)
+  [#1044](https://github.com/fluxcd/kustomize-controller/pull/1044)
+  [#1040](https://github.com/fluxcd/kustomize-controller/pull/1040)
+  [#1038](https://github.com/fluxcd/kustomize-controller/pull/1038)
+
+## 1.2.1
+
+**Release date:** 2023-12-14
+
+This patch release comes with improvements in logging to provide faster feedback
+on any HTTP errors encountered while fetching source artifacts.
+
+In addition, the status condition messages are now trimmed to respect the size
+limit defined by the API.
+
+Improvements:
+- Update runtime to v0.43.3
+  [#1031](https://github.com/fluxcd/kustomize-controller/pull/1031)
+- Log HTTP errors to provide faster feedback
+  [#1028](https://github.com/fluxcd/kustomize-controller/pull/1028)
+
+## 1.2.0
+
+**Release date:** 2023-12-11
+
+This minor release comes with performance improvements, bug fixes and several new features.
+
+The controller has been updated from Kustomize v5.0 to **v5.3**, please the see
+`kubernetes-sigs/kustomize` [changelog](https://github.com/kubernetes-sigs/kustomize/releases)
+for a more details.
+
+Starting with this version, the controller will automatically perform a cleanup of
+the Pods belonging to stale Kubernetes Jobs after a force apply.
+
+A new controller flag `--override-manager` has been added to extend the Field Managers disallow list.
+Using this flag, cluster administrators can configure the controller to undo changes
+made with Lens and other UI tools that directly modify Kubernetes objects on clusters.
+
+In addition, the controller dependencies have been updated, including an update to Kubernetes v1.28.
+The container base image has been updated to Alpine 3.19.
+
+Improvements:
+- Update source-controller to v1.2.2
+  [#1024](https://github.com/fluxcd/kustomize-controller/pull/1024)
+- build: update Alpine to 3.19
+  [#1023](https://github.com/fluxcd/kustomize-controller/pull/1023)
+- Update Kustomize to v5.3.0
+  [#1021](https://github.com/fluxcd/kustomize-controller/pull/1021)
+- Support additional Field Managers in the disallow list
+  [#1017](https://github.com/fluxcd/kustomize-controller/pull/1017)
+- Add test for Namespace custom resource
+  [#1016](https://github.com/fluxcd/kustomize-controller/pull/1016)
+- Update controller to Kubernetes v1.28.4
+  [#1014](https://github.com/fluxcd/kustomize-controller/pull/1014)
+- Disable status poller cache by default
+  [#1012](https://github.com/fluxcd/kustomize-controller/pull/1012)
+- Tweak permissions on various created files
+  [#1005](https://github.com/fluxcd/kustomize-controller/pull/1005)
+- Cleanup pods when recreating Kubernetes Jobs
+  [#997](https://github.com/fluxcd/kustomize-controller/pull/997)
+- Update SOPS to v3.8.1
+  [#995](https://github.com/fluxcd/kustomize-controller/pull/995)
+
+## 1.1.1
+
+**Release date:** 2023-10-11
+
+This patch release contains an improvement to retry the reconciliation of a
+`Kustomization` as soon as the source artifact is available in storage.
+Which is particularly useful when the source-controller has just been upgraded.
+
+In addition, the controller can now detect immutable field errors returned by the
+Google Cloud k8s-config-connector admission controller and recreate the GCP custom
+resources annotated with `kustomize.toolkit.fluxcd.io/force: Enabled`.
+
+Improvements:
+- Update `fluxcd/pkg` dependencies
+  [#983](https://github.com/fluxcd/kustomize-controller/pull/983)
+- Bump `github.com/cyphar/filepath-securejoi`n from 0.2.3 to 0.2.4
+  [#962](https://github.com/fluxcd/kustomize-controller/pull/962)
+
+Fixes:
+- fix: Retry when artifacts are available in storage
+  [#980](https://github.com/fluxcd/kustomize-controller/pull/980)
+- fix: Consistent artifact fetching retry timing
+  [#978](https://github.com/fluxcd/kustomize-controller/pull/978)
+
+## 1.1.0
+
+**Release date:** 2023-08-23
+
+This minor release comes with performance improvements, bug fixes and several new features.
+
+The apply behaviour has been extended with two policies `IfNotPresent` and `Ignore`.
+To change the apply behaviour for specific Kubernetes resources, you can annotate them with:
+
+| Annotation                          | Default    | Values                                                         | Role            |
+|-------------------------------------|------------|----------------------------------------------------------------|-----------------|
+| `kustomize.toolkit.fluxcd.io/ssa`   | `Override` | - `Override`<br/>- `Merge`<br/>- `IfNotPresent`<br/>- `Ignore` | Apply policy    |
+| `kustomize.toolkit.fluxcd.io/force` | `Disabled` | - `Enabled`<br/>- `Disabled`                                   | Recreate policy |
+| `kustomize.toolkit.fluxcd.io/prune` | `Enabled`  | - `Enabled`<br/>- `Disabled`                                   | Delete policy   |
+
+The `IfNotPresent` policy instructs the controller to only apply the Kubernetes resources if they are not present on the cluster.
+This policy can be used for Kubernetes `Secrets` and `ValidatingWebhookConfigurations` managed by cert-manager,
+where Flux creates the resources with fields that are later on mutated by other controllers.
+
+This version improves the health checking with fail-fast behaviour
+by detecting stalled Kubernetes rollouts.
+
+In addition, the controller now stops exporting an object's
+metrics as soon as the object has been deleted.
+
+Lastly, this release introduces two controller flags:
+
+- The `--concurrent-ssa` flag sets the number of concurrent server-side apply operations
+  performed by the controller. Defaults to 4 concurrent operations per reconciliation.
+- The `--interval-jitter-percentage` flag makes the
+  controller distribute the load more evenly when multiple objects are set up
+  with the same interval. The default of this flag is set to `5`, which means
+  that the interval will be jittered by a +/- 5% random value (e.g. if the
+  interval is 10 minutes, the actual reconciliation interval will be between 9.5
+  and 10.5 minutes).
+
+Improvements:
+- Add `--concurrent-ssa` flag
+  [#948](https://github.com/fluxcd/kustomize-controller/pull/948)
+- Add `IfNotPresent` and `Ignore` SSA policies
+  [#943](https://github.com/fluxcd/kustomize-controller/pull/943)
+- controller: jitter requeue interval
+  [#940](https://github.com/fluxcd/kustomize-controller/pull/940)
+- Enable fail-fast behavior for health checks
+  [#933](https://github.com/fluxcd/kustomize-controller/pull/933)
+- Bump `fluxcd/pkg/ssa` to improve immutable error detection
+  [#932](https://github.com/fluxcd/kustomize-controller/pull/932)
+- Update dependencies
+  [#939](https://github.com/fluxcd/kustomize-controller/pull/939)
+- Update Source API to v1.1.0
+  [#952](https://github.com/fluxcd/kustomize-controller/pull/952)
+
+Fixes:
+- Handle delete before adding finalizer
+  [#930](https://github.com/fluxcd/kustomize-controller/pull/930)
+- Delete stale metrics on object delete
+  [#944](https://github.com/fluxcd/kustomize-controller/pull/944)
+
+## 1.0.1
+
+**Release date:** 2023-07-10
+
+This is a patch release that fixes spurious events emitted for skipped resources.
+
+Fixes:
+- Exclude skipped resources from apply events
+  [#920](https://github.com/fluxcd/kustomize-controller/pull/920)
+
+## 1.0.0
+
+**Release date:** 2023-07-04
+
+This is the first stable release of the controller. From now on, this controller
+follows the [Flux 2 release cadence and support pledge](https://fluxcd.io/flux/releases/).
+
+Starting with this version, the build, release and provenance portions of the
+Flux project supply chain [provisionally meet SLSA Build Level 3](https://fluxcd.io/flux/security/slsa-assessment/).
+
+This release includes several bug fixes. In addition, dependencies have been updated
+to their latest version, including an update of Kubernetes to v1.27.3.
+
+For a comprehensive list of changes since `v0.35.x`, please refer to the
+changelog for [v1.0.0-rc.1](#100-rc1), [v1.0.0-rc.2](#100-rc2),
+[v1.0.0-rc.3](#100-rc3) and [`v1.0.0-rc.4](#100-rc4).
+
+Improvements:
+- Update dependencies
+  [#908](https://github.com/fluxcd/kustomize-controller/pull/908)
+- Align `go.mod` version with Kubernetes (Go 1.20)
+  [#900](https://github.com/fluxcd/kustomize-controller/pull/900)
+
+Fixes:
+- Use kustomization namespace for empty dependency source namespace
+  [#897](https://github.com/fluxcd/kustomize-controller/pull/897)
+- docs: Clarify that targetNamespace namespace can be part of resources
+  [#896](https://github.com/fluxcd/kustomize-controller/pull/896)
+
+## 1.0.0-rc.4
+
+**Release date:** 2023-05-29
+
+This release candidate comes with support for Kustomize v5.0.3.
+
+⚠️ Note that Kustomize v5 contains breaking changes, please consult their
+[changelog](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.0.0)
+for more details.
+
+In addition, the controller dependencies have been updated to
+Kubernetes v1.27.2 and controller-runtime v0.15.0.
+
+Improvements:
+- Update Kubernetes to v1.27 and Kustomize to v5
+  [#850](https://github.com/fluxcd/kustomize-controller/pull/850)
+- Update controller-runtime to v0.15.0
+  [#869](https://github.com/fluxcd/kustomize-controller/pull/869)
+- Update CA certificates
+  [#872](https://github.com/fluxcd/kustomize-controller/pull/872)
+- Update source-controller to v1.0.0-rc.4
+  [#873](https://github.com/fluxcd/kustomize-controller/pull/873)
+
+## 1.0.0-rc.3
+
+**Release date:** 2023-05-12
+
+This release candidate comes with improved error reporting for when
+the controller fails to fetch an artifact due to a checksum mismatch.
+
+In addition, the controller dependencies have been updated to patch
+CVE-2023-1732 and the base image has been updated to Alpine 3.18.
+
+Improvements:
+- Update Alpine to 3.18
+  [#855](https://github.com/fluxcd/kustomize-controller/pull/855)
+- Update dependencies
+  [#862](https://github.com/fluxcd/kustomize-controller/pull/862)
+- build(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3
+  [#860](https://github.com/fluxcd/kustomize-controller/pull/860)
+- docs: Clarify the Kustomize components relative paths requirement
+  [#861](https://github.com/fluxcd/kustomize-controller/pull/861)
+
+## 1.0.0-rc.2
+
+**Release date:** 2023-05-09
+
+This release candidate fixes secrets decryption when using Azure Key Vault.
+
+In addition, the controller dependencies have been updated to their latest
+versions.
+
+Improvements:
+- Fix SOPS azkv envCred
+  [#838](https://github.com/fluxcd/kustomize-controller/pull/838)
+- Update dependencies
+  [#853](https://github.com/fluxcd/kustomize-controller/pull/853)
+
+## 1.0.0-rc.1
+
+**Release date:** 2023-04-03
+
+This release candidate promotes the `Kustomization` API from `v1beta2` to `v1`.
+The controller now supports horizontal scaling using
+sharding based on a label selector.
+
+In addition, the controller now supports Workload Identity when
+decrypting secrets with SOPS and Azure Vault.
+
+### Highlights
+
+This release candidate requires the `GitRepository` API version `v1`,
+first shipped with [source-controller](https://github.com/fluxcd/source-controller)
+v1.0.0-rc.1.
+
+#### API changes
+
+The `Kustomization` kind was promoted from v1beta2 to v1 (GA) and deprecated fields were removed.
+
+A new optional field called `CommonMetadata` was added to the API
+for setting labels and/or annotations to all resources part of a Kustomization.
+The main difference to the Kustomize
+[commonLabels](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonlabels/) and
+[commonAnnotations](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonannotations/),
+is that the controller sets the labels and annotations only to the top level `metadata` field,
+without patching the Kubernetes Deployment `spec.template` or the Service `spec.selector`.
+
+The `kustomizations.kustomize.toolkit.fluxcd.io` CRD contains the following versions:
+- v1 (storage version)
+- v1beta2 (deprecated)
+- v1beta1 (deprecated)
+
+#### Upgrade procedure
+
+The `Kustomization` v1 API is backwards compatible with v1beta2, except for the following:
+- the deprecated field `.spec.validation` was removed
+- the deprecated field `.spec.patchesStrategicMerge` was removed (replaced by `.spec.patches`)
+- the deprecated field `.spec.patchesJson6902 ` was removed (replaced by `.spec.patches`)
+
+To upgrade from v1beta2, after deploying the new CRD and controller,
+set  `apiVersion: kustomize.toolkit.fluxcd.io/v1` in the YAML files that contain
+`Kustomization` definitions and remove the deprecated fields if any.
+Bumping the API version in manifests can be done gradually.
+It is advised to not delay this procedure as the beta versions will be removed after 6 months.
+
+#### Sharding
+
+Starting with this release, the controller can be configured with
+`--watch-label-selector`, after which only objects with this label will
+be reconciled by the controller.
+
+This allows for horizontal scaling, where kustomize-controller
+can be deployed multiple times with a unique label selector
+which is used as the sharding key.
+
+### Full changelog
+
+Improvements:
+- GA: Promote Kustomization API to `kustomize.toolkit.fluxcd.io/v1`
+  [#822](https://github.com/fluxcd/kustomize-controller/pull/822)
+- Add common labels and annotations patching capabilities
+  [#817](https://github.com/fluxcd/kustomize-controller/pull/817)
+- Add reconciler sharding capability based on label selector
+  [#821](https://github.com/fluxcd/kustomize-controller/pull/821)
+- Support Workload Identity for Azure Vault
+  [#813](https://github.com/fluxcd/kustomize-controller/pull/813)
+- Verify Digest of Artifact
+  [#818](https://github.com/fluxcd/kustomize-controller/pull/818)
+- Move `controllers` to `internal/controllers`
+  [#820](https://github.com/fluxcd/kustomize-controller/pull/820)
+- build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5
+  [#824](https://github.com/fluxcd/kustomize-controller/pull/824)
+
+## 0.35.1
+
+**Release date:** 2023-03-20
+
+This prerelease comes with a fix to error reporting.
+The controller will now reveal validation errors when force applying
+resources with immutable field changes.
+
+In addition, the controller dependencies have been updated to their latest
+versions.
+
+Improvements:
+- Update dependencies
+  [#814](https://github.com/fluxcd/kustomize-controller/pull/814)
+
+## 0.35.0
+
+**Release date:** 2023-03-08
+
+This prerelease adds support for disabling the cache of the `kstatus` status
+poller, which is used to determine the health of the resources applied by the
+controller. To disable the cache, configure the Deployment of the controller
+with `--feature-gates=DisableStatusPollerCache=true`.
+
+This may have a positive impact on memory usage on large clusters with many
+objects, at the cost of an increased number of API calls.
+
+In addition, `klog` has been configured to log using the same logger as the
+rest of the controller (providing a consistent log format).
+
+Lastly, the controller is now built using Go `1.20`, and the dependencies have
+been updated to their latest versions.
+
+Improvements:
+- api: update description LastAppliedRevision
+  [#798](https://github.com/fluxcd/kustomize-controller/pull/798)
+- Update Go to 1.20
+  [#806](https://github.com/fluxcd/kustomize-controller/pull/806)
+- Update dependencies
+  [#807](https://github.com/fluxcd/kustomize-controller/pull/807)
+  [#811](https://github.com/fluxcd/kustomize-controller/pull/811)
+- Use `logger.SetLogger` to also configure `klog`
+  [#809](https://github.com/fluxcd/kustomize-controller/pull/809)
+
+## 0.34.0
+
+**Release date:** 2023-02-17
+
+This prerelease adds support for parsing the
+[RFC-0005](https://github.com/fluxcd/flux2/tree/main/rfcs/0005-artifact-revision-and-digest)
+revision format produced by source-controller `>=v0.35.0`.
+
+In addition, the controller dependencies have been updated to their latest
+versions.
+
+Improvements:
+- Support RFC-0005 revision format
+  [#793](https://github.com/fluxcd/kustomize-controller/pull/793)
+- Update dependencies
+  [#796](https://github.com/fluxcd/kustomize-controller/pull/796)
+
+## 0.33.0
+
+**Release date:** 2023-02-01
+
+This prerelease comes with support for recreating immutable resources (e.g. Kubernetes Jobs)
+by annotating or labeling them with `kustomize.toolkit.fluxcd.io/force: enabled`.
+
+The caching of Secret and ConfigMap resources has been disabled to improve memory usage.
+To opt-out from this behavior, start the controller with: `--feature-gates=CacheSecretsAndConfigMaps=true`.
+
+In addition, the controller dependencies have been updated to
+Kubernetes v1.26.1 and controller-runtime v0.14.2. The controller base image has 
+been updated to Alpine 3.17 (which contains CVE fixes for OS packages).
+
+Improvements:
+- Allow force apply to be configured in metadata
+  [#787](https://github.com/fluxcd/kustomize-controller/pull/787)
+- Disable caching of Secrets and ConfigMaps
+  [#789](https://github.com/fluxcd/kustomize-controller/pull/789)
+- build: Enable SBOM and SLSA Provenance
+  [#787](https://github.com/fluxcd/kustomize-controller/pull/788)
+- build: Update Alpine to 3.17
+  [#786](https://github.com/fluxcd/kustomize-controller/pull/786)
+- build: pdate source-controller/api to v0.34.0
+  [#790](https://github.com/fluxcd/kustomize-controller/pull/790)
+- build: Download CRD deps only when necessary
+  [#783](https://github.com/fluxcd/kustomize-controller/pull/783)
+- test: Enable kstatus checks
+  [#784](https://github.com/fluxcd/kustomize-controller/pull/784)
+
+## 0.32.0
+
+**Release date:** 2022-12-20
+
+This prerelease comes with experimental support for
+[Kustomize components](https://github.com/fluxcd/kustomize-controller/blob/v0.32.0/docs/spec/v1beta2/kustomization.md#components).
+
+In addition, the AWS and Google Cloud KMS dependencies have been updated
+to match the latest stable release from upstream.
+
+Improvements:
+- Add support for Kustomize components
+  [#754](https://github.com/fluxcd/kustomize-controller/pull/754)
+- Update dependencies
+  [#780](https://github.com/fluxcd/kustomize-controller/pull/780)
+- Document the behaviour of atomic fields with server-side apply
+  [#774](https://github.com/fluxcd/kustomize-controller/pull/774)
+- fuzz: Use build script from upstream and fix fuzzers
+  [#777](https://github.com/fluxcd/kustomize-controller/pull/777)
+- build: Fix cifuzz tests and improve fuzz tests' reliability
+  [#771](https://github.com/fluxcd/kustomize-controller/pull/771)
+- build: update dockertest to Go Mod compatible v3
+  [#776](https://github.com/fluxcd/kustomize-controller/pull/776)
+
+## 0.31.0
+
+**Release date:** 2022-11-18
+
+This prerelease comes with improvements to the manifests
+generation component. The Kustomize overlay build logic has been
+factored out into `github.com/fluxcd/pkg/kustomize` so that both
+the controller and the Flux CLI (`flux buid kustomization`)
+share the same code base.
+
+In addition, the controller dependencies have been updated to
+Kubernetes v1.25.4 and controller-runtime v0.13.1.
+The Azure Vault SDK used for secrets decryption has been updated
+to match the latest stable release from upstream.
+
+Improvements:
+- Refactor: Generate manifests with `flux/pkg/kustomize`
+  [#763](https://github.com/fluxcd/kustomize-controller/pull/763)
+- Update `keyvault/azkeys` Azure SDK to v0.9.0
+  [#759](https://github.com/fluxcd/kustomize-controller/pull/759)
+- Update Source API to v0.32.1
+  [#768](https://github.com/fluxcd/kustomize-controller/pull/768)
+- Update dependencies
+  [#767](https://github.com/fluxcd/kustomize-controller/pull/767)
+- Use Flux Event API v1beta1
+  [#758](https://github.com/fluxcd/kustomize-controller/pull/758)
+- build: Bump gpg to alpine's edge
+  [#760](https://github.com/fluxcd/kustomize-controller/pull/760)
+- build: Remove nsswitch.conf creation
+  [#765](https://github.com/fluxcd/kustomize-controller/pull/765)
+
+Fixes:
+- Don't override the reconcile error on status patching
+  [#761](https://github.com/fluxcd/kustomize-controller/pull/761)
+
+## 0.30.0
+
+**Release date:** 2022-10-21
+
+This prerelease comes with new status condition named `Reconciling` which improves
+the observability for the actions performed by the controller during a reconciliation run.
+The `Kustomization.status.conditions` have been aligned with Kubernetes
+standard conditions and kstatus.
+
+In addition, the controller memory usage was reduced by 90% when performing artifact
+operations and can now better handle the reconciliation of large sources in-parallel.
+
+Improvements:
+- Optimise the memory usage of artifact operations
+  [#747](https://github.com/fluxcd/kustomize-controller/pull/747)
+- Refactor: Adopt Flux runtime conditions and status standards
+  [#745](https://github.com/fluxcd/kustomize-controller/pull/745)
+- Refactor: Remove docs which overlap with Flux website
+  [#746](https://github.com/fluxcd/kustomize-controller/pull/746)
+- Refactor: Move inventory helpers to internal package
+  [#744](https://github.com/fluxcd/kustomize-controller/pull/744)
+- Refactor: Acquire artifacts with `fluxcd/pkg/http/fetch`
+  [#743](https://github.com/fluxcd/kustomize-controller/pull/743)
+- Refactor: Use impersonation from `fluxcd/pkg/runtime/client`
+  [#742](https://github.com/fluxcd/kustomize-controller/pull/742)
+- Refactor: Extract generator to internal package
+  [#740](https://github.com/fluxcd/kustomize-controller/pull/740)
+- Refactor: Extract decrytor to internal package
+  [#739](https://github.com/fluxcd/kustomize-controller/pull/739)
+- Support alternative kustomization file names
+  [#738](https://github.com/fluxcd/kustomize-controller/pull/738)
+- API: allow configuration of `h` unit for timeouts
+  [#749](https://github.com/fluxcd/kustomize-controller/pull/749)
+- Update dependencies
+  [#750](https://github.com/fluxcd/kustomize-controller/pull/750)
+
 ## 0.29.0
 
 **Release date:** 2022-09-29

DEVELOPMENT.md

@@ -13,19 +13,10 @@ There are a number of dependencies required to be able to run the controller and
 - [Install Docker](https://docs.docker.com/engine/install/)
 - (Optional) [Install Kubebuilder](https://book.kubebuilder.io/quick-start.html#installation)
 
-In addition to the above, the following dependencies are also used by some of the `make` targets:
-
-- `controller-gen` (v0.7.0)
-- `gen-crd-api-reference-docs` (v0.3.0)
-- `setup-envtest` (latest)
-- `sops` (v3.7.2)
-
-If any of the above dependencies are not present on your system, the first invocation of a `make` target that requires them will install them.
-
 ## How to run the test suite
 
 Prerequisites:
-* Go >= 1.18
+* Go >= 1.24
 
 You can run the test suite by simply doing
 

Dockerfile

@@ -1,9 +1,9 @@
-ARG GO_VERSION=1.19
-ARG XX_VERSION=1.1.0
+ARG GO_VERSION=1.24
+ARG XX_VERSION=1.6.1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
 
 # Copy the build utilities.
 COPY --from=xx / /
@@ -24,23 +24,21 @@ RUN go mod download
 
 # copy source code
 COPY main.go main.go
-COPY controllers/ controllers/
 COPY internal/ internal/
 
 # build
 ENV CGO_ENABLED=0
 RUN xx-go build -trimpath -a -o kustomize-controller main.go
 
-FROM alpine:3.16
+FROM alpine:3.21
 
-RUN apk add --no-cache ca-certificates tini git openssh-client gnupg
+ARG TARGETPLATFORM
+
+RUN apk --no-cache add ca-certificates tini git openssh-client gnupg \
+  && update-ca-certificates
 
 COPY --from=builder /workspace/kustomize-controller /usr/local/bin/
 
-# Create minimal nsswitch.conf file to prioritize the usage of /etc/hosts over DNS queries.
-# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
-
 USER 65534:65534
 
 ENV GNUPGHOME=/tmp

Makefile

@@ -5,7 +5,7 @@ CRD_OPTIONS ?= crd:crdVersions=v1
 SOURCE_VER ?= $(shell go list -m all | grep github.com/fluxcd/source-controller/api | awk '{print $$2}')
 
 # Use the same version of SOPS already referenced on go.mod
-SOPS_VER := $(shell go list -m all | grep go.mozilla.org/sops | awk '{print $$2}')
+SOPS_VER := $(shell go list -m all | grep github.com/getsops/sops | awk '{print $$2}')
 
 # Repository root based on Git metadata
 REPOSITORY_ROOT := $(shell git rev-parse --show-toplevel)
@@ -34,6 +34,19 @@ BUILD_PLATFORMS ?= linux/amd64
 # Architecture to use envtest with
 ENVTEST_ARCH ?= amd64
 
+# Paths to download the CRD dependencies at.
+GITREPO_CRD ?= config/crd/bases/gitrepositories.yaml
+BUCKET_CRD ?= config/crd/bases/buckets.yaml
+OCIREPO_CRD ?= config/crd/bases/ocirepositories.yaml
+
+# Keep a record of the version of the downloaded source CRDs. It is used to
+# detect and download new CRDs when the SOURCE_VER changes.
+SOURCE_CRD_VER=$(BUILD_DIR)/.src-crd-$(SOURCE_VER)
+
+# API (doc) generation utilities
+CONTROLLER_GEN_VERSION ?= v0.16.1
+GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113
+
 all: manager
 
 # Download the envtest binaries to testbin
@@ -45,7 +58,7 @@ install-envtest: setup-envtest
 
 SOPS = $(GOBIN)/sops
 $(SOPS): ## Download latest sops binary if none is found.
-	$(call go-install-tool,$(SOPS),go.mozilla.org/sops/v3/cmd/sops@$(SOPS_VER))
+	$(call go-install-tool,$(SOPS),github.com/getsops/sops/v3/cmd/sops@$(SOPS_VER))
 
 # Run controller tests
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
@@ -60,11 +73,29 @@ manager: generate fmt vet
 run: generate fmt vet manifests
 	go run ./main.go --metrics-addr=:8089
 
+# Delete previously downloaded CRDs and record the new version of the source
+# CRDs.
+$(SOURCE_CRD_VER):
+	rm -f $(BUILD_DIR)/.src-crd*
+	$(MAKE) cleanup-crd-deps
+	if ! test -d "$(BUILD_DIR)"; then mkdir -p $(BUILD_DIR); fi
+	touch $(SOURCE_CRD_VER)
+
+$(GITREPO_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml -o $(GITREPO_CRD)
+
+$(BUCKET_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml -o $(BUCKET_CRD)
+
+$(OCIREPO_CRD):
+	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml -o $(OCIREPO_CRD)
+
 # Download the CRDs the controller depends on
-download-crd-deps:
-	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml > config/crd/bases/gitrepositories.yaml
-	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml > config/crd/bases/buckets.yaml
-	curl -s https://raw.githubusercontent.com/fluxcd/source-controller/${SOURCE_VER}/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml > config/crd/bases/ocirepositories.yaml
+download-crd-deps: $(SOURCE_CRD_VER) $(GITREPO_CRD) $(BUCKET_CRD) $(OCIREPO_CRD)
+
+# Delete the downloaded CRD dependencies.
+cleanup-crd-deps:
+	rm -f $(GITREPO_CRD) $(BUCKET_CRD) $(OCIREPO_CRD)
 
 # Install CRDs into a cluster
 install: manifests
@@ -100,12 +131,12 @@ manifests: controller-gen
 
 # Generate API reference documentation
 api-docs: gen-crd-api-reference-docs
-	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/kustomize.md
+	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1/kustomize.md
 
 # Run go mod tidy
 tidy:
-	cd api; rm -f go.sum; go mod tidy -compat=1.19
-	rm -f go.sum; go mod tidy -compat=1.19
+	cd api; rm -f go.sum; go mod tidy -compat=1.24
+	rm -f go.sum; go mod tidy -compat=1.24
 
 # Run go fmt against code
 fmt:
@@ -140,13 +171,13 @@ docker-deploy:
 CONTROLLER_GEN = $(GOBIN)/controller-gen
 .PHONY: controller-gen
 controller-gen: ## Download controller-gen locally if necessary.
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0)
+	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION))
 
 # Find or download gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS = $(GOBIN)/gen-crd-api-reference-docs
 .PHONY: gen-crd-api-reference-docs
-gen-crd-api-reference-docs:
-	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@v0.3.0)
+gen-crd-api-reference-docs: ## Download gen-crd-api-reference-docs locally if necessary
+	$(call go-install-tool,$(GEN_CRD_API_REFERENCE_DOCS),github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_API_REF_DOCS_VERSION))
 
 ENVTEST = $(GOBIN)/setup-envtest
 .PHONY: envtest

PROJECT

@@ -1,6 +1,9 @@
 domain: toolkit.fluxcd.io
 repo: github.com/fluxcd/kustomize-controller
 resources:
+- group: kustomize
+  kind: Kustomization
+  version: v1
 - group: kustomize
   kind: Kustomization
   version: v1beta2

README.md

@@ -6,328 +6,50 @@
 [![license](https://img.shields.io/github/license/fluxcd/kustomize-controller.svg)](https://github.com/fluxcd/kustomize-controller/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/kustomize-controller/all.svg)](https://github.com/fluxcd/kustomize-controller/releases)
 
-The kustomize-controller is a Kubernetes operator, specialized in running 
-continuous delivery pipelines for infrastructure and workloads
+The kustomize-controller is a [Flux](https://github.com/fluxcd/flux2) component,
+specialized in running continuous delivery pipelines for infrastructure and workloads
 defined with Kubernetes manifests and assembled with Kustomize.
 
+The cluster desired state is described through a Kubernetes Custom Resource named `Kustomization`.
+Based on the creation, mutation or removal of a `Kustomization` resource in the cluster,
+the controller performs actions to reconcile the cluster current state with the desired state.
+
 ![overview](docs/diagrams/kustomize-controller-overview.png)
 
-Features:
+## Features
+
 * watches for `Kustomization` objects
 * fetches artifacts produced by [source-controller](https://github.com/fluxcd/source-controller) from `Source` objects 
 * watches `Source` objects for revision changes 
 * generates the `kustomization.yaml` file if needed
-* generates Kubernetes manifests with kustomize build
-* decrypts Kubernetes secrets with Mozilla SOPS
-* validates the build output with server-side apply dry-run
-* applies the generated manifests on the cluster
+* generates Kubernetes manifests with Kustomize SDK
+* decrypts Kubernetes secrets with Mozilla SOPS and KMS
+* validates the generated manifests with Kubernetes server-side apply dry-run
+- detects drift between the desired and state and cluster state
+- corrects drift by patching objects with Kubernetes server-side apply
 * prunes the Kubernetes objects removed from source
 * checks the health of the deployed workloads
 * runs `Kustomizations` in a specific order, taking into account the depends-on relationship 
 * notifies whenever a `Kustomization` status changes
 
-Specifications:
-* [API](docs/spec/v1beta2/README.md)
+## Specifications
+
+* [API](docs/spec/v1/README.md)
 * [Controller](docs/spec/README.md)
 
-## Usage
+## Guides
 
-The kustomize-controller is part of a composable [GitOps toolkit](https://fluxcd.io/flux/components/)
-and depends on [source-controller](https://github.com/fluxcd/source-controller)
-to acquire the Kubernetes manifests from Git repositories and S3 compatible storage buckets.
+* [Get started with Flux](https://fluxcd.io/flux/get-started/)
+* [Setup Notifications](https://fluxcd.io/flux/guides/notifications/)
+* [Manage Kubernetes secrets with Flux and SOPS](https://fluxcd.io/flux/guides/mozilla-sops/)
+* [How to build, publish and consume OCI Artifacts with Flux](https://fluxcd.io/flux/cheatsheets/oci-artifacts/)
+* [Flux and Kustomize FAQ](https://fluxcd.io/flux/faq/#kustomize-questions)
 
-### Install the toolkit controllers
+## Roadmap
 
-Download the flux CLI:
+The roadmap for the Flux family of projects can be found at <https://fluxcd.io/roadmap/>.
 
-```bash
-curl -s https://fluxcd.io/install.sh | sudo bash
-```
+## Contributing
 
-Install the toolkit controllers in the `flux-system` namespace:
-
-```bash
-flux install
-```
-
-### Define a Git repository source
-
-Create a source object that points to a Git repository containing Kubernetes and Kustomize manifests:
-
-```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: podinfo
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://github.com/stefanprodan/podinfo
-  ref:
-    branch: master
-```
-
-For private repositories, SSH or token based authentication can be
-[configured with Kubernetes secrets](https://github.com/fluxcd/source-controller/blob/master/docs/spec/v1beta1/gitrepositories.md).
-
-Save the above file and apply it on the cluster.
-You can wait for the source controller to assemble an artifact from the head of the repo master branch with:
-
-```bash
-kubectl -n flux-system wait gitrepository/podinfo --for=condition=ready
-```
-
-The source controller will check for new commits in the master branch every minute. You can force a git sync with:
-
-```bash
-kubectl -n flux-system annotate --overwrite gitrepository/podinfo reconcile.fluxcd.io/requestedAt="$(date +%s)"
-```
-
-### Define a kustomization
-
-Create a kustomization object that uses the git repository defined above:
-
-```yaml
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: podinfo-dev
-  namespace: flux-system
-spec:
-  interval: 5m
-  path: "./deploy/overlays/dev/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: podinfo
-  healthChecks:
-    - kind: Deployment
-      name: frontend
-      namespace: dev
-    - kind: Deployment
-      name: backend
-      namespace: dev
-  timeout: 80s
-```
-
-> **Note** that if your repository contains only plain Kubernetes manifests, the controller will
-> [automatically generate](docs/spec/v1beta1/kustomization.md#generate-kustomizationyaml)
-> a kustomization.yaml file inside the specified path.
-
-A detailed explanation of the Kustomization object and its fields
-can be found in the [specification doc](docs/spec/v1beta1/README.md). 
-
-Based on the above definition, the kustomize-controller fetches the Git repository content from source-controller,
-generates Kubernetes manifests by running kustomize build inside `./deploy/overlays/dev/`,
-and validates them with a dry-run apply. If the manifests pass validation, the controller will apply them 
-on the cluster and starts the health assessment of the deployed workload. If the health checks are passing, the
-Kustomization object status transitions to a ready state.
-
-![workflow](docs/diagrams/kustomize-controller-flow.png)
-
-You can wait for the kustomize controller to complete the deployment with:
-
-```bash
-kubectl -n flux-system wait kustomization/podinfo-dev --for=condition=ready
-```
-
-When the controller finishes the reconciliation, it will log the applied objects:
-
-```bash
-kubectl -n flux-system logs deploy/kustomize-controller | jq .
-```
-
-```json
-{
-  "level": "info",
-  "ts": "2020-09-17T07:27:11.921Z",
-  "logger": "controllers.Kustomization",
-  "msg": "Kustomization applied in 1.436096591s",
-  "kustomization": "flux-system/podinfo-dev",
-  "output": {
-    "namespace/dev": "created",
-    "service/dev/frontend": "created",
-    "deployment/dev/frontend": "created",
-    "horizontalpodautoscaler/dev/frontend": "created",
-    "service/dev/backend": "created",
-    "deployment/dev/backend": "created",
-    "horizontalpodautoscaler/dev/backend": "created"
-  }
-}
-```
-
-You can trigger a kustomization reconciliation any time with:
-
-```bash
-kubectl -n flux-system annotate --overwrite kustomization/podinfo-dev \
-fluxcd.io/reconcileAt="$(date +%s)"
-```
-
-When the source controller pulls a new Git revision, the kustomize controller will detect that the
-source revision changed, and will reconcile those changes right away.
-
-If the kustomization reconciliation fails, the controller sets the ready condition to `false` and logs the error:
-
-```yaml
-status:
-  conditions:
-  - lastTransitionTime: "2020-09-17T07:27:58Z"
-    message: 'namespaces dev not found'
-    reason: ReconciliationFailed
-    status: "False"
-    type: Ready
-``` 
-
-```json
-{
-  "kustomization": "flux-system/podinfo-dev",
-  "error": "Error when creating 'Service/dev/frontend': namespaces dev not found"
-}
-```
-
-### Control the execution order
-
-When running a kustomization, you may need to make sure other kustomizations have been 
-successfully applied beforehand. A kustomization can specify a list of dependencies with `spec.dependsOn`.
-When combined with health assessment, a kustomization will run after all its dependencies health checks are passing.
-
-For example, a service mesh proxy injector should be running before deploying applications inside the mesh:
-
-```yaml
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: istio
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: "./istio/system/"
-  sourceRef:
-    kind: GitRepository
-    name: istio
-  healthChecks:
-    - kind: Deployment
-      name: istiod
-      namespace: istio-system
-  timeout: 2m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: podinfo-dev
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: istio
-  interval: 5m
-  path: "./deploy/overlays/dev/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: podinfo
-```
-
-### Deploy releases to production
-
-For production deployments, instead of synchronizing with a branch you can use a semver range to target stable releases:
-
-```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: podinfo-releases
-  namespace: flux-system
-spec:
-  interval: 5m
-  url: https://github.com/stefanprodan/podinfo
-  ref:
-    semver: ">=4.0.0 <5.0.0"
-```
-
-With `ref.semver` we configure source controller to pull the Git tags and create an artifact from the most recent tag
-that matches the semver range.
-
-Create a production kustomization and reference the git source that follows the latest semver release:
-
-```yaml
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: podinfo-production
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: "./deploy/overlays/production/"
-  sourceRef:
-    kind: GitRepository
-    name: podinfo-releases
-```
-
-Based on the above definition, the kustomize controller will apply the kustomization that matches the semver range
-set in the Git repository.
-
-### Configure alerting
-
-The kustomize controller emits Kubernetes events whenever a kustomization status changes.
-
-You can use the [notification-controller](https://github.com/fluxcd/notification-controller) to forward these events
-to Slack, Microsoft Teams, Discord or Rocket chart.
-
-Create a notification provider for Slack:
-
-```yaml
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
-kind: Provider
-metadata:
-  name: slack
-  namespace: flux-system
-spec:
-  type: slack
-  channel: alerts
-  secretRef:
-    name: slack-url
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: slack-url
-  namespace: flux-system
-data:
-  address: <encoded-url>
-```
-
-Create an alert for a list of GitRepositories and Kustomizations:
-
-```yaml
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
-kind: Alert
-metadata:
-  name: on-call
-  namespace: flux-system
-spec:
-  providerRef: 
-    name: slack
-  eventSeverity: info
-  eventSources:
-    - kind: GitRepository
-      name: podinfo-releases
-    - kind: Kustomization
-      name: podinfo-production
-```
-
-Multiple alerts can be used to send notifications to different channels or Slack organizations.
-
-The event severity can be set to `info` or `error`.
-When the severity is set to `error`, the controller will alert on any error encountered during the
-reconciliation process. This includes kustomize build and validation errors, apply errors and
-health check failures.
-
-![error alert](docs/diagrams/slack-error-alert.png)
-
-When the verbosity is set to `info`, the controller will alert if:
-* a Kubernetes object was created, updated or deleted
-* heath checks are passing
-* a dependency is delaying the execution
-* an error occurs
-
-![info alert](docs/diagrams/slack-info-alert.png)
+This project is Apache 2.0 licensed and accepts contributions via GitHub pull requests.
+To start contributing please see the [development guide](DEVELOPMENT.md).

api/go.mod

@@ -1,34 +1,36 @@
 module github.com/fluxcd/kustomize-controller/api
 
-go 1.18
+go 1.24.0
 
 require (
-	github.com/fluxcd/pkg/apis/kustomize v0.6.0
-	github.com/fluxcd/pkg/apis/meta v0.16.0
-	k8s.io/apiextensions-apiserver v0.25.2
-	k8s.io/apimachinery v0.25.2
-	sigs.k8s.io/controller-runtime v0.13.0
+	github.com/fluxcd/pkg/apis/kustomize v1.11.0
+	github.com/fluxcd/pkg/apis/meta v1.18.0
+	k8s.io/apiextensions-apiserver v0.33.2
+	k8s.io/apimachinery v0.33.2
+	sigs.k8s.io/controller-runtime v0.21.0
 )
 
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
 require (
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/stretchr/testify v1.7.1 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/text v0.3.7 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.70.1 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.5.0 // indirect
 )

api/go.sum

@@ -1,48 +1,62 @@
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fluxcd/pkg/apis/kustomize v0.6.0 h1:Afxv3Uv+xiuettzqm3sP0ceWikDZTfHdHtLv6u2nFM8=
-github.com/fluxcd/pkg/apis/kustomize v0.6.0/go.mod h1:iY0zSpK6eUiPfNt/yR6g0q/wQP+wH+Ax/L7KBOx5x2M=
-github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS7XafVg=
-github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXCner7TNaJFWE=
+github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
+github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
+github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
+github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
-github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
+github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
+go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -52,23 +66,26 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -78,27 +95,27 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.25.2 h1:v6G8RyFcwf0HR5jQGIAYlvtRNrxMJQG1xJzaSeVnIS8=
-k8s.io/apiextensions-apiserver v0.25.2 h1:8uOQX17RE7XL02ngtnh3TgifY7EhekpK+/piwzQNnBo=
-k8s.io/apiextensions-apiserver v0.25.2/go.mod h1:iRwwRDlWPfaHhuBfQ0WMa5skdQfrE18QXJaJvIDLvE8=
-k8s.io/apimachinery v0.25.2 h1:WbxfAjCx+AeN8Ilp9joWnyJ6xu9OMeS/fsfjK/5zaQs=
-k8s.io/apimachinery v0.25.2/go.mod h1:hqqA1X0bsgsxI6dXsJ4HnNTBOmJNxyPp8dw3u2fSHwA=
-k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
-k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ=
-k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4=
-k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-sigs.k8s.io/controller-runtime v0.13.0 h1:iqa5RNciy7ADWnIc8QxCbOX5FEKVR3uxVxKHRMc2WIQ=
-sigs.k8s.io/controller-runtime v0.13.0/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
-sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
+k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
+k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
+k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
+sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=

api/v1/doc.go

@@ -0,0 +1,21 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API Schema definitions for the kustomize.toolkit.fluxcd.io
+// v1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=kustomize.toolkit.fluxcd.io
+package v1

api/v1/groupversion_info.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "kustomize.toolkit.fluxcd.io", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1/inventory_types.go

@@ -0,0 +1,34 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// ResourceInventory contains a list of Kubernetes resource object references
+// that have been applied by a Kustomization.
+type ResourceInventory struct {
+	// Entries of Kubernetes resource object references.
+	Entries []ResourceRef `json:"entries"`
+}
+
+// ResourceRef contains the information necessary to locate a resource within a cluster.
+type ResourceRef struct {
+	// ID is the string representation of the Kubernetes resource object's metadata,
+	// in the format '<namespace>_<name>_<group>_<kind>'.
+	ID string `json:"id"`
+
+	// Version is the API version of the Kubernetes resource object's kind.
+	Version string `json:"v"`
+}

api/v1/kustomization_types.go

@@ -0,0 +1,391 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	KustomizationKind         = "Kustomization"
+	KustomizationFinalizer    = "finalizers.fluxcd.io"
+	MaxConditionMessageLength = 20000
+	EnabledValue              = "enabled"
+	DisabledValue             = "disabled"
+	MergeValue                = "Merge"
+	IfNotPresentValue         = "IfNotPresent"
+	IgnoreValue               = "Ignore"
+
+	DeletionPolicyMirrorPrune        = "MirrorPrune"
+	DeletionPolicyDelete             = "Delete"
+	DeletionPolicyWaitForTermination = "WaitForTermination"
+	DeletionPolicyOrphan             = "Orphan"
+)
+
+// KustomizationSpec defines the configuration to calculate the desired state
+// from a Source using Kustomize.
+type KustomizationSpec struct {
+	// CommonMetadata specifies the common labels and annotations that are
+	// applied to all resources. Any existing label or annotation will be
+	// overridden if its key matches a common one.
+	// +optional
+	CommonMetadata *CommonMetadata `json:"commonMetadata,omitempty"`
+
+	// DependsOn may contain a DependencyReference slice
+	// with references to Kustomization resources that must be ready before this
+	// Kustomization can be reconciled.
+	// +optional
+	DependsOn []DependencyReference `json:"dependsOn,omitempty"`
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	// +optional
+	Decryption *Decryption `json:"decryption,omitempty"`
+
+	// The interval at which to reconcile the Kustomization.
+	// This interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +required
+	Interval metav1.Duration `json:"interval"`
+
+	// The interval at which to retry a previously failed reconciliation.
+	// When not specified, the controller uses the KustomizationSpec.Interval
+	// value to retry failures.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	RetryInterval *metav1.Duration `json:"retryInterval,omitempty"`
+
+	// The KubeConfig for reconciling the Kustomization on a remote cluster.
+	// When used in combination with KustomizationSpec.ServiceAccountName,
+	// forces the controller to act on behalf of that Service Account at the
+	// target cluster.
+	// If the --default-service-account flag is set, its value will be used as
+	// a controller level fallback for when KustomizationSpec.ServiceAccountName
+	// is empty.
+	// +optional
+	KubeConfig *meta.KubeConfigReference `json:"kubeConfig,omitempty"`
+
+	// Path to the directory containing the kustomization.yaml file, or the
+	// set of plain YAMLs a kustomization.yaml should be generated for.
+	// Defaults to 'None', which translates to the root path of the SourceRef.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// PostBuild describes which actions to perform on the YAML manifest
+	// generated by building the kustomize overlay.
+	// +optional
+	PostBuild *PostBuild `json:"postBuild,omitempty"`
+
+	// Prune enables garbage collection.
+	// +required
+	Prune bool `json:"prune"`
+
+	// DeletionPolicy can be used to control garbage collection when this
+	// Kustomization is deleted. Valid values are ('MirrorPrune', 'Delete',
+	// 'WaitForTermination', 'Orphan'). 'MirrorPrune' mirrors the Prune field
+	// (orphan if false, delete if true). Defaults to 'MirrorPrune'.
+	// +kubebuilder:validation:Enum=MirrorPrune;Delete;WaitForTermination;Orphan
+	// +optional
+	DeletionPolicy string `json:"deletionPolicy,omitempty"`
+
+	// A list of resources to be included in the health assessment.
+	// +optional
+	HealthChecks []meta.NamespacedObjectKindReference `json:"healthChecks,omitempty"`
+
+	// NamePrefix will prefix the names of all managed resources.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Optional
+	// +optional
+	NamePrefix string `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
+
+	// NameSuffix will suffix the names of all managed resources.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=200
+	// +kubebuilder:validation:Optional
+	// +optional
+	NameSuffix string `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
+
+	// Strategic merge and JSON patches, defined as inline YAML objects,
+	// capable of targeting objects based on kind, label and annotation selectors.
+	// +optional
+	Patches []kustomize.Patch `json:"patches,omitempty"`
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	// +optional
+	Images []kustomize.Image `json:"images,omitempty"`
+
+	// The name of the Kubernetes service account to impersonate
+	// when reconciling this Kustomization.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// Reference of the source where the kustomization file is.
+	// +required
+	SourceRef CrossNamespaceSourceReference `json:"sourceRef"`
+
+	// This flag tells the controller to suspend subsequent kustomize executions,
+	// it does not apply to already started executions. Defaults to false.
+	// +optional
+	Suspend bool `json:"suspend,omitempty"`
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Optional
+	// +optional
+	TargetNamespace string `json:"targetNamespace,omitempty"`
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	// +kubebuilder:validation:Type=string
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Force instructs the controller to recreate resources
+	// when patching fails due to an immutable field change.
+	// +kubebuilder:default:=false
+	// +optional
+	Force bool `json:"force,omitempty"`
+
+	// Wait instructs the controller to check the health of all the reconciled
+	// resources. When enabled, the HealthChecks are ignored. Defaults to false.
+	// +optional
+	Wait bool `json:"wait,omitempty"`
+
+	// Components specifies relative paths to specifications of other Components.
+	// +optional
+	Components []string `json:"components,omitempty"`
+
+	// HealthCheckExprs is a list of healthcheck expressions for evaluating the
+	// health of custom resources using Common Expression Language (CEL).
+	// The expressions are evaluated only when Wait or HealthChecks are specified.
+	// +optional
+	HealthCheckExprs []kustomize.CustomHealthCheck `json:"healthCheckExprs,omitempty"`
+}
+
+// CommonMetadata defines the common labels and annotations.
+type CommonMetadata struct {
+	// Annotations to be added to the object's metadata.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Labels to be added to the object's metadata.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// Decryption defines how decryption is handled for Kubernetes manifests.
+type Decryption struct {
+	// Provider is the name of the decryption engine.
+	// +kubebuilder:validation:Enum=sops
+	// +required
+	Provider string `json:"provider"`
+
+	// ServiceAccountName is the name of the service account used to
+	// authenticate with KMS services from cloud providers. If a
+	// static credential for a given cloud provider is defined
+	// inside the Secret referenced by SecretRef, that static
+	// credential takes priority.
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// The secret name containing the private OpenPGP keys used for decryption.
+	// A static credential for a cloud provider defined inside the Secret
+	// takes priority to secret-less authentication with the ServiceAccountName
+	// field.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// PostBuild describes which actions to perform on the YAML manifest
+// generated by building the kustomize overlay.
+type PostBuild struct {
+	// Substitute holds a map of key/value pairs.
+	// The variables defined in your YAML manifests that match any of the keys
+	// defined in the map will be substituted with the set value.
+	// Includes support for bash string replacement functions
+	// e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.
+	// +optional
+	Substitute map[string]string `json:"substitute,omitempty"`
+
+	// SubstituteFrom holds references to ConfigMaps and Secrets containing
+	// the variables and their values to be substituted in the YAML manifests.
+	// The ConfigMap and the Secret data keys represent the var names, and they
+	// must match the vars declared in the manifests for the substitution to
+	// happen.
+	// +optional
+	SubstituteFrom []SubstituteReference `json:"substituteFrom,omitempty"`
+}
+
+// SubstituteReference contains a reference to a resource containing
+// the variables name and value.
+type SubstituteReference struct {
+	// Kind of the values referent, valid values are ('Secret', 'ConfigMap').
+	// +kubebuilder:validation:Enum=Secret;ConfigMap
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the values referent. Should reside in the same namespace as the
+	// referring resource.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +required
+	Name string `json:"name"`
+
+	// Optional indicates whether the referenced resource must exist, or whether to
+	// tolerate its absence. If true and the referenced resource is absent, proceed
+	// as if the resource was present but empty, without any variables defined.
+	// +kubebuilder:default:=false
+	// +optional
+	Optional bool `json:"optional,omitempty"`
+}
+
+// KustomizationStatus defines the observed state of a kustomization.
+type KustomizationStatus struct {
+	meta.ReconcileRequestStatus `json:",inline"`
+
+	// ObservedGeneration is the last reconciled generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// The last successfully applied revision.
+	// Equals the Revision of the applied Artifact from the referenced Source.
+	// +optional
+	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
+
+	// The last successfully applied origin revision.
+	// Equals the origin revision of the applied Artifact from the referenced Source.
+	// Usually present on the Metadata of the applied Artifact and depends on the
+	// Source type, e.g. for OCI it's the value associated with the key
+	// "org.opencontainers.image.revision".
+	// +optional
+	LastAppliedOriginRevision string `json:"lastAppliedOriginRevision,omitempty"`
+
+	// LastAttemptedRevision is the revision of the last reconciliation attempt.
+	// +optional
+	LastAttemptedRevision string `json:"lastAttemptedRevision,omitempty"`
+
+	// Inventory contains the list of Kubernetes resource object references that
+	// have been successfully applied.
+	// +optional
+	Inventory *ResourceInventory `json:"inventory,omitempty"`
+}
+
+// GetTimeout returns the timeout with default.
+func (in Kustomization) GetTimeout() time.Duration {
+	duration := in.Spec.Interval.Duration - 30*time.Second
+	if in.Spec.Timeout != nil {
+		duration = in.Spec.Timeout.Duration
+	}
+	if duration < 30*time.Second {
+		return 30 * time.Second
+	}
+	return duration
+}
+
+// GetRetryInterval returns the retry interval
+func (in Kustomization) GetRetryInterval() time.Duration {
+	if in.Spec.RetryInterval != nil {
+		return in.Spec.RetryInterval.Duration
+	}
+	return in.GetRequeueAfter()
+}
+
+// GetRequeueAfter returns the duration after which the Kustomization must be
+// reconciled again.
+func (in Kustomization) GetRequeueAfter() time.Duration {
+	return in.Spec.Interval.Duration
+}
+
+// GetDeletionPolicy returns the deletion policy and default value if not specified.
+func (in Kustomization) GetDeletionPolicy() string {
+	if in.Spec.DeletionPolicy == "" {
+		return DeletionPolicyMirrorPrune
+	}
+	return in.Spec.DeletionPolicy
+}
+
+// GetDependsOn returns the dependencies as a list of meta.NamespacedObjectReference.
+//
+// This function makes the Kustomization type conformant with the meta.ObjectWithDependencies interface
+// and allows the controller-runtime to index Kustomizations by their dependencies.
+func (in Kustomization) GetDependsOn() []meta.NamespacedObjectReference {
+	deps := make([]meta.NamespacedObjectReference, len(in.Spec.DependsOn))
+	for i := range in.Spec.DependsOn {
+		deps[i] = meta.NamespacedObjectReference{
+			Name:      in.Spec.DependsOn[i].Name,
+			Namespace: in.Spec.DependsOn[i].Namespace,
+		}
+	}
+	return deps
+}
+
+// GetConditions returns the status conditions of the object.
+func (in Kustomization) GetConditions() []metav1.Condition {
+	return in.Status.Conditions
+}
+
+// SetConditions sets the status conditions on the object.
+func (in *Kustomization) SetConditions(conditions []metav1.Condition) {
+	in.Status.Conditions = conditions
+}
+
+// +genclient
+// +kubebuilder:storageversion
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=ks
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+
+// Kustomization is the Schema for the kustomizations API.
+type Kustomization struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec KustomizationSpec `json:"spec,omitempty"`
+	// +kubebuilder:default:={"observedGeneration":-1}
+	Status KustomizationStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// KustomizationList contains a list of kustomizations.
+type KustomizationList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Kustomization `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
+}

api/v1/reference_types.go

@@ -0,0 +1,72 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+)
+
+// CrossNamespaceSourceReference contains enough information to let you locate the
+// typed Kubernetes resource object at cluster level.
+type CrossNamespaceSourceReference struct {
+	// API version of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Kind of the referent.
+	// +kubebuilder:validation:Enum=OCIRepository;GitRepository;Bucket
+	// +required
+	Kind string `json:"kind"`
+
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the namespace of the Kubernetes
+	// resource object that contains the reference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// String returns a string representation of the CrossNamespaceSourceReference
+// in the format "Kind/Name" or "Kind/Namespace/Name" if Namespace is set.
+func (s *CrossNamespaceSourceReference) String() string {
+	if s.Namespace != "" {
+		return fmt.Sprintf("%s/%s/%s", s.Kind, s.Namespace, s.Name)
+	}
+	return fmt.Sprintf("%s/%s", s.Kind, s.Name)
+}
+
+// DependencyReference defines a Kustomization dependency on another Kustomization resource.
+type DependencyReference struct {
+	// Name of the referent.
+	// +required
+	Name string `json:"name"`
+
+	// Namespace of the referent, defaults to the namespace of the Kustomization
+	// resource object that contains the reference.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// ReadyExpr is a CEL expression that can be used to assess the readiness
+	// of a dependency. When specified, the built-in readiness check
+	// is replaced by the logic defined in the CEL expression.
+	// To make the CEL expression additive to the built-in readiness check,
+	// the feature gate `AdditiveCELDependencyCheck` must be set to `true`.
+	// +optional
+	ReadyExpr string `json:"readyExpr,omitempty"`
+}

api/v1/zz_generated.deepcopy.go

@@ -0,0 +1,350 @@
+//go:build !ignore_autogenerated
+
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CommonMetadata) DeepCopyInto(out *CommonMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonMetadata.
+func (in *CommonMetadata) DeepCopy() *CommonMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(CommonMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossNamespaceSourceReference) DeepCopyInto(out *CrossNamespaceSourceReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossNamespaceSourceReference.
+func (in *CrossNamespaceSourceReference) DeepCopy() *CrossNamespaceSourceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(CrossNamespaceSourceReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Decryption) DeepCopyInto(out *Decryption) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(meta.LocalObjectReference)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Decryption.
+func (in *Decryption) DeepCopy() *Decryption {
+	if in == nil {
+		return nil
+	}
+	out := new(Decryption)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DependencyReference) DeepCopyInto(out *DependencyReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DependencyReference.
+func (in *DependencyReference) DeepCopy() *DependencyReference {
+	if in == nil {
+		return nil
+	}
+	out := new(DependencyReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Kustomization) DeepCopyInto(out *Kustomization) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Kustomization.
+func (in *Kustomization) DeepCopy() *Kustomization {
+	if in == nil {
+		return nil
+	}
+	out := new(Kustomization)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Kustomization) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationList) DeepCopyInto(out *KustomizationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Kustomization, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationList.
+func (in *KustomizationList) DeepCopy() *KustomizationList {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *KustomizationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
+	*out = *in
+	if in.CommonMetadata != nil {
+		in, out := &in.CommonMetadata, &out.CommonMetadata
+		*out = new(CommonMetadata)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.DependsOn != nil {
+		in, out := &in.DependsOn, &out.DependsOn
+		*out = make([]DependencyReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Decryption != nil {
+		in, out := &in.Decryption, &out.Decryption
+		*out = new(Decryption)
+		(*in).DeepCopyInto(*out)
+	}
+	out.Interval = in.Interval
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.KubeConfig != nil {
+		in, out := &in.KubeConfig, &out.KubeConfig
+		*out = new(meta.KubeConfigReference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PostBuild != nil {
+		in, out := &in.PostBuild, &out.PostBuild
+		*out = new(PostBuild)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.HealthChecks != nil {
+		in, out := &in.HealthChecks, &out.HealthChecks
+		*out = make([]meta.NamespacedObjectKindReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Patches != nil {
+		in, out := &in.Patches, &out.Patches
+		*out = make([]kustomize.Patch, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Images != nil {
+		in, out := &in.Images, &out.Images
+		*out = make([]kustomize.Image, len(*in))
+		copy(*out, *in)
+	}
+	out.SourceRef = in.SourceRef
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.HealthCheckExprs != nil {
+		in, out := &in.HealthCheckExprs, &out.HealthCheckExprs
+		*out = make([]kustomize.CustomHealthCheck, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationSpec.
+func (in *KustomizationSpec) DeepCopy() *KustomizationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KustomizationStatus) DeepCopyInto(out *KustomizationStatus) {
+	*out = *in
+	out.ReconcileRequestStatus = in.ReconcileRequestStatus
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Inventory != nil {
+		in, out := &in.Inventory, &out.Inventory
+		*out = new(ResourceInventory)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationStatus.
+func (in *KustomizationStatus) DeepCopy() *KustomizationStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(KustomizationStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PostBuild) DeepCopyInto(out *PostBuild) {
+	*out = *in
+	if in.Substitute != nil {
+		in, out := &in.Substitute, &out.Substitute
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.SubstituteFrom != nil {
+		in, out := &in.SubstituteFrom, &out.SubstituteFrom
+		*out = make([]SubstituteReference, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostBuild.
+func (in *PostBuild) DeepCopy() *PostBuild {
+	if in == nil {
+		return nil
+	}
+	out := new(PostBuild)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceInventory) DeepCopyInto(out *ResourceInventory) {
+	*out = *in
+	if in.Entries != nil {
+		in, out := &in.Entries, &out.Entries
+		*out = make([]ResourceRef, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceInventory.
+func (in *ResourceInventory) DeepCopy() *ResourceInventory {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceInventory)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRef) DeepCopyInto(out *ResourceRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRef.
+func (in *ResourceRef) DeepCopy() *ResourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubstituteReference) DeepCopyInto(out *SubstituteReference) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubstituteReference.
+func (in *SubstituteReference) DeepCopy() *SubstituteReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SubstituteReference)
+	in.DeepCopyInto(out)
+	return out
+}

api/v1beta1/kustomization_types.go

@@ -20,8 +20,6 @@ import (
 	"time"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -231,78 +229,6 @@ type KustomizationStatus struct {
 	Snapshot *Snapshot `json:"snapshot,omitempty"`
 }
 
-// KustomizationProgressing resets the conditions of the given Kustomization to a single
-// ReadyCondition with status ConditionUnknown.
-func KustomizationProgressing(k Kustomization) Kustomization {
-	newCondition := metav1.Condition{
-		Type:    meta.ReadyCondition,
-		Status:  metav1.ConditionUnknown,
-		Reason:  meta.ProgressingReason,
-		Message: "reconciliation in progress",
-	}
-	apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-	return k
-}
-
-// SetKustomizationHealthiness sets the HealthyCondition status for a Kustomization.
-func SetKustomizationHealthiness(k *Kustomization, status metav1.ConditionStatus, reason, message string) {
-	switch len(k.Spec.HealthChecks) {
-	case 0:
-		apimeta.RemoveStatusCondition(k.GetStatusConditions(), HealthyCondition)
-	default:
-		newCondition := metav1.Condition{
-			Type:    HealthyCondition,
-			Status:  status,
-			Reason:  reason,
-			Message: trimString(message, MaxConditionMessageLength),
-		}
-		apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-	}
-}
-
-// SetKustomizeReadiness sets the ReadyCondition, ObservedGeneration, and LastAttemptedRevision,
-// on the Kustomization.
-func SetKustomizationReadiness(k *Kustomization, status metav1.ConditionStatus, reason, message string, revision string) {
-	newCondition := metav1.Condition{
-		Type:    meta.ReadyCondition,
-		Status:  status,
-		Reason:  reason,
-		Message: trimString(message, MaxConditionMessageLength),
-	}
-	apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-
-	k.Status.ObservedGeneration = k.Generation
-	k.Status.LastAttemptedRevision = revision
-}
-
-// KustomizationNotReady registers a failed apply attempt of the given Kustomization.
-func KustomizationNotReady(k Kustomization, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionFalse, reason, trimString(message, MaxConditionMessageLength), revision)
-	if revision != "" {
-		k.Status.LastAttemptedRevision = revision
-	}
-	return k
-}
-
-// KustomizationNotReady registers a failed apply attempt of the given Kustomization,
-// including a Snapshot.
-func KustomizationNotReadySnapshot(k Kustomization, snapshot *Snapshot, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionFalse, reason, trimString(message, MaxConditionMessageLength), revision)
-	SetKustomizationHealthiness(&k, metav1.ConditionFalse, reason, reason)
-	k.Status.Snapshot = snapshot
-	k.Status.LastAttemptedRevision = revision
-	return k
-}
-
-// KustomizationReady registers a successful apply attempt of the given Kustomization.
-func KustomizationReady(k Kustomization, snapshot *Snapshot, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionTrue, reason, trimString(message, MaxConditionMessageLength), revision)
-	SetKustomizationHealthiness(&k, metav1.ConditionTrue, reason, reason)
-	k.Status.Snapshot = snapshot
-	k.Status.LastAppliedRevision = revision
-	return k
-}
-
 // GetTimeout returns the timeout with default.
 func (in Kustomization) GetTimeout() time.Duration {
 	duration := in.Spec.Interval.Duration
@@ -345,13 +271,13 @@ const (
 )
 
 // +genclient
-// +genclient:Namespaced
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=ks
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
+// +kubebuilder:deprecatedversion:warning="v1beta1 Kustomization is deprecated, upgrade to v1"
 
 // Kustomization is the Schema for the kustomizations API.
 type Kustomization struct {

api/v1beta1/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2021 The Flux authors
+Copyright 2023 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -176,7 +175,9 @@ func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 	if in.Patches != nil {
 		in, out := &in.Patches, &out.Patches
 		*out = make([]kustomize.Patch, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	if in.PatchesStrategicMerge != nil {
 		in, out := &in.PatchesStrategicMerge, &out.PatchesStrategicMerge

api/v1beta2/condition_types.go

@@ -48,4 +48,8 @@ const (
 	// ReconciliationFailedReason represents the fact that
 	// the reconciliation failed.
 	ReconciliationFailedReason string = "ReconciliationFailed"
+
+	// ProgressingWithRetryReason represents the fact that
+	// the reconciliation encountered an error that will be retried.
+	ProgressingWithRetryReason string = "ProgressingWithRetry"
 )

api/v1beta2/kustomization_types.go

@@ -22,7 +22,6 @@ import (
 	"github.com/fluxcd/pkg/apis/kustomize"
 	"github.com/fluxcd/pkg/apis/meta"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -30,12 +29,18 @@ const (
 	KustomizationKind         = "Kustomization"
 	KustomizationFinalizer    = "finalizers.fluxcd.io"
 	MaxConditionMessageLength = 20000
+	EnabledValue              = "enabled"
 	DisabledValue             = "disabled"
 	MergeValue                = "merge"
 )
 
 // KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize.
 type KustomizationSpec struct {
+	// CommonMetadata specifies the common labels and annotations that are applied to all resources.
+	// Any existing label or annotation will be overridden if its key matches a common one.
+	// +optional
+	CommonMetadata *CommonMetadata `json:"commonMetadata,omitempty"`
+
 	// DependsOn may contain a meta.NamespacedObjectReference slice
 	// with references to Kustomization resources that must be ready before this
 	// Kustomization can be reconciled.
@@ -68,7 +73,7 @@ type KustomizationSpec struct {
 	// a controller level fallback for when KustomizationSpec.ServiceAccountName
 	// is empty.
 	// +optional
-	KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
+	KubeConfig *meta.KubeConfigReference `json:"kubeConfig,omitempty"`
 
 	// Path to the directory containing the kustomization.yaml file, or the
 	// set of plain YAMLs a kustomization.yaml should be generated for.
@@ -135,7 +140,7 @@ type KustomizationSpec struct {
 	// Timeout for validation, apply and health checking operations.
 	// Defaults to 'Interval' duration.
 	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+	// +kubebuilder:validation:Pattern="^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
 	// +optional
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 
@@ -150,12 +155,27 @@ type KustomizationSpec struct {
 	// +optional
 	Wait bool `json:"wait,omitempty"`
 
+	// Components specifies relative paths to specifications of other Components.
+	// +optional
+	Components []string `json:"components,omitempty"`
+
 	// Deprecated: Not used in v1beta2.
 	// +kubebuilder:validation:Enum=none;client;server
 	// +optional
 	Validation string `json:"validation,omitempty"`
 }
 
+// CommonMetadata defines the common labels and annotations.
+type CommonMetadata struct {
+	// Annotations to be added to the object's metadata.
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// Labels to be added to the object's metadata.
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
 // Decryption defines how decryption is handled for Kubernetes manifests.
 type Decryption struct {
 	// Provider is the name of the decryption engine.
@@ -168,21 +188,6 @@ type Decryption struct {
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
-// KubeConfig references a Kubernetes secret that contains a kubeconfig file.
-type KubeConfig struct {
-	// SecretRef holds the name of a secret that contains a key with
-	// the kubeconfig file as the value. If no key is set, the key will default
-	// to 'value'. The secret must be in the same namespace as
-	// the Kustomization.
-	// It is recommended that the kubeconfig is self-contained, and the secret
-	// is regularly updated if credentials such as a cloud-access-token expire.
-	// Cloud specific `cmd-path` auth helpers will not function without adding
-	// binaries and credentials to the Pod that is responsible for reconciling
-	// the Kustomization.
-	// +required
-	SecretRef meta.SecretKeyReference `json:"secretRef,omitempty"`
-}
-
 // PostBuild describes which actions to perform on the YAML manifest
 // generated by building the kustomize overlay.
 type PostBuild struct {
@@ -238,7 +243,7 @@ type KustomizationStatus struct {
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 
 	// The last successfully applied revision.
-	// The revision format for Git sources is <branch|tag>/<commit-sha>.
+	// Equals the Revision of the applied Artifact from the referenced Source.
 	// +optional
 	LastAppliedRevision string `json:"lastAppliedRevision,omitempty"`
 
@@ -251,78 +256,6 @@ type KustomizationStatus struct {
 	Inventory *ResourceInventory `json:"inventory,omitempty"`
 }
 
-// KustomizationProgressing resets the conditions of the given Kustomization to a single
-// ReadyCondition with status ConditionUnknown.
-func KustomizationProgressing(k Kustomization, message string) Kustomization {
-	newCondition := metav1.Condition{
-		Type:    meta.ReadyCondition,
-		Status:  metav1.ConditionUnknown,
-		Reason:  meta.ProgressingReason,
-		Message: trimString(message, MaxConditionMessageLength),
-	}
-	apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-	return k
-}
-
-// SetKustomizationHealthiness sets the HealthyCondition status for a Kustomization.
-func SetKustomizationHealthiness(k *Kustomization, status metav1.ConditionStatus, reason, message string) {
-	if !k.Spec.Wait && len(k.Spec.HealthChecks) == 0 {
-		apimeta.RemoveStatusCondition(k.GetStatusConditions(), HealthyCondition)
-	} else {
-		newCondition := metav1.Condition{
-			Type:    HealthyCondition,
-			Status:  status,
-			Reason:  reason,
-			Message: trimString(message, MaxConditionMessageLength),
-		}
-		apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-	}
-
-}
-
-// SetKustomizationReadiness sets the ReadyCondition, ObservedGeneration, and LastAttemptedRevision, on the Kustomization.
-func SetKustomizationReadiness(k *Kustomization, status metav1.ConditionStatus, reason, message string, revision string) {
-	newCondition := metav1.Condition{
-		Type:    meta.ReadyCondition,
-		Status:  status,
-		Reason:  reason,
-		Message: trimString(message, MaxConditionMessageLength),
-	}
-	apimeta.SetStatusCondition(k.GetStatusConditions(), newCondition)
-
-	k.Status.ObservedGeneration = k.Generation
-	k.Status.LastAttemptedRevision = revision
-}
-
-// KustomizationNotReady registers a failed apply attempt of the given Kustomization.
-func KustomizationNotReady(k Kustomization, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionFalse, reason, trimString(message, MaxConditionMessageLength), revision)
-	if revision != "" {
-		k.Status.LastAttemptedRevision = revision
-	}
-	return k
-}
-
-// KustomizationNotReadyInventory registers a failed apply attempt of the given Kustomization.
-func KustomizationNotReadyInventory(k Kustomization, inventory *ResourceInventory, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionFalse, reason, trimString(message, MaxConditionMessageLength), revision)
-	SetKustomizationHealthiness(&k, metav1.ConditionFalse, reason, reason)
-	if revision != "" {
-		k.Status.LastAttemptedRevision = revision
-	}
-	k.Status.Inventory = inventory
-	return k
-}
-
-// KustomizationReadyInventory registers a successful apply attempt of the given Kustomization.
-func KustomizationReadyInventory(k Kustomization, inventory *ResourceInventory, revision, reason, message string) Kustomization {
-	SetKustomizationReadiness(&k, metav1.ConditionTrue, reason, trimString(message, MaxConditionMessageLength), revision)
-	SetKustomizationHealthiness(&k, metav1.ConditionTrue, reason, reason)
-	k.Status.Inventory = inventory
-	k.Status.LastAppliedRevision = revision
-	return k
-}
-
 // GetTimeout returns the timeout with default.
 func (in Kustomization) GetTimeout() time.Duration {
 	duration := in.Spec.Interval.Duration - 30*time.Second
@@ -371,14 +304,13 @@ func (in *Kustomization) GetStatusConditions() *[]metav1.Condition {
 }
 
 // +genclient
-// +genclient:Namespaced
-// +kubebuilder:storageversion
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:shortName=ks
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description=""
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description=""
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description=""
+// +kubebuilder:deprecatedversion:warning="v1beta2 Kustomization is deprecated, upgrade to v1"
 
 // Kustomization is the Schema for the kustomizations API.
 type Kustomization struct {
@@ -402,11 +334,3 @@ type KustomizationList struct {
 func init() {
 	SchemeBuilder.Register(&Kustomization{}, &KustomizationList{})
 }
-
-func trimString(str string, limit int) string {
-	if len(str) <= limit {
-		return str
-	}
-
-	return str[0:limit] + "..."
-}

api/v1beta2/zz_generated.deepcopy.go

@@ -1,8 +1,7 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
-Copyright 2021 The Flux authors
+Copyright 2023 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -29,6 +28,35 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CommonMetadata) DeepCopyInto(out *CommonMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonMetadata.
+func (in *CommonMetadata) DeepCopy() *CommonMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(CommonMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CrossNamespaceSourceReference) DeepCopyInto(out *CrossNamespaceSourceReference) {
 	*out = *in
@@ -64,22 +92,6 @@ func (in *Decryption) DeepCopy() *Decryption {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubeConfig) DeepCopyInto(out *KubeConfig) {
-	*out = *in
-	out.SecretRef = in.SecretRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeConfig.
-func (in *KubeConfig) DeepCopy() *KubeConfig {
-	if in == nil {
-		return nil
-	}
-	out := new(KubeConfig)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Kustomization) DeepCopyInto(out *Kustomization) {
 	*out = *in
@@ -142,6 +154,11 @@ func (in *KustomizationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 	*out = *in
+	if in.CommonMetadata != nil {
+		in, out := &in.CommonMetadata, &out.CommonMetadata
+		*out = new(CommonMetadata)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.DependsOn != nil {
 		in, out := &in.DependsOn, &out.DependsOn
 		*out = make([]meta.NamespacedObjectReference, len(*in))
@@ -160,8 +177,8 @@ func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 	}
 	if in.KubeConfig != nil {
 		in, out := &in.KubeConfig, &out.KubeConfig
-		*out = new(KubeConfig)
-		**out = **in
+		*out = new(meta.KubeConfigReference)
+		(*in).DeepCopyInto(*out)
 	}
 	if in.PostBuild != nil {
 		in, out := &in.PostBuild, &out.PostBuild
@@ -176,7 +193,9 @@ func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 	if in.Patches != nil {
 		in, out := &in.Patches, &out.Patches
 		*out = make([]kustomize.Patch, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	if in.PatchesStrategicMerge != nil {
 		in, out := &in.PatchesStrategicMerge, &out.PatchesStrategicMerge
@@ -203,6 +222,11 @@ func (in *KustomizationSpec) DeepCopyInto(out *KustomizationSpec) {
 		*out = new(v1.Duration)
 		**out = **in
 	}
+	if in.Components != nil {
+		in, out := &in.Components, &out.Components
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KustomizationSpec.

config/default/kustomization.yaml

@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kustomize-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.30.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.30.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.6.0/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.29.0
+    newTag: v1.6.0

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:
@@ -22,6 +21,12 @@ rules:
   verbs:
   - create
   - patch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 - apiGroups:
   - kustomize.toolkit.fluxcd.io
   resources:

config/samples/kustomize_v1_kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: webapp-dev
@@ -12,7 +12,7 @@ spec:
   wait: true
   timeout: 2m
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: webapp-production

config/samples/source_v1_gitrepository.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: webapp-latest
@@ -8,7 +8,7 @@ spec:
   ref:
     branch: master
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: webapp-releases

config/testdata/crds-crs/cert-manager.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: certs
@@ -8,7 +8,7 @@ spec:
   ref:
     tag: "v1.1.0"
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: certs

config/testdata/dependencies/backend.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: backend
@@ -11,9 +11,8 @@ spec:
   sourceRef:
     kind: GitRepository
     name: webapp
-  validation: server
   healthChecks:
     - kind: Deployment
       name: backend
       namespace: webapp
-  timeout: 2m
+  timeout: 2m

config/testdata/dependencies/common.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: common
@@ -9,4 +9,3 @@ spec:
   sourceRef:
     kind: GitRepository
     name: webapp
-  validation: client

config/testdata/dependencies/frontend.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: frontend
@@ -12,9 +12,8 @@ spec:
   sourceRef:
     kind: GitRepository
     name: webapp
-  validation: server
   healthChecks:
     - kind: Deployment
       name: frontend
       namespace: webapp
-  timeout: 2m
+  timeout: 2m

config/testdata/dependencies/source.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: webapp
@@ -6,4 +6,4 @@ spec:
   interval: 10m
   url: https://github.com/stefanprodan/podinfo
   ref:
-    semver: ">=3.2.3"
+    semver: ">=6.3.5"

config/testdata/impersonation/test.yaml

@@ -33,7 +33,7 @@ subjects:
     name: gotk-reconciler
     namespace: impersonation
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: podinfo
@@ -42,9 +42,9 @@ spec:
   interval: 5m
   url: https://github.com/stefanprodan/podinfo
   ref:
-    tag: "5.0.3"
+    tag: "6.3.5"
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: podinfo
@@ -60,7 +60,7 @@ spec:
     name: podinfo
   patches:
     - patch: |
-        apiVersion: autoscaling/v2beta2
+        apiVersion: autoscaling/v2
         kind: HorizontalPodAutoscaler
         metadata:
           name: podinfo

config/testdata/managed-fields/podinfo.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: podinfo
@@ -12,7 +12,7 @@ spec:
   timeout: 1m
   targetNamespace: managed-fields
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: podinfo
@@ -20,4 +20,4 @@ spec:
   interval: 5m
   url: https://github.com/stefanprodan/podinfo
   ref:
-    semver: "6.0.0"
+    semver: "6.3.5"

config/testdata/oci/podinfo.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: OCIRepository
 metadata:
   name: oci
@@ -7,9 +7,9 @@ spec:
   interval: 10m
   url: oci://ghcr.io/stefanprodan/manifests/podinfo
   ref:
-    tag: "6.1.6"
+    tag: "6.3.5"
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: oci
@@ -17,7 +17,7 @@ metadata:
 spec:
   targetNamespace: oci
   interval: 10m
-  path: "./kustomize"
+  path: "./"
   prune: true
   sourceRef:
     kind: OCIRepository
@@ -26,7 +26,7 @@ spec:
   timeout: 2m
   patches:
     - patch: |-
-        apiVersion: autoscaling/v2beta2
+        apiVersion: autoscaling/v2
         kind: HorizontalPodAutoscaler
         metadata:
           name: podinfo

config/testdata/overlays/production.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: webapp-production
@@ -9,7 +9,6 @@ spec:
   sourceRef:
     kind: GitRepository
     name: webapp-releases
-  validation: client
   healthChecks:
     - kind: Deployment
       name: backend
@@ -19,7 +18,7 @@ spec:
       namespace: production
   timeout: 2m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: webapp-releases
@@ -27,4 +26,4 @@ spec:
   interval: 5m
   url: https://github.com/stefanprodan/podinfo
   ref:
-    semver: ">=3.2.3"
+    semver: ">=6.3.5"

config/testdata/overlays/staging.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: webapp-staging
@@ -9,7 +9,6 @@ spec:
   sourceRef:
     kind: GitRepository
     name: webapp-releases
-  validation: client
   healthChecks:
     - kind: Deployment
       name: backend
@@ -19,7 +18,7 @@ spec:
       namespace: staging
   timeout: 2m
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
   name: webapp-latest

config/testdata/status-defaults/empty-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: status-defaults

controllers/kustomization_dependson_test.go

@@ -1,186 +0,0 @@
-/*
-Copyright 2021 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"fmt"
-	"testing"
-	"time"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	. "github.com/onsi/gomega"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-)
-
-func TestKustomizationReconciler_DependsOn(t *testing.T) {
-	g := NewWithT(t)
-	id := "dep-" + randStringRunes(5)
-	revision := "v1.0.0"
-
-	err := createNamespace(id)
-	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
-
-	err = createKubeConfigSecret(id)
-	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
-
-	manifests := func(name string, data string) []testserver.File {
-		return []testserver.File{
-			{
-				Name: "config.yaml",
-				Body: fmt.Sprintf(`---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: %[1]s
-data:
-  key: "%[2]s"
----
-apiVersion: autoscaling/v2beta2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: "v2beta2-%[1]s"
-  namespace: "%[2]s"
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: test
-  minReplicas: 1
-  maxReplicas: 10
-  metrics:
-  - type: Resource
-    resource:
-      name: cpu
-      target:
-        type: Utilization
-        averageUtilization: 50
-  - type: Pods
-    pods:
-      metric:
-        name: packets-per-second
-      target:
-        type: AverageValue
-        averageValue: 1k
-  - type: Object
-    object:
-      metric:
-        name: requests-per-second
-      describedObject:
-        apiVersion: networking.k8s.io/v1beta1
-        kind: Ingress
-        name: main-route
-      target:
-        type: Value
-        value: 10k
-`, name, data),
-			},
-		}
-	}
-
-	artifact, err := testServer.ArtifactFromFiles(manifests(id, id))
-	g.Expect(err).NotTo(HaveOccurred())
-
-	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
-		Namespace: id,
-	}
-
-	kustomizationKey := types.NamespacedName{
-		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
-		Namespace: id,
-	}
-	kustomization := &kustomizev1.Kustomization{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      kustomizationKey.Name,
-			Namespace: kustomizationKey.Namespace,
-		},
-		Spec: kustomizev1.KustomizationSpec{
-			Interval: metav1.Duration{Duration: reconciliationInterval},
-			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
-					Name: "kubeconfig",
-				},
-			},
-			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Name:      repositoryName.Name,
-				Namespace: repositoryName.Namespace,
-				Kind:      sourcev1.GitRepositoryKind,
-			},
-			TargetNamespace: id,
-			Prune:           true,
-		},
-	}
-
-	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
-
-	resultK := &kustomizev1.Kustomization{}
-
-	g.Eventually(func() bool {
-		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-		return apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition) != nil
-	}, timeout, time.Second).Should(BeTrue())
-
-	t.Run("fails due to source not found", func(t *testing.T) {
-		g := NewWithT(t)
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			ready := apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			return ready.Reason == kustomizev1.ArtifactFailedReason
-		}, timeout, time.Second).Should(BeTrue())
-	})
-
-	t.Run("reconciles when source is found", func(t *testing.T) {
-		g := NewWithT(t)
-		err = applyGitRepository(repositoryName, artifact, revision)
-		g.Expect(err).NotTo(HaveOccurred())
-
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			ready := apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			return ready.Reason == kustomizev1.ReconciliationSucceededReason
-		}, timeout, time.Second).Should(BeTrue())
-	})
-
-	t.Run("fails due to dependency not found", func(t *testing.T) {
-		g := NewWithT(t)
-		g.Eventually(func() error {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			resultK.Spec.DependsOn = []meta.NamespacedObjectReference{
-				{
-					Namespace: id,
-					Name:      "root",
-				},
-			}
-			return k8sClient.Update(context.Background(), resultK)
-		}, timeout, time.Second).Should(BeNil())
-
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			ready := apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			return ready.Reason == kustomizev1.DependencyNotReadyReason
-		}, timeout, time.Second).Should(BeTrue())
-	})
-}

controllers/kustomization_fetcher.go

@@ -1,127 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"bytes"
-	"crypto/sha1"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/fluxcd/pkg/untar"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	"github.com/hashicorp/go-retryablehttp"
-)
-
-// ArtifactFetcher holds the HTTP client that reties with back off when
-// the artifact server is offline.
-type ArtifactFetcher struct {
-	httpClient *retryablehttp.Client
-}
-
-// ArtifactNotFoundError is an error type used to signal 404 HTTP status code responses.
-var ArtifactNotFoundError = errors.New("artifact not found")
-
-// NewArtifactFetcher configures the retryable http client used for fetching artifacts.
-// By default, it retries 10 times within a 3.5 minutes window.
-func NewArtifactFetcher(retries int) *ArtifactFetcher {
-	httpClient := retryablehttp.NewClient()
-	httpClient.RetryWaitMin = 5 * time.Second
-	httpClient.RetryWaitMax = 30 * time.Second
-	httpClient.RetryMax = retries
-	httpClient.Logger = nil
-
-	return &ArtifactFetcher{httpClient: httpClient}
-}
-
-// Fetch downloads, verifies and extracts the artifact content to the specified directory.
-// If the artifact server responds with 5xx errors, the download operation is retried.
-// If the artifact server responds with 404, the returned error is of type ArtifactNotFoundError.
-// If the artifact server is unavailable for more than 3 minutes, the returned error contains the original status code.
-func (r *ArtifactFetcher) Fetch(artifact *sourcev1.Artifact, dir string) error {
-	artifactURL := artifact.URL
-	if hostname := os.Getenv("SOURCE_CONTROLLER_LOCALHOST"); hostname != "" {
-		u, err := url.Parse(artifactURL)
-		if err != nil {
-			return err
-		}
-		u.Host = hostname
-		artifactURL = u.String()
-	}
-
-	req, err := retryablehttp.NewRequest(http.MethodGet, artifactURL, nil)
-	if err != nil {
-		return fmt.Errorf("failed to create a new request: %w", err)
-	}
-
-	resp, err := r.httpClient.Do(req)
-	if err != nil {
-		return fmt.Errorf("failed to download artifact, error: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if code := resp.StatusCode; code != http.StatusOK {
-		if code == http.StatusNotFound {
-			return ArtifactNotFoundError
-		}
-		return fmt.Errorf("failed to download artifact from %s, status: %s", artifactURL, resp.Status)
-	}
-
-	var buf bytes.Buffer
-
-	// verify checksum matches origin
-	if err := r.Verify(artifact, &buf, resp.Body); err != nil {
-		return err
-	}
-
-	// extract
-	if _, err = untar.Untar(&buf, dir); err != nil {
-		return fmt.Errorf("failed to untar artifact, error: %w", err)
-	}
-
-	return nil
-}
-
-// Verify computes the checksum of the tarball and returns an error if the computed value
-// does not match the artifact advertised checksum.
-func (r *ArtifactFetcher) Verify(artifact *sourcev1.Artifact, buf *bytes.Buffer, reader io.Reader) error {
-	hasher := sha256.New()
-
-	// for backwards compatibility with source-controller v0.17.2 and older
-	if len(artifact.Checksum) == 40 {
-		hasher = sha1.New()
-	}
-
-	// compute checksum
-	mw := io.MultiWriter(hasher, buf)
-	if _, err := io.Copy(mw, reader); err != nil {
-		return err
-	}
-
-	if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum {
-		return fmt.Errorf("failed to verify artifact: computed checksum '%s' doesn't match advertised '%s'",
-			checksum, artifact.Checksum)
-	}
-
-	return nil
-}

controllers/kustomization_generator.go

@@ -1,288 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-
-	"sigs.k8s.io/kustomize/api/filesys"
-	"sigs.k8s.io/kustomize/api/konfig"
-	"sigs.k8s.io/kustomize/api/krusty"
-	"sigs.k8s.io/kustomize/api/provider"
-	"sigs.k8s.io/kustomize/api/resmap"
-	kustypes "sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/yaml"
-
-	"github.com/fluxcd/pkg/apis/kustomize"
-	securefs "github.com/fluxcd/pkg/kustomize/filesys"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-)
-
-type KustomizeGenerator struct {
-	root          string
-	kustomization kustomizev1.Kustomization
-}
-
-func NewGenerator(root string, kustomization kustomizev1.Kustomization) *KustomizeGenerator {
-	return &KustomizeGenerator{
-		root:          root,
-		kustomization: kustomization,
-	}
-}
-
-func (kg *KustomizeGenerator) WriteFile(dirPath string) error {
-	if err := kg.generateKustomization(dirPath); err != nil {
-		return err
-	}
-
-	kfile := filepath.Join(dirPath, konfig.DefaultKustomizationFileName())
-
-	data, err := os.ReadFile(kfile)
-	if err != nil {
-		return err
-	}
-
-	kus := kustypes.Kustomization{
-		TypeMeta: kustypes.TypeMeta{
-			APIVersion: kustypes.KustomizationVersion,
-			Kind:       kustypes.KustomizationKind,
-		},
-	}
-
-	if err := yaml.Unmarshal(data, &kus); err != nil {
-		return err
-	}
-
-	if kg.kustomization.Spec.TargetNamespace != "" {
-		kus.Namespace = kg.kustomization.Spec.TargetNamespace
-	}
-
-	for _, m := range kg.kustomization.Spec.Patches {
-		kus.Patches = append(kus.Patches, kustypes.Patch{
-			Patch:  m.Patch,
-			Target: adaptSelector(&m.Target),
-		})
-	}
-
-	for _, m := range kg.kustomization.Spec.PatchesStrategicMerge {
-		kus.PatchesStrategicMerge = append(kus.PatchesStrategicMerge, kustypes.PatchStrategicMerge(m.Raw))
-	}
-
-	for _, m := range kg.kustomization.Spec.PatchesJSON6902 {
-		patch, err := json.Marshal(m.Patch)
-		if err != nil {
-			return err
-		}
-		kus.PatchesJson6902 = append(kus.PatchesJson6902, kustypes.Patch{
-			Patch:  string(patch),
-			Target: adaptSelector(&m.Target),
-		})
-	}
-
-	for _, image := range kg.kustomization.Spec.Images {
-		newImage := kustypes.Image{
-			Name:    image.Name,
-			NewName: image.NewName,
-			NewTag:  image.NewTag,
-			Digest:  image.Digest,
-		}
-		if exists, index := checkKustomizeImageExists(kus.Images, image.Name); exists {
-			kus.Images[index] = newImage
-		} else {
-			kus.Images = append(kus.Images, newImage)
-		}
-	}
-
-	kd, err := yaml.Marshal(kus)
-	if err != nil {
-		return err
-	}
-	return os.WriteFile(kfile, kd, os.ModePerm)
-}
-
-func checkKustomizeImageExists(images []kustypes.Image, imageName string) (bool, int) {
-	for i, image := range images {
-		if imageName == image.Name {
-			return true, i
-		}
-	}
-
-	return false, -1
-}
-
-func (kg *KustomizeGenerator) generateKustomization(dirPath string) error {
-	fs, err := securefs.MakeFsOnDiskSecure(kg.root)
-	if err != nil {
-		return err
-	}
-
-	// Determine if there already is a Kustomization file at the root,
-	// as this means we do not have to generate one.
-	for _, kfilename := range konfig.RecognizedKustomizationFileNames() {
-		if kpath := filepath.Join(dirPath, kfilename); fs.Exists(kpath) && !fs.IsDir(kpath) {
-			return nil
-		}
-	}
-
-	scan := func(base string) ([]string, error) {
-		var paths []string
-		pvd := provider.NewDefaultDepProvider()
-		rf := pvd.GetResourceFactory()
-		err := fs.Walk(base, func(path string, info os.FileInfo, err error) error {
-			if err != nil {
-				return err
-			}
-			if path == base {
-				return nil
-			}
-			if info.IsDir() {
-				// If a sub-directory contains an existing kustomization file add the
-				// directory as a resource and do not decend into it.
-				for _, kfilename := range konfig.RecognizedKustomizationFileNames() {
-					if kpath := filepath.Join(path, kfilename); fs.Exists(kpath) && !fs.IsDir(kpath) {
-						paths = append(paths, path)
-						return filepath.SkipDir
-					}
-				}
-				return nil
-			}
-
-			extension := filepath.Ext(path)
-			if extension != ".yaml" && extension != ".yml" {
-				return nil
-			}
-
-			fContents, err := fs.ReadFile(path)
-			if err != nil {
-				return err
-			}
-
-			if _, err := rf.SliceFromBytes(fContents); err != nil {
-				return fmt.Errorf("failed to decode Kubernetes YAML from %s: %w", path, err)
-			}
-			paths = append(paths, path)
-			return nil
-		})
-		return paths, err
-	}
-
-	abs, err := filepath.Abs(dirPath)
-	if err != nil {
-		return err
-	}
-
-	files, err := scan(abs)
-	if err != nil {
-		return err
-	}
-
-	kfile := filepath.Join(dirPath, konfig.DefaultKustomizationFileName())
-	f, err := fs.Create(kfile)
-	if err != nil {
-		return err
-	}
-	if err = f.Close(); err != nil {
-		return err
-	}
-
-	kus := kustypes.Kustomization{
-		TypeMeta: kustypes.TypeMeta{
-			APIVersion: kustypes.KustomizationVersion,
-			Kind:       kustypes.KustomizationKind,
-		},
-	}
-
-	var resources []string
-	for _, file := range files {
-		resources = append(resources, strings.Replace(file, abs, ".", 1))
-	}
-
-	kus.Resources = resources
-	kd, err := yaml.Marshal(kus)
-	if err != nil {
-		return err
-	}
-
-	return os.WriteFile(kfile, kd, os.ModePerm)
-}
-
-func adaptSelector(selector *kustomize.Selector) (output *kustypes.Selector) {
-	if selector != nil {
-		output = &kustypes.Selector{}
-		output.Gvk.Group = selector.Group
-		output.Gvk.Kind = selector.Kind
-		output.Gvk.Version = selector.Version
-		output.Name = selector.Name
-		output.Namespace = selector.Namespace
-		output.LabelSelector = selector.LabelSelector
-		output.AnnotationSelector = selector.AnnotationSelector
-	}
-	return
-}
-
-// TODO: remove mutex when kustomize fixes the concurrent map read/write panic
-var kustomizeBuildMutex sync.Mutex
-
-// secureBuildKustomization wraps krusty.MakeKustomizer with the following settings:
-//   - secure on-disk FS denying operations outside root
-//   - load files from outside the kustomization dir path
-//     (but not outside root)
-//   - disable plugins except for the builtin ones
-func secureBuildKustomization(root, dirPath string, allowRemoteBases bool) (_ resmap.ResMap, err error) {
-	var fs filesys.FileSystem
-
-	// Create secure FS for root with or without remote base support
-	if allowRemoteBases {
-		fs, err = securefs.MakeFsOnDiskSecureBuild(root)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		fs, err = securefs.MakeFsOnDiskSecure(root)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// Temporary workaround for concurrent map read and map write bug
-	// https://github.com/kubernetes-sigs/kustomize/issues/3659
-	kustomizeBuildMutex.Lock()
-	defer kustomizeBuildMutex.Unlock()
-
-	// Kustomize tends to panic in unpredicted ways due to (accidental)
-	// invalid object data; recover when this happens to ensure continuity of
-	// operations
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("recovered from kustomize build panic: %v", r)
-		}
-	}()
-
-	buildOptions := &krusty.Options{
-		LoadRestrictions: kustypes.LoadRestrictionsNone,
-		PluginConfig:     kustypes.DisabledPluginConfig(),
-	}
-
-	k := krusty.MakeKustomizer(buildOptions)
-	return k.Run(fs, dirPath)
-}

controllers/kustomization_generator_test.go

@@ -1,59 +0,0 @@
-/*
-Copyright 2022 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"testing"
-
-	. "github.com/onsi/gomega"
-)
-
-func Test_secureBuildKustomization(t *testing.T) {
-	t.Run("remote build", func(t *testing.T) {
-		g := NewWithT(t)
-
-		_, err := secureBuildKustomization("testdata/remote", "testdata/remote", true)
-		g.Expect(err).ToNot(HaveOccurred())
-	})
-
-	t.Run("no remote build", func(t *testing.T) {
-		g := NewWithT(t)
-
-		_, err := secureBuildKustomization("testdata/remote", "testdata/remote", false)
-		g.Expect(err).To(HaveOccurred())
-	})
-}
-
-func Test_secureBuildKustomization_panic(t *testing.T) {
-	t.Run("build panic", func(t *testing.T) {
-		g := NewWithT(t)
-
-		_, err := secureBuildKustomization("testdata/panic", "testdata/panic", false)
-		g.Expect(err).To(HaveOccurred())
-		g.Expect(err.Error()).To(ContainSubstring("recovered from kustomize build panic"))
-		// Run again to ensure the lock is released
-		_, err = secureBuildKustomization("testdata/panic", "testdata/panic", false)
-		g.Expect(err).To(HaveOccurred())
-	})
-}
-
-func Test_secureBuildKustomization_rel_basedir(t *testing.T) {
-	g := NewWithT(t)
-
-	_, err := secureBuildKustomization("testdata/relbase", "testdata/relbase/clusters/staging/flux-system", false)
-	g.Expect(err).ToNot(HaveOccurred())
-}

controllers/kustomization_impersonation.go

@@ -1,200 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"fmt"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
-	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-
-	runtimeClient "github.com/fluxcd/pkg/runtime/client"
-)
-
-// KustomizeImpersonation holds the state for impersonating a service account.
-type KustomizeImpersonation struct {
-	client.Client
-	kustomization         kustomizev1.Kustomization
-	statusPoller          *polling.StatusPoller
-	defaultServiceAccount string
-	pollingOpts           polling.Options
-	kubeConfigOpts        runtimeClient.KubeConfigOptions
-}
-
-// NewKustomizeImpersonation creates a new KustomizeImpersonation.
-func NewKustomizeImpersonation(
-	kustomization kustomizev1.Kustomization,
-	kubeClient client.Client,
-	statusPoller *polling.StatusPoller,
-	defaultServiceAccount string,
-	kubeConfigOpts runtimeClient.KubeConfigOptions,
-	pollingOpts polling.Options) *KustomizeImpersonation {
-	return &KustomizeImpersonation{
-		defaultServiceAccount: defaultServiceAccount,
-		kustomization:         kustomization,
-		statusPoller:          statusPoller,
-		Client:                kubeClient,
-		kubeConfigOpts:        kubeConfigOpts,
-		pollingOpts:           pollingOpts,
-	}
-}
-
-// GetClient creates a controller-runtime client for talking to a Kubernetes API server.
-// If spec.KubeConfig is set, use the kubeconfig bytes from the Kubernetes secret.
-// Otherwise will assume running in cluster and use the cluster provided kubeconfig.
-// If a --default-service-account is set and no spec.ServiceAccountName, use the provided kubeconfig and impersonate the default SA.
-// If spec.ServiceAccountName is set, use the provided kubeconfig and impersonate the specified SA.
-func (ki *KustomizeImpersonation) GetClient(ctx context.Context) (client.Client, *polling.StatusPoller, error) {
-	switch {
-	case ki.kustomization.Spec.KubeConfig != nil:
-		return ki.clientForKubeConfig(ctx)
-	case ki.defaultServiceAccount != "" || ki.kustomization.Spec.ServiceAccountName != "":
-		return ki.clientForServiceAccountOrDefault()
-	default:
-		return ki.Client, ki.statusPoller, nil
-	}
-}
-
-// CanFinalize asserts if the given Kustomization can be finalized using impersonation.
-func (ki *KustomizeImpersonation) CanFinalize(ctx context.Context) bool {
-	name := ki.defaultServiceAccount
-	if sa := ki.kustomization.Spec.ServiceAccountName; sa != "" {
-		name = sa
-	}
-	if name == "" {
-		return true
-	}
-
-	sa := &corev1.ServiceAccount{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "ServiceAccount",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: ki.kustomization.Namespace,
-		},
-	}
-	if err := ki.Client.Get(ctx, client.ObjectKeyFromObject(sa), sa); err != nil {
-		return false
-	}
-
-	return true
-}
-
-func (ki *KustomizeImpersonation) setImpersonationConfig(restConfig *rest.Config) {
-	name := ki.defaultServiceAccount
-	if sa := ki.kustomization.Spec.ServiceAccountName; sa != "" {
-		name = sa
-	}
-	if name != "" {
-		username := fmt.Sprintf("system:serviceaccount:%s:%s", ki.kustomization.GetNamespace(), name)
-		restConfig.Impersonate = rest.ImpersonationConfig{UserName: username}
-	}
-}
-
-func (ki *KustomizeImpersonation) clientForServiceAccountOrDefault() (client.Client, *polling.StatusPoller, error) {
-	restConfig, err := config.GetConfig()
-	if err != nil {
-		return nil, nil, err
-	}
-	ki.setImpersonationConfig(restConfig)
-
-	restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	client, err := client.New(restConfig, client.Options{Mapper: restMapper})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	statusPoller := polling.NewStatusPoller(client, restMapper, ki.pollingOpts)
-	return client, statusPoller, err
-
-}
-
-func (ki *KustomizeImpersonation) clientForKubeConfig(ctx context.Context) (client.Client, *polling.StatusPoller, error) {
-	kubeConfigBytes, err := ki.getKubeConfig(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	restConfig, err := clientcmd.RESTConfigFromKubeConfig(kubeConfigBytes)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	restConfig = runtimeClient.KubeConfig(restConfig, ki.kubeConfigOpts)
-	ki.setImpersonationConfig(restConfig)
-
-	restMapper, err := apiutil.NewDynamicRESTMapper(restConfig)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	client, err := client.New(restConfig, client.Options{Mapper: restMapper})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	statusPoller := polling.NewStatusPoller(client, restMapper, ki.pollingOpts)
-
-	return client, statusPoller, err
-}
-
-func (ki *KustomizeImpersonation) getKubeConfig(ctx context.Context) ([]byte, error) {
-	secretName := types.NamespacedName{
-		Namespace: ki.kustomization.GetNamespace(),
-		Name:      ki.kustomization.Spec.KubeConfig.SecretRef.Name,
-	}
-
-	var secret corev1.Secret
-	if err := ki.Get(ctx, secretName, &secret); err != nil {
-		return nil, fmt.Errorf("unable to read KubeConfig secret '%s' error: %w", secretName.String(), err)
-	}
-
-	var kubeConfig []byte
-	switch {
-	case ki.kustomization.Spec.KubeConfig.SecretRef.Key != "":
-		key := ki.kustomization.Spec.KubeConfig.SecretRef.Key
-		kubeConfig = secret.Data[key]
-		if kubeConfig == nil {
-			return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a '%s' key with a kubeconfig", secretName, key)
-		}
-	case secret.Data["value"] != nil:
-		kubeConfig = secret.Data["value"]
-	case secret.Data["value.yaml"] != nil:
-		kubeConfig = secret.Data["value.yaml"]
-	default:
-		// User did not specify a key, and the 'value' key was not defined.
-		return nil, fmt.Errorf("KubeConfig secret '%s' does not contain a 'value' key with a kubeconfig", secretName)
-	}
-
-	return kubeConfig, nil
-}

controllers/kustomization_indexers.go

@@ -1,90 +0,0 @@
-/*
-Copyright 2020 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"fmt"
-
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/runtime/dependency"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-)
-
-func (r *KustomizationReconciler) requestsForRevisionChangeOf(indexKey string) func(obj client.Object) []reconcile.Request {
-	return func(obj client.Object) []reconcile.Request {
-		repo, ok := obj.(interface {
-			GetArtifact() *sourcev1.Artifact
-		})
-		if !ok {
-			panic(fmt.Sprintf("Expected an object conformed with GetArtifact() method, but got a %T", obj))
-		}
-		// If we do not have an artifact, we have no requests to make
-		if repo.GetArtifact() == nil {
-			return nil
-		}
-
-		ctx := context.Background()
-		var list kustomizev1.KustomizationList
-		if err := r.List(ctx, &list, client.MatchingFields{
-			indexKey: client.ObjectKeyFromObject(obj).String(),
-		}); err != nil {
-			return nil
-		}
-		var dd []dependency.Dependent
-		for _, d := range list.Items {
-			// If the revision of the artifact equals to the last attempted revision,
-			// we should not make a request for this Kustomization
-			if repo.GetArtifact().Revision == d.Status.LastAttemptedRevision {
-				continue
-			}
-			dd = append(dd, d.DeepCopy())
-		}
-		sorted, err := dependency.Sort(dd)
-		if err != nil {
-			return nil
-		}
-		reqs := make([]reconcile.Request, len(sorted))
-		for i := range sorted {
-			reqs[i].NamespacedName.Name = sorted[i].Name
-			reqs[i].NamespacedName.Namespace = sorted[i].Namespace
-		}
-		return reqs
-	}
-}
-
-func (r *KustomizationReconciler) indexBy(kind string) func(o client.Object) []string {
-	return func(o client.Object) []string {
-		k, ok := o.(*kustomizev1.Kustomization)
-		if !ok {
-			panic(fmt.Sprintf("Expected a Kustomization, got %T", o))
-		}
-
-		if k.Spec.SourceRef.Kind == kind {
-			namespace := k.GetNamespace()
-			if k.Spec.SourceRef.Namespace != "" {
-				namespace = k.Spec.SourceRef.Namespace
-			}
-			return []string{fmt.Sprintf("%s/%s", namespace, k.Spec.SourceRef.Name)}
-		}
-
-		return nil
-	}
-}

controllers/kustomization_varsub.go

@@ -1,109 +0,0 @@
-package controllers
-
-import (
-	"context"
-	"fmt"
-	"regexp"
-	"strings"
-
-	"github.com/drone/envsubst"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/kustomize/api/resource"
-	"sigs.k8s.io/yaml"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-)
-
-// varsubRegex is the regular expression used to validate
-// the var names before substitution
-const varsubRegex = "^[_[:alpha:]][_[:alpha:][:digit:]]*$"
-
-// substituteVariables replaces the vars with their values in the specified resource.
-// If a resource is labeled or annotated with
-// 'kustomize.toolkit.fluxcd.io/substitute: disabled' the substitution is skipped.
-func substituteVariables(
-	ctx context.Context,
-	kubeClient client.Client,
-	kustomization kustomizev1.Kustomization,
-	res *resource.Resource) (*resource.Resource, error) {
-	resData, err := res.AsYAML()
-	if err != nil {
-		return nil, err
-	}
-
-	key := fmt.Sprintf("%s/substitute", kustomizev1.GroupVersion.Group)
-
-	if res.GetLabels()[key] == kustomizev1.DisabledValue || res.GetAnnotations()[key] == kustomizev1.DisabledValue {
-		return nil, nil
-	}
-
-	vars := make(map[string]string)
-
-	// load vars from ConfigMaps and Secrets data keys
-	for _, reference := range kustomization.Spec.PostBuild.SubstituteFrom {
-		namespacedName := types.NamespacedName{Namespace: kustomization.Namespace, Name: reference.Name}
-		switch reference.Kind {
-		case "ConfigMap":
-			resource := &corev1.ConfigMap{}
-			if err := kubeClient.Get(ctx, namespacedName, resource); err != nil {
-				if reference.Optional && apierrors.IsNotFound(err) {
-					continue
-				}
-				return nil, fmt.Errorf("substitute from 'ConfigMap/%s' error: %w", reference.Name, err)
-			}
-			for k, v := range resource.Data {
-				vars[k] = strings.ReplaceAll(v, "\n", "")
-			}
-		case "Secret":
-			resource := &corev1.Secret{}
-			if err := kubeClient.Get(ctx, namespacedName, resource); err != nil {
-				if reference.Optional && apierrors.IsNotFound(err) {
-					continue
-				}
-				return nil, fmt.Errorf("substitute from 'Secret/%s' error: %w", reference.Name, err)
-			}
-			for k, v := range resource.Data {
-				vars[k] = strings.ReplaceAll(string(v), "\n", "")
-			}
-		}
-	}
-
-	// load in-line vars (overrides the ones from resources)
-	if kustomization.Spec.PostBuild.Substitute != nil {
-		for k, v := range kustomization.Spec.PostBuild.Substitute {
-			vars[k] = strings.ReplaceAll(v, "\n", "")
-		}
-	}
-
-	// run bash variable substitutions
-	if len(vars) > 0 {
-		r, _ := regexp.Compile(varsubRegex)
-		for v := range vars {
-			if !r.MatchString(v) {
-				return nil, fmt.Errorf("'%s' var name is invalid, must match '%s'", v, varsubRegex)
-			}
-		}
-
-		output, err := envsubst.Eval(string(resData), func(s string) string {
-			return vars[s]
-		})
-		if err != nil {
-			return nil, fmt.Errorf("variable substitution failed: %w", err)
-		}
-
-		jsonData, err := yaml.YAMLToJSON([]byte(output))
-		if err != nil {
-			return nil, fmt.Errorf("YAMLToJSON: %w", err)
-		}
-
-		err = res.UnmarshalJSON(jsonData)
-		if err != nil {
-			return nil, fmt.Errorf("UnmarshalJSON: %w", err)
-		}
-	}
-
-	return res, nil
-}

controllers/kustomization_wait_test.go

@@ -1,209 +0,0 @@
-/*
-Copyright 2021 The Flux authors
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package controllers
-
-import (
-	"context"
-	"fmt"
-	"testing"
-	"time"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
-	. "github.com/onsi/gomega"
-	apimeta "k8s.io/apimachinery/pkg/api/meta"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-)
-
-func TestKustomizationReconciler_HealthCheck(t *testing.T) {
-	g := NewWithT(t)
-	id := "wait-" + randStringRunes(5)
-	revision := "v1.0.0"
-
-	err := createNamespace(id)
-	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
-
-	err = createKubeConfigSecret(id)
-	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
-
-	manifests := func(name string, data string) []testserver.File {
-		return []testserver.File{
-			{
-				Name: "config.yaml",
-				Body: fmt.Sprintf(`---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: %[1]s
-data:
-  key: "%[2]s"
----
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
-  name: aws-efs
-  namespace: was-system
-provisioner: aws-efs
-parameters:
-  gidMin: "2200"
-  gidMax: "2299"
-  gidAllocate: "true"
-`, name, data),
-			},
-		}
-	}
-
-	artifact, err := testServer.ArtifactFromFiles(manifests(id, id))
-	g.Expect(err).NotTo(HaveOccurred())
-
-	repositoryName := types.NamespacedName{
-		Name:      fmt.Sprintf("wait-%s", randStringRunes(5)),
-		Namespace: id,
-	}
-
-	err = applyGitRepository(repositoryName, artifact, revision)
-	g.Expect(err).NotTo(HaveOccurred())
-
-	kustomizationKey := types.NamespacedName{
-		Name:      fmt.Sprintf("wait-%s", randStringRunes(5)),
-		Namespace: id,
-	}
-	kustomization := &kustomizev1.Kustomization{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      kustomizationKey.Name,
-			Namespace: kustomizationKey.Namespace,
-		},
-		Spec: kustomizev1.KustomizationSpec{
-			Interval: metav1.Duration{Duration: 2 * time.Minute},
-			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
-					Name: "kubeconfig",
-				},
-			},
-			SourceRef: kustomizev1.CrossNamespaceSourceReference{
-				Name:      repositoryName.Name,
-				Namespace: repositoryName.Namespace,
-				Kind:      sourcev1.GitRepositoryKind,
-			},
-			TargetNamespace: id,
-			Prune:           true,
-			Timeout:         &metav1.Duration{Duration: time.Second},
-			Wait:            true,
-		},
-	}
-
-	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
-
-	resultK := &kustomizev1.Kustomization{}
-
-	g.Eventually(func() bool {
-		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-		return resultK.Status.LastAppliedRevision == revision
-	}, timeout, time.Second).Should(BeTrue())
-
-	t.Run("reports healthy status", func(t *testing.T) {
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			ready := apimeta.IsStatusConditionTrue(resultK.Status.Conditions, meta.ReadyCondition)
-			healthy := apimeta.IsStatusConditionTrue(resultK.Status.Conditions, kustomizev1.HealthyCondition)
-			return ready && healthy
-		}, timeout, time.Second).Should(BeTrue())
-	})
-
-	t.Run("reports unhealthy status", func(t *testing.T) {
-		reconcileRequestAt := metav1.Now().String()
-		g.Eventually(func() error {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			resultK.SetAnnotations(map[string]string{
-				meta.ReconcileRequestAnnotation: reconcileRequestAt,
-			})
-			resultK.Spec.Wait = false
-			resultK.Spec.HealthChecks = []meta.NamespacedObjectKindReference{
-				{
-					APIVersion: "v1",
-					Kind:       "ConfigMap",
-					Name:       "does-not-exists",
-					Namespace:  id,
-				},
-			}
-			return k8sClient.Update(context.Background(), resultK)
-		}, timeout, time.Second).Should(BeNil())
-
-		readyCondition := &metav1.Condition{}
-		healthyCondition := &metav1.Condition{}
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			readyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			healthyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, kustomizev1.HealthyCondition)
-			return healthyCondition.Reason == meta.ProgressingReason
-		}, timeout, time.Second).Should(BeTrue())
-
-		expectedMessage := "running health checks"
-		g.Expect(readyCondition.Status).To(BeIdenticalTo(metav1.ConditionUnknown))
-		g.Expect(readyCondition.Message).To(ContainSubstring(expectedMessage))
-		g.Expect(healthyCondition.Status).To(BeIdenticalTo(metav1.ConditionUnknown))
-		g.Expect(healthyCondition.Message).To(ContainSubstring(expectedMessage))
-
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			readyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			healthyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, kustomizev1.HealthyCondition)
-			return healthyCondition.Reason == kustomizev1.HealthCheckFailedReason
-		}, time.Minute, time.Second).Should(BeTrue())
-
-		g.Expect(resultK.Status.LastHandledReconcileAt).To(BeIdenticalTo(reconcileRequestAt))
-		g.Expect(readyCondition.Status).To(BeIdenticalTo(metav1.ConditionFalse))
-		g.Expect(healthyCondition.Status).To(BeIdenticalTo(metav1.ConditionFalse))
-		g.Expect(healthyCondition.Message).To(BeIdenticalTo(kustomizev1.HealthCheckFailedReason))
-	})
-
-	t.Run("emits unhealthy event", func(t *testing.T) {
-		events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
-		g.Expect(len(events) > 0).To(BeTrue())
-		g.Expect(events[len(events)-1].Type).To(BeIdenticalTo("Warning"))
-		g.Expect(events[len(events)-1].Message).To(ContainSubstring("does-not-exists"))
-	})
-
-	t.Run("recovers and reports healthy status", func(t *testing.T) {
-		g.Eventually(func() error {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			resultK.Spec.Wait = true
-			return k8sClient.Update(context.Background(), resultK)
-		}, timeout, time.Second).Should(BeNil())
-
-		g.Eventually(func() bool {
-			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			ready := apimeta.IsStatusConditionTrue(resultK.Status.Conditions, meta.ReadyCondition)
-			healthy := apimeta.IsStatusConditionTrue(resultK.Status.Conditions, kustomizev1.HealthyCondition)
-			return ready && healthy
-		}, timeout, time.Second).Should(BeTrue())
-	})
-
-	t.Run("emits recovery event", func(t *testing.T) {
-		expectedMessage := "Health check passed"
-		events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
-		g.Expect(len(events) > 1).To(BeTrue())
-		g.Expect(events[len(events)-2].Type).To(BeIdenticalTo("Normal"))
-		g.Expect(events[len(events)-2].Message).To(ContainSubstring(expectedMessage))
-	})
-}

controllers/testdata/panic/secret.age.yaml

@@ -1,27 +0,0 @@
-apiVersion: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-kind: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-metadata:
-    name: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-    namespace: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-stringData:
-    secret: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGduOFZjRWw2WTFQdWdu
-            OS83OEZaN1E1aU1zSThhMlNEZzd0aEYvdURFCnE3bmJ5c3J2cDNEbXhselFPVC9v
-            NFhMRjZjOHZOdEpoYjdiS0ZPd2pvN1kKLS0tIDZUVEFoblpDNWhnaWxYRTBjaktk
-            bHRXV0o1K2ZDNm5Mem5SdzNBMTNuNFUKylE2cRLqydjj6e4+4Giwn4y8mIPej+CM
-            Bab3UWiK1da2rFNTOEnoHl6QDAVxNrWdrrIa5k22SzApT88VtJ4xuQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2021-04-06T09:07:05Z"
-    mac: ENC[AES256_GCM,data:oaM8qFtEP8dOCd/Tr5yb08uetsnDtZO8o1rCayN53ncQ1HUAdhRBrFdmbYx1YTh1mwQVVN6sGYqFZU1LBMVv5pTqvpwd41biJZEg8NznXQWx0GA2Z6HOrblGhFZKrqky3P5xN+6j63zkJizXWgBMKzRvBnsVKxjZGr/lk1vVVv4=,iv:p4y9Fo3SArkEMuoK2d9sQYgNdc0iw/StFhg/5LnhcXM=,tag:61JGbnEw35tv6WnGj46JOw==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.0

controllers/testdata/relbase/clusters/base/configmap.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cm
-  namespace: foo
-data:
-  key: value

controllers/testdata/relbase/clusters/staging/flux-system/secret.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: secret
-  namespace: foo
-stringData:
-  foo: bar

controllers/testdata/remote/kustomization.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - github.com/fluxcd/kustomize-controller//config/crd?ref=main
-  - git::https://github.com/fluxcd/kustomize-controller//config/rbac?ref=main
-  - https://github.com/fluxcd/kustomize-controller//config/manager?ref=main

controllers/testdata/sops/.sops.yaml

@@ -1,11 +0,0 @@
-# creation rules are evaluated sequentially, the first match wins
-creation_rules:
-  # files using age
-  - path_regex: \.age.yaml$
-    encrypted_regex: ^(data|stringData)$
-    age: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
-  - path_regex: month.yaml$
-    pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
-  # fallback to PGP
-  - encrypted_regex: ^(data|stringData)$
-    pgp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1

controllers/testdata/sops/day.txt

@@ -1 +0,0 @@
-day=Tuesday

controllers/testdata/sops/day.txt.encrypted

@@ -1,20 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:YWPHPTVOCWivqZu0,iv:tLqbJD/KN2BchlAz1mnf4FtMY+SP5hiBYJP6dHy8gtc=,tag:Aj9T0Q7y9baA84EfEt8MfQ==,type:str]",
-	"sops": {
-		"kms": null,
-		"gcp_kms": null,
-		"azure_kv": null,
-		"hc_vault": null,
-		"lastmodified": "2021-04-27T20:27:20Z",
-		"mac": "ENC[AES256_GCM,data:1OqDvIaUpOKFa1vsa6nc+GHIvsxwQ3JhJsDTp+Yl2r8y0+n0VUbCm9FyqVvq8ur3Y3NyZfX+7FL6HxgTN0RnSMdwK1X16ioGWBk4CM3K7W8tyY7gmhddsuJqSDZdV7Hr2s7FB6LZJAHWO9vTn9zXM75Ef0B5yuOgzp29LmIhCK4=,iv:8ozNZ7IgDub2vICSzHWcAdx7/sVEoe8YayXYrAkN0BM=,tag:UwE0b6eTpA9uir+4Mwed7g==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2021-04-27T20:27:20Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA90SOJihaAjLAQ//cd4d6zghXW7uJ8rk0PoWiCVy5BeYwnInJT4uqJ5uUY62\nFLlsM4ZJB2SSBHGcXdwkWqTXeLLmD8aEuAe0lfutcOYyMZVWeYY+wybyJ5TgBMAo\nvEJoY67felWRb4h0BzkHIG/ZLiuDTV020GJNH2tGgE/mXVPhYosQ+EmA5EF45vfj\nqx2LjZjsCg28FK2qkXnHHjOV/12OnGpR0y6t9GijBUtttyjYaXUpNUSUiHHMjXyL\nQnKlRPt9N2QF6oUQVEwr9plNYKTfmeqUwWh6wFAaWF/104oSOwXFA8ID5wF6de1j\ntnzVf+1Ld5WNmXGmrz/6ugWfcU/3147EuPodjTyQIFMTxA6V7Z7BORjhuxFpR/jS\noZJF/SS70fg9J7sdizWKFNkqS9pPasdNHcGuXU+KGkD2ya54WyUDE86gMq0xtEf3\nMmQJRnjHuriD5EvnKmDJ+QE9nU0ld0kyfVUueHQHCtuuw7yZGi8vlyyjOq4nqCGV\nZ4TJcmpt7pKoxEAnp2tImnos7DbEoQMl7RIYgrhxS7Nej9naYeadFz/G84uwjfm0\nBr5J3A+xtG37HXQWqtd7EXmy/I94okNVXeAZuuQFt/So78jJ4H9uQK1snukPNBhr\nG8aM8SfdrTbp4KZQpm2RJwNdhbHzHoz2M2Dc6Eo14FceW0R0jYDaKTwKeNIgH6jS\nXgGdX+eJRyC1yhp6HAXOaaR9MvXJ8xCi6clWRpI9h3wxnrZtg+pERFeHhp2Ldlww\nRTjw4g3Cp9GQJB/0aTkVVOPmZ4/jpCyUS6hiV3cEE4veuDYZ20evpgO4sld6Ve8=\n=1o9a\n-----END PGP MESSAGE-----\n",
-				"fp": "35C1A64CD7FC0AB6EB66756B2445463C3234ECE1"
-			}
-		],
-		"encrypted_regex": "^(data|stringData)$",
-		"version": "3.6.0"
-	}
-}

controllers/testdata/sops/month/month.yaml

@@ -1,32 +0,0 @@
-month: ENC[AES256_GCM,data:9e+R,iv:EzJxah6sCY2D9L76l/CuVq6qVq2ncJDYphm9gXE/ZgM=,tag:r82agynzHp/aOTVo6Iu9wg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2021-05-31T11:27:34Z"
-    mac: ENC[AES256_GCM,data:BV/jKqSzKr2sq/yA4HToFseOWOB04cYo+54Dby/Jp4ZuVwxNt1i02zncsvWyQZK5WFcvK47brvzN6fWJyyf5WnX+XISbuUDGMWjqNG/te3YKEY4ZqJUopDF/AxDZDkUC5KdnIln6RZqtHuJH18J35kakWFrg1YOJtI28ZVK5yBM=,iv:T6JJkYbfqpUz2AClToZtSsuVbUXcPD5nqaUhJJdH6Uc=,tag:jvmH8iyfivoGIt1k+Uodrg==,type:str]
-    pgp:
-        - created_at: "2021-05-31T11:27:34Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA90SOJihaAjLAQ/9HYs2HyaYL9dOj8zIAr3JzqEFHlMX59Vw8kj9KxBQJXYQ
-            N3mE/HHQVBWk/36Pq/14n0Eals8GwivDDiJmovfeRASmb0/LnGQDzMkDGEJvyu7N
-            Q69rBjzVWbmMPgI0vQb0zTBRcUW+LnSijkv+H5mxuFnnZd8N3UeFLHX2oKNeA7O3
-            pYjjK8vr6KaXJqYfH+bFs29cnk0+xZiThr21cz40yFZD7ynns4xjdVtqI5bvGk/F
-            bDW7oGgJe+q/9OHKJaVESLrcZMe2lLxA7x821ssq6BlNzv9DHTc7PloVNepsze6d
-            MBTgzAZoH04ENQSiL9qo24AVGaFhUXak7MslxE8nhjFJD6sfb0Q/LtlhOSpDw7NR
-            gugPzQuQLGN9U54id0bql8CBi58g0wdxjo6kDlMYTEd9CZbugfM1pR1imknlgPLi
-            7ODDrWTTxnZm4+hZRj7EjMGlRshavPgZ/rgT1tTnjNw9c+llgCWW8Ei8JOEvA86M
-            DwsPzodesMO56yf3MJPAgakCapTH9VMad+E63yUMsNAX6+otrjgssvxg3j8KnjPp
-            Z7593P7RGYrRR+YwEi5nTHmDL1H80vP6pNnBGd7wLa3TLzypkDiZSKY6vq6vSIwd
-            QOpLX3VC2X53mtWmNm7oWxKLX3hKPrjTqBYE0EDK7Yc0q8rj++ygntOekI+WSm/S
-            XAG4Ufue6i2MTvnZmK/Byt+E/zT4jRmjRQImGekHB+rLYfM3Z85i6ExH4OCCWNqC
-            rg4DqrWTS8Nvt2PE5UC3Phqe51D4/ZrQPVPkFQftgQl44xECv4X8rI7RTux6
-            =HE0m
-            -----END PGP MESSAGE-----
-          fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
-    unencrypted_suffix: _unencrypted
-    version: 3.7.1

controllers/testdata/sops/month/unencrypted-year.env

@@ -1 +0,0 @@
-year=2021

controllers/testdata/sops/month/year.env

@@ -1,7 +0,0 @@
-year=ENC[AES256_GCM,data:EfNnlA==,iv:pBaHDmjQ1d6JrA0Rk19giCQon7CP37hZ0dEQTkJEw1U=,tag:J29CEN9S6pSie8tsAD2REA==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NHYyMHdNcXhMS2x6aXJq\nTHVhbUYrcW8waFduN1NoWUIyTWFuMmNEVGpzCjUxb05zUndSdnpiQng2VnZ2SkNF\nbnlzY0VmaVd1Z0xZR2FKdDRPQlhKSE0KLS0tIDlEaGgwT3VHcUg5QzFpenZNOTBk\nbUZ5QkRnY0kwMFpYanFLYTlvc0FXdXMKb32CnEO8yg91kkUMFXhBL5Sfz32dNOJT\ntNGdKcOGVBzOJVgU1RquB+5OcJdbuwdV7GCq8KvXqh5fypTI00hZeg==\n-----END AGE ENCRYPTED FILE-----\n
-sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
-sops_lastmodified=2021-10-14T15:35:45Z
-sops_mac=ENC[AES256_GCM,data:brSfy5j0wETn6YT7p8qoCSuI6bevGwrxBbtcqBSYRJ+GgLAr9a7rtwHK8/BnKCi1C1H/zGa1gEERqz2j6Zw0uS4V5lejvtDtfRn9DwYWQ2Aqo2zi4crfNhljerwQVa/Hy9pq2falIZyyhoDX30WOoLe+2eZWQXLtFlVkx4x7U1s=,iv:wr4szytKCN9j6dqccZZl0bkDUHsOtFSvDXjdpuZwTbA=,tag:N1uQ25uLS+E6yQPzXJRiNw==,type:str]
-sops_version=3.7.1
-sops_unencrypted_suffix=_unencrypted

controllers/testdata/sops/secret.age.yaml

@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: sops-age
-stringData:
-    secret: ENC[AES256_GCM,data:RwzrBF8wy16SpfbQoeADeKyz,iv:DuJce2Ebx1Y49DaLCOJ74OOkgiv21roxhz/sZqKCSSs=,tag:Gg9XHapZI5q+rvtgeY6nrg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGduOFZjRWw2WTFQdWdu
-            OS83OEZaN1E1aU1zSThhMlNEZzd0aEYvdURFCnE3bmJ5c3J2cDNEbXhselFPVC9v
-            NFhMRjZjOHZOdEpoYjdiS0ZPd2pvN1kKLS0tIDZUVEFoblpDNWhnaWxYRTBjaktk
-            bHRXV0o1K2ZDNm5Mem5SdzNBMTNuNFUKylE2cRLqydjj6e4+4Giwn4y8mIPej+CM
-            Bab3UWiK1da2rFNTOEnoHl6QDAVxNrWdrrIa5k22SzApT88VtJ4xuQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2021-04-06T09:07:05Z"
-    mac: ENC[AES256_GCM,data:oaM8qFtEP8dOCd/Tr5yb08uetsnDtZO8o1rCayN53ncQ1HUAdhRBrFdmbYx1YTh1mwQVVN6sGYqFZU1LBMVv5pTqvpwd41biJZEg8NznXQWx0GA2Z6HOrblGhFZKrqky3P5xN+6j63zkJizXWgBMKzRvBnsVKxjZGr/lk1vVVv4=,iv:p4y9Fo3SArkEMuoK2d9sQYgNdc0iw/StFhg/5LnhcXM=,tag:61JGbnEw35tv6WnGj46JOw==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.0

controllers/testdata/sops/secret.day.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-data:
-  secret: ewoJImRhdGEiOiAiRU5DW0FFUzI1Nl9HQ00sZGF0YTpCZDJuL1VCc21KN2NYYXVvLGl2OmR4c25ncWVDVitzVVVIM24rVTZ1N1F3WjEvRFptM3RhVlVOSjJRTFNlWGM9LHRhZzp3enhxUjA2MWRmbmVhQmlMNHRxaTN3PT0sdHlwZTpzdHJdIiwKCSJzb3BzIjogewoJCSJrbXMiOiBudWxsLAoJCSJnY3Bfa21zIjogbnVsbCwKCQkiYXp1cmVfa3YiOiBudWxsLAoJCSJoY192YXVsdCI6IG51bGwsCgkJImxhc3Rtb2RpZmllZCI6ICIyMDIxLTA0LTI3VDE5OjQ4OjIwWiIsCgkJIm1hYyI6ICJFTkNbQUVTMjU2X0dDTSxkYXRhOkUwQmFsdjRGcWRiQVNRSGNpa2oyaURTeTdCTjBVSUY3cHhlSFNwUUZ2dXF6akVtRWlDV2xJRFl0dmgxY2t4ZnZxNHpYS2xITkp6QitkM1RSaHNuaGtIZ2tSWFA1MldwUkNHZ1pwY3h5Q3FCTmhhL00wRGNGY1ZZZG14T2NVNEU4eFdsdFRuektzZll0bVkvTVludmVJT1htNkpmMUhPS2FVM1EwdzBGbG8wQT0saXY6QWgza0puZEI3UnE5RVV3ZUc0TUMzUmh5bXRYRXY0ellIc2M3M3NxQzlGdz0sdGFnOnpOS3ZHcW5WNG8yWTdhNUJTV28yZEE9PSx0eXBlOnN0cl0iLAoJCSJwZ3AiOiBbCgkJCXsKCQkJCSJjcmVhdGVkX2F0IjogIjIwMjEtMDQtMjdUMTk6NDg6MjBaIiwKCQkJCSJlbmMiOiAiLS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tXG5cbmhRSU1BOTBTT0ppaGFBakxBUS8vZGo2NzlnSXpKdU1vc05wdkRZQVNUOVF4MjBGdmJOREsvTDhmY2xlTFd0NHpcbktWaHdlTnRRdXhZbXA1a2Z6VUpBWXh2Mk01a2NSWFo1QzVDWDJLSER2N1lxVWRRdVdMam9wTFRmR1RPcE56RlBcbjNyZE5sRXZKMC8zSXdteEhtYXVPbUpPazByRUQrOXZtTXNCL3pnaXIxWkd2d0tTNVM5dW9XSDN6bUlVdmJBR29cbmpCKzAxRkdqaXlYRUhSanFzbFlMZ0tXczhZaVR4anNPOVd3QlU0ZmRySzRCKytEaWFweVdFcDJYVWhFZWt6MjFcbjR3dXU5dEp5TmtOWXpmMXNXUWxMc1lPblMzRkkrNSsrMFg1SmREYWtFVmkzSnF1TmtLeDRuWms3ZHJqcktnM1hcbnJPWTc1YnIxdGkwTkxrQWFsaUwvbEJSR3JCTW5BeTViV0l4dkpoSmtqRGMyZTNBWmJNbXdJQ0FJZ05kMEcrNFBcbkJqWkhNWnZUQk1RN0VvWFhGeVg5K3JKKzFnUzF5UEJuaFNma3lrSmJSR1ljdnB1RVRFL1NyK0FSa0s0cHV5bFVcbk5sdU8xZmdOMEF1STVqVll2NzJ1MzJWZEw2N2ZYbjlPdjhFYmlkdVVKcWoxZXB3Mk53dDNZK2xrNERLbVBybVRcbjFRTzF3OC96UHo1SlR0U1R4ZXFJak4weXBTazFocE9XekNwOTE0QmgxckFscXFxakorc0Q4dkVseEk2N2JSWG5cblY1alBkZkQwQktLU0tqS0ZLeVhnUHdPdCtvd2xTTDROR0V6bmdTcmsyeDlTcHVDdWQweXpoeVpta2tHRm5JKzdcbmhpT2kzeGxmZnkvRWY4TDkvaWhDbmJQc1pTck50L0RPQlVGK0ZGQUlmZitpUElPRTBieGZCaHpMNWZOTS9ZdlNcblhBRS9pYk42NktLT2ZwYWlqWnRXSkdTY1RHVVlYMkt2WTAwN2h6Y1ErR3BaZUZOd3oyUlpEd3BkTzZ4N3JHelFcbkFHQUtjd2pTYXcramluVzQwWmZnOWQ5YmFMdWRYTDRXVU9FSUdTN2FpWjNFNjJTSFJGU2U0dmNpSVh6blxuPThRcmZcbi0tLS0tRU5EIFBHUCBNRVNTQUdFLS0tLS1cbiIsCgkJCQkiZnAiOiAiMzVDMUE2NENEN0ZDMEFCNkVCNjY3NTZCMjQ0NTQ2M0MzMjM0RUNFMSIKCQkJfQoJCV0sCgkJImVuY3J5cHRlZF9yZWdleCI6ICJeKGRhdGF8c3RyaW5nRGF0YSkkIiwKCQkidmVyc2lvbiI6ICIzLjYuMCIKCX0KfQ==
-kind: Secret
-metadata:
-  creationTimestamp: null
-  name: sops-day

controllers/testdata/sops/secret.vault.yaml

@@ -1,8 +0,0 @@
-apiVersion: v1
-data:
-    secret: bXktc29wcy12YXVsdC1zZWNyZXQK
-kind: Secret
-metadata:
-    name: sops-hcvault
-    namespace: default
-type: Opaque

controllers/testdata/sops/secret.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: sops-pgp
-stringData:
-    secret: ENC[AES256_GCM,data:rZEmadbj49GoQLlK85hKKAsc,iv:FX4Dfbd173bZQdUgEVRo4q29m/Gz9ob07QHFuiCAufA=,tag:VM6tzAVdGjsythy2Mr5tvw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2021-04-06T09:07:19Z"
-    mac: ENC[AES256_GCM,data:iBg8FY39VSykcWZ/asv86P3VNZkscQdINNOy3UtI5m4OWDpUkyDuq66w7ELiiEXJ3D+b7JKJrsSrYtT7Tn7t+NZGxJcLQFEczozvWgKd2hCikxnMEepCJ3tRcoz7JaItommi1HvA08syGfLA5f6eOxsHQWzmjVdYaVpQ4VGRibk=,iv:VI+Fb7dXV4442IMKZSHOb0GJ/2nNgK9AUTblOZ49Oco=,tag:gJjFguJeE7irKZW7yZi0jw==,type:str]
-    pgp:
-        - created_at: "2021-04-06T09:07:19Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA90SOJihaAjLAQ/+LnZo9UHmJ2Llcpq6m5gjo5hbCx6aYTbrvJOFCWeu2oyC
-            71XsuTUzBp7TK8SkGrxlJmUodezACQ3rCsKY/r2GI4t9HkVRSuhnc/YQMunm3iG1
-            bsgfdV/KBm0Go7dFXy2R1Pt3PuVnuM9MZ59U4SdqYGZDI7vzy2gfH127qa3oIOoF
-            2OFfwhUy8nZIVCJ47ExIdrc7Qdk94tbLfwmBAKHFN4Ab0YXasKCpH9O+9/vQ+JJU
-            7xy61Nv4dqtEDYU9QTh2ZuT6ZaWikTqCcIv/W7lW1RsT8n7YiRZv9POobKDh5KbP
-            PyfqvJsLcJB8LHN2kZfwr6Iemuce19kRi+7JL9zMGRJSsq0thJ0ly3JBi48pU27w
-            jbFnmxlIwfb0EsLBp9lsxw7GoUbooSC/rfI5NVeQ+4lFA4gQn2oz7i4zTYesnwil
-            lrgMxz49SSluAYsGjrJHc+ABmlDz83K42KtWlNjwaIbDgHMl4EbYUe4pxcynEZ6D
-            0csDIsIA15MP0THfTL1F1vkhvdPHNuUlVjFqgWaJAP2CC5KH8IeTCUN72FySEYAB
-            BJH+VQoRnS942M8VQAfUQyBsfZKtQhyCkU7KEimUjQzy75JWgy8YMX1mviXk52qB
-            kVHQIjNEuBta58pmNyhxc+6+bz+ABGp+mR9QemUQjmXghH3VjOwnZVj6KMMX4J3S
-            XgEubPmw6u4nYqb9bLDVyE2uXXA4TVgFDuZxJrbZOn9zF2aQOOGfZX2Gx5xgK+pV
-            srM1wyJqdP+QL/fWO9ZI38+tyr1T5zOBPpJ/JTrkSJoVeRWpwuI6BUCZhH66nfU=
-            =+1cf
-            -----END PGP MESSAGE-----
-          fp: 35C1A64CD7FC0AB6EB66756B2445463C3234ECE1
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.0

controllers/testdata/test-dotenv/bases/secrets/year2.txt

@@ -1,7 +0,0 @@
-year=ENC[AES256_GCM,data:HoFRvaM=,iv:XNDFLkONNvKSKkbqErVx1/tnEtDuZIG3SficCd7NIaM=,tag:aC7SCerL01kYyXyXkWR2ag==,type:str]
-sops_unencrypted_suffix=_unencrypted
-sops_mac=ENC[AES256_GCM,data:s75x7NzSjmkovCOopnT1eIfXMAdwwsN8KoVdVbAYDTAsB856w/i/W/JshXAUdr5SnXHNbtwzEha/HSppnWEQw1nds18yZCeIW54QE7yxvBKw9Mhd3wxHWiZWziTY0awbYinbyQ45zpq1Iz97BueNjhwtZWMQzRKLQvwyqEljTHs=,iv:AuKqCzIgTYcogtyLrtM6VdgwKTlDE3uMxvVaWbpKBOA=,tag:Ija+U/97TxxWoXYDpG6+jg==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV1FYTkdzV210SkswWmty\nZzZSVzlCUlRQcVNEOVpYSWNSSWtPd00rcDJrCjZKVVp6aFY2cHJQbm9oY2Q1Z2N3\nLzBWalF4ZHZYTU5kMlcwaGRvYkVKcFEKLS0tIG1QTjNuY0pRbFBqT3dFNFROQWU3\nTWQxNVlUNG8rblQyYmJoaCtKSGcrdE0KjUJ+hGiyCkzUG41mwT3rAb0BdwBF8303\nhBDRmW+DjP1ETrGTXviTS1Cq29IX1K2KdBRxixjtwewkXV/i87wHRA==\n-----END AGE ENCRYPTED FILE-----\n
-sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29
-sops_lastmodified=2021-10-15T11:09:14Z
-sops_version=3.7.1

controllers/testdata/test-dotenv/overlays/year1.env

@@ -1,7 +0,0 @@
-year=ENC[AES256_GCM,data:tV/GLTE=,iv:AtEKKSUa4BiTnDzGMtpGrO78NuR0wMXzjKrQScbtX24=,tag:zAzcBzQ6ORO+NhcY3idHcA==,type:str]
-sops_lastmodified=2021-10-15T11:08:51Z
-sops_unencrypted_suffix=_unencrypted
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFU29oWEh2ckRjaCs3d1FJ\nYTkxN0dqY1lsc1dEUmZ4OGN0N1BHK0xxQld3CmpTL2Z2VDloQStCYnRmYnJ0SDFj\nVU9USmszbU44YUxzRi95Q0sxY2t0bkUKLS0tIC80Ulh1RWJPeUFqbUFNSjFOeGIy\nY001MzMwbnRsQXlsN1VVY2xLY20yazQKYhZQGZpay9J1cnGiHCKBY6DtYMCSIBo7\nAP41GiVukT6M4LT83TpWzWgbR/xNgreKdNpweYcw+Fp+wJHVeR3+fg==\n-----END AGE ENCRYPTED FILE-----\n
-sops_mac=ENC[AES256_GCM,data:rw8vAq+8nqa5/V8p/ICuVKXNQCeTIFExF33qy1YEbc8f4kePDhTlGqxluEytbWOhk+hzCd4POk+zY8bWBY2QSiq0lle2rCtE2WT3I04/+bHzX74yMBuadYLqiUFEhkra/58FXD404PPJBUrOy8mAPgWVczcqMexYhzz//tPdGMY=,iv:yk3CsyGigCSHonvMBTQvjg+kgNssf87KqlKeR6FE8sk=,tag:dCaOhh97ebJWNT5v35n6Iw==,type:str]
-sops_version=3.7.1
-sops_age__list_0__map_recipient=age1l44xcng8dqj32nlv6d930qvvrny05hglzcv9qpc7kxjc6902ma4qufys29

docs/api/v1/kustomize.md

@@ -1,17 +1,18 @@
-<h1>Kustomize API reference</h1>
+<h1>Kustomize API reference v1</h1>
 <p>Packages:</p>
 <ul class="simple">
 <li>
-<a href="#kustomize.toolkit.fluxcd.io%2fv1beta2">kustomize.toolkit.fluxcd.io/v1beta2</a>
+<a href="#kustomize.toolkit.fluxcd.io%2fv1">kustomize.toolkit.fluxcd.io/v1</a>
 </li>
 </ul>
-<h2 id="kustomize.toolkit.fluxcd.io/v1beta2">kustomize.toolkit.fluxcd.io/v1beta2</h2>
-<p>Package v1beta2 contains API Schema definitions for the kustomize.toolkit.fluxcd.io v1beta2 API group.</p>
+<h2 id="kustomize.toolkit.fluxcd.io/v1">kustomize.toolkit.fluxcd.io/v1</h2>
+<p>Package v1 contains API Schema definitions for the kustomize.toolkit.fluxcd.io
+v1 API group.</p>
 Resource Types:
 <ul class="simple"><li>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.Kustomization">Kustomization</a>
+<a href="#kustomize.toolkit.fluxcd.io/v1.Kustomization">Kustomization</a>
 </li></ul>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.Kustomization">Kustomization
+<h3 id="kustomize.toolkit.fluxcd.io/v1.Kustomization">Kustomization
 </h3>
 <p>Kustomization is the Schema for the kustomizations API.</p>
 <div class="md-typeset__scrollwrap">
@@ -29,7 +30,7 @@ Resource Types:
 <code>apiVersion</code><br>
 string</td>
 <td>
-<code>kustomize.toolkit.fluxcd.io/v1beta2</code>
+<code>kustomize.toolkit.fluxcd.io/v1</code>
 </td>
 </tr>
 <tr>
@@ -59,7 +60,7 @@ Refer to the Kubernetes API documentation for the fields of the
 <td>
 <code>spec</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">
 KustomizationSpec
 </a>
 </em>
@@ -70,16 +71,32 @@ KustomizationSpec
 <table>
 <tr>
 <td>
-<code>dependsOn</code><br>
+<code>commonMetadata</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectReference">
-[]github.com/fluxcd/pkg/apis/meta.NamespacedObjectReference
+<a href="#kustomize.toolkit.fluxcd.io/v1.CommonMetadata">
+CommonMetadata
 </a>
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>DependsOn may contain a meta.NamespacedObjectReference slice
+<p>CommonMetadata specifies the common labels and annotations that are
+applied to all resources. Any existing label or annotation will be
+overridden if its key matches a common one.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>dependsOn</code><br>
+<em>
+<a href="#kustomize.toolkit.fluxcd.io/v1.DependencyReference">
+[]DependencyReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DependsOn may contain a DependencyReference slice
 with references to Kustomization resources that must be ready before this
 Kustomization can be reconciled.</p>
 </td>
@@ -88,7 +105,7 @@ Kustomization can be reconciled.</p>
 <td>
 <code>decryption</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.Decryption">
+<a href="#kustomize.toolkit.fluxcd.io/v1.Decryption">
 Decryption
 </a>
 </em>
@@ -108,7 +125,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>The interval at which to reconcile the Kustomization.</p>
+<p>The interval at which to reconcile the Kustomization.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -131,8 +150,8 @@ value to retry failures.</p>
 <td>
 <code>kubeConfig</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KubeConfig">
-KubeConfig
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#KubeConfigReference">
+github.com/fluxcd/pkg/apis/meta.KubeConfigReference
 </a>
 </em>
 </td>
@@ -165,7 +184,7 @@ Defaults to &lsquo;None&rsquo;, which translates to the root path of the SourceR
 <td>
 <code>postBuild</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.PostBuild">
+<a href="#kustomize.toolkit.fluxcd.io/v1.PostBuild">
 PostBuild
 </a>
 </em>
@@ -189,6 +208,21 @@ bool
 </tr>
 <tr>
 <td>
+<code>deletionPolicy</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DeletionPolicy can be used to control garbage collection when this
+Kustomization is deleted. Valid values are (&lsquo;MirrorPrune&rsquo;, &lsquo;Delete&rsquo;,
+&lsquo;WaitForTermination&rsquo;, &lsquo;Orphan&rsquo;). &lsquo;MirrorPrune&rsquo; mirrors the Prune field
+(orphan if false, delete if true). Defaults to &lsquo;MirrorPrune&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>healthChecks</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectKindReference">
@@ -203,6 +237,30 @@ bool
 </tr>
 <tr>
 <td>
+<code>namePrefix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>NamePrefix will prefix the names of all managed resources.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>nameSuffix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>NameSuffix will suffix the names of all managed resources.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>patches</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#Patch">
@@ -218,36 +276,6 @@ capable of targeting objects based on kind, label and annotation selectors.</p>
 </tr>
 <tr>
 <td>
-<code>patchesStrategicMerge</code><br>
-<em>
-<a href="https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1?tab=doc#JSON">
-[]Kubernetes pkg/apis/apiextensions/v1.JSON
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Strategic merge patches, defined as inline YAML objects.
-Deprecated: Use Patches instead.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>patchesJson6902</code><br>
-<em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#JSON6902Patch">
-[]github.com/fluxcd/pkg/apis/kustomize.JSON6902Patch
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>JSON 6902 patches, defined as inline YAML objects.
-Deprecated: Use Patches instead.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>images</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#Image">
@@ -279,7 +307,7 @@ when reconciling this Kustomization.</p>
 <td>
 <code>sourceRef</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.CrossNamespaceSourceReference">
+<a href="#kustomize.toolkit.fluxcd.io/v1.CrossNamespaceSourceReference">
 CrossNamespaceSourceReference
 </a>
 </em>
@@ -351,20 +379,36 @@ bool
 </td>
 <td>
 <em>(Optional)</em>
-<p>Wait instructs the controller to check the health of all the reconciled resources.
-When enabled, the HealthChecks are ignored. Defaults to false.</p>
+<p>Wait instructs the controller to check the health of all the reconciled
+resources. When enabled, the HealthChecks are ignored. Defaults to false.</p>
 </td>
 </tr>
 <tr>
 <td>
-<code>validation</code><br>
+<code>components</code><br>
 <em>
-string
+[]string
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>Deprecated: Not used in v1beta2.</p>
+<p>Components specifies relative paths to specifications of other Components.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>healthCheckExprs</code><br>
+<em>
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#CustomHealthCheck">
+[]github.com/fluxcd/pkg/apis/kustomize.CustomHealthCheck
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>HealthCheckExprs is a list of healthcheck expressions for evaluating the
+health of custom resources using Common Expression Language (CEL).
+The expressions are evaluated only when Wait or HealthChecks are specified.</p>
 </td>
 </tr>
 </table>
@@ -374,7 +418,7 @@ string
 <td>
 <code>status</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationStatus">
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationStatus">
 KustomizationStatus
 </a>
 </em>
@@ -386,11 +430,56 @@ KustomizationStatus
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.CrossNamespaceSourceReference">CrossNamespaceSourceReference
+<h3 id="kustomize.toolkit.fluxcd.io/v1.CommonMetadata">CommonMetadata
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">KustomizationSpec</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec</a>)
+</p>
+<p>CommonMetadata defines the common labels and annotations.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>annotations</code><br>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Annotations to be added to the object&rsquo;s metadata.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>labels</code><br>
+<em>
+map[string]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Labels to be added to the object&rsquo;s metadata.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<h3 id="kustomize.toolkit.fluxcd.io/v1.CrossNamespaceSourceReference">CrossNamespaceSourceReference
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec</a>)
 </p>
 <p>CrossNamespaceSourceReference contains enough information to let you locate the
 typed Kubernetes resource object at cluster level.</p>
@@ -447,18 +536,19 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>Namespace of the referent, defaults to the namespace of the Kubernetes resource object that contains the reference.</p>
+<p>Namespace of the referent, defaults to the namespace of the Kubernetes
+resource object that contains the reference.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.Decryption">Decryption
+<h3 id="kustomize.toolkit.fluxcd.io/v1.Decryption">Decryption
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">KustomizationSpec</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec</a>)
 </p>
 <p>Decryption defines how decryption is handled for Kubernetes manifests.</p>
 <div class="md-typeset__scrollwrap">
@@ -484,6 +574,22 @@ string
 </tr>
 <tr>
 <td>
+<code>serviceAccountName</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ServiceAccountName is the name of the service account used to
+authenticate with KMS services from cloud providers. If a
+static credential for a given cloud provider is defined
+inside the Secret referenced by SecretRef, that static
+credential takes priority.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>secretRef</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
@@ -493,20 +599,23 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 </td>
 <td>
 <em>(Optional)</em>
-<p>The secret name containing the private OpenPGP keys used for decryption.</p>
+<p>The secret name containing the private OpenPGP keys used for decryption.
+A static credential for a cloud provider defined inside the Secret
+takes priority to secret-less authentication with the ServiceAccountName
+field.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.KubeConfig">KubeConfig
+<h3 id="kustomize.toolkit.fluxcd.io/v1.DependencyReference">DependencyReference
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">KustomizationSpec</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec</a>)
 </p>
-<p>KubeConfig references a Kubernetes secret that contains a kubeconfig file.</p>
+<p>DependencyReference defines a Kustomization dependency on another Kustomization resource.</p>
 <div class="md-typeset__scrollwrap">
 <div class="md-typeset__table">
 <table>
@@ -519,36 +628,56 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 <tbody>
 <tr>
 <td>
-<code>secretRef</code><br>
+<code>name</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#SecretKeyReference">
-github.com/fluxcd/pkg/apis/meta.SecretKeyReference
-</a>
+string
 </em>
 </td>
 <td>
-<p>SecretRef holds the name of a secret that contains a key with
-the kubeconfig file as the value. If no key is set, the key will default
-to &lsquo;value&rsquo;. The secret must be in the same namespace as
-the Kustomization.
-It is recommended that the kubeconfig is self-contained, and the secret
-is regularly updated if credentials such as a cloud-access-token expire.
-Cloud specific <code>cmd-path</code> auth helpers will not function without adding
-binaries and credentials to the Pod that is responsible for reconciling
-the Kustomization.</p>
+<p>Name of the referent.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>namespace</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Namespace of the referent, defaults to the namespace of the Kustomization
+resource object that contains the reference.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>readyExpr</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ReadyExpr is a CEL expression that can be used to assess the readiness
+of a dependency. When specified, the built-in readiness check
+is replaced by the logic defined in the CEL expression.
+To make the CEL expression additive to the built-in readiness check,
+the feature gate <code>AdditiveCELDependencyCheck</code> must be set to <code>true</code>.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">KustomizationSpec
+<h3 id="kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.Kustomization">Kustomization</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.Kustomization">Kustomization</a>)
 </p>
-<p>KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize.</p>
+<p>KustomizationSpec defines the configuration to calculate the desired state
+from a Source using Kustomize.</p>
 <div class="md-typeset__scrollwrap">
 <div class="md-typeset__table">
 <table>
@@ -561,16 +690,32 @@ the Kustomization.</p>
 <tbody>
 <tr>
 <td>
-<code>dependsOn</code><br>
+<code>commonMetadata</code><br>
 <em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectReference">
-[]github.com/fluxcd/pkg/apis/meta.NamespacedObjectReference
+<a href="#kustomize.toolkit.fluxcd.io/v1.CommonMetadata">
+CommonMetadata
 </a>
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>DependsOn may contain a meta.NamespacedObjectReference slice
+<p>CommonMetadata specifies the common labels and annotations that are
+applied to all resources. Any existing label or annotation will be
+overridden if its key matches a common one.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>dependsOn</code><br>
+<em>
+<a href="#kustomize.toolkit.fluxcd.io/v1.DependencyReference">
+[]DependencyReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DependsOn may contain a DependencyReference slice
 with references to Kustomization resources that must be ready before this
 Kustomization can be reconciled.</p>
 </td>
@@ -579,7 +724,7 @@ Kustomization can be reconciled.</p>
 <td>
 <code>decryption</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.Decryption">
+<a href="#kustomize.toolkit.fluxcd.io/v1.Decryption">
 Decryption
 </a>
 </em>
@@ -599,7 +744,9 @@ Kubernetes meta/v1.Duration
 </em>
 </td>
 <td>
-<p>The interval at which to reconcile the Kustomization.</p>
+<p>The interval at which to reconcile the Kustomization.
+This interval is approximate and may be subject to jitter to ensure
+efficient use of resources.</p>
 </td>
 </tr>
 <tr>
@@ -622,8 +769,8 @@ value to retry failures.</p>
 <td>
 <code>kubeConfig</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KubeConfig">
-KubeConfig
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#KubeConfigReference">
+github.com/fluxcd/pkg/apis/meta.KubeConfigReference
 </a>
 </em>
 </td>
@@ -656,7 +803,7 @@ Defaults to &lsquo;None&rsquo;, which translates to the root path of the SourceR
 <td>
 <code>postBuild</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.PostBuild">
+<a href="#kustomize.toolkit.fluxcd.io/v1.PostBuild">
 PostBuild
 </a>
 </em>
@@ -680,6 +827,21 @@ bool
 </tr>
 <tr>
 <td>
+<code>deletionPolicy</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DeletionPolicy can be used to control garbage collection when this
+Kustomization is deleted. Valid values are (&lsquo;MirrorPrune&rsquo;, &lsquo;Delete&rsquo;,
+&lsquo;WaitForTermination&rsquo;, &lsquo;Orphan&rsquo;). &lsquo;MirrorPrune&rsquo; mirrors the Prune field
+(orphan if false, delete if true). Defaults to &lsquo;MirrorPrune&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>healthChecks</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/meta#NamespacedObjectKindReference">
@@ -694,6 +856,30 @@ bool
 </tr>
 <tr>
 <td>
+<code>namePrefix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>NamePrefix will prefix the names of all managed resources.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>nameSuffix</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>NameSuffix will suffix the names of all managed resources.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>patches</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#Patch">
@@ -709,36 +895,6 @@ capable of targeting objects based on kind, label and annotation selectors.</p>
 </tr>
 <tr>
 <td>
-<code>patchesStrategicMerge</code><br>
-<em>
-<a href="https://pkg.go.dev/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1?tab=doc#JSON">
-[]Kubernetes pkg/apis/apiextensions/v1.JSON
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Strategic merge patches, defined as inline YAML objects.
-Deprecated: Use Patches instead.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>patchesJson6902</code><br>
-<em>
-<a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#JSON6902Patch">
-[]github.com/fluxcd/pkg/apis/kustomize.JSON6902Patch
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>JSON 6902 patches, defined as inline YAML objects.
-Deprecated: Use Patches instead.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>images</code><br>
 <em>
 <a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#Image">
@@ -770,7 +926,7 @@ when reconciling this Kustomization.</p>
 <td>
 <code>sourceRef</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.CrossNamespaceSourceReference">
+<a href="#kustomize.toolkit.fluxcd.io/v1.CrossNamespaceSourceReference">
 CrossNamespaceSourceReference
 </a>
 </em>
@@ -842,31 +998,47 @@ bool
 </td>
 <td>
 <em>(Optional)</em>
-<p>Wait instructs the controller to check the health of all the reconciled resources.
-When enabled, the HealthChecks are ignored. Defaults to false.</p>
+<p>Wait instructs the controller to check the health of all the reconciled
+resources. When enabled, the HealthChecks are ignored. Defaults to false.</p>
 </td>
 </tr>
 <tr>
 <td>
-<code>validation</code><br>
+<code>components</code><br>
 <em>
-string
+[]string
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>Deprecated: Not used in v1beta2.</p>
+<p>Components specifies relative paths to specifications of other Components.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>healthCheckExprs</code><br>
+<em>
+<a href="https://godoc.org/github.com/fluxcd/pkg/apis/kustomize#CustomHealthCheck">
+[]github.com/fluxcd/pkg/apis/kustomize.CustomHealthCheck
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>HealthCheckExprs is a list of healthcheck expressions for evaluating the
+health of custom resources using Common Expression Language (CEL).
+The expressions are evaluated only when Wait or HealthChecks are specified.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.KustomizationStatus">KustomizationStatus
+<h3 id="kustomize.toolkit.fluxcd.io/v1.KustomizationStatus">KustomizationStatus
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.Kustomization">Kustomization</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.Kustomization">Kustomization</a>)
 </p>
 <p>KustomizationStatus defines the observed state of a kustomization.</p>
 <div class="md-typeset__scrollwrap">
@@ -929,7 +1101,23 @@ string
 <td>
 <em>(Optional)</em>
 <p>The last successfully applied revision.
-The revision format for Git sources is <branch|tag>/<commit-sha>.</p>
+Equals the Revision of the applied Artifact from the referenced Source.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>lastAppliedOriginRevision</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The last successfully applied origin revision.
+Equals the origin revision of the applied Artifact from the referenced Source.
+Usually present on the Metadata of the applied Artifact and depends on the
+Source type, e.g. for OCI it&rsquo;s the value associated with the key
+&ldquo;org.opencontainers.image.revision&rdquo;.</p>
 </td>
 </tr>
 <tr>
@@ -948,25 +1136,26 @@ string
 <td>
 <code>inventory</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.ResourceInventory">
+<a href="#kustomize.toolkit.fluxcd.io/v1.ResourceInventory">
 ResourceInventory
 </a>
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>Inventory contains the list of Kubernetes resource object references that have been successfully applied.</p>
+<p>Inventory contains the list of Kubernetes resource object references that
+have been successfully applied.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.PostBuild">PostBuild
+<h3 id="kustomize.toolkit.fluxcd.io/v1.PostBuild">PostBuild
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationSpec">KustomizationSpec</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationSpec">KustomizationSpec</a>)
 </p>
 <p>PostBuild describes which actions to perform on the YAML manifest
 generated by building the kustomize overlay.</p>
@@ -990,9 +1179,8 @@ map[string]string
 <td>
 <em>(Optional)</em>
 <p>Substitute holds a map of key/value pairs.
-The variables defined in your YAML manifests
-that match any of the keys defined in the map
-will be substituted with the set value.
+The variables defined in your YAML manifests that match any of the keys
+defined in the map will be substituted with the set value.
 Includes support for bash string replacement functions
 e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.</p>
 </td>
@@ -1001,7 +1189,7 @@ e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.</p>
 <td>
 <code>substituteFrom</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.SubstituteReference">
+<a href="#kustomize.toolkit.fluxcd.io/v1.SubstituteReference">
 []SubstituteReference
 </a>
 </em>
@@ -1010,21 +1198,23 @@ e.g. ${var:=default}, ${var:position} and ${var/substring/replacement}.</p>
 <em>(Optional)</em>
 <p>SubstituteFrom holds references to ConfigMaps and Secrets containing
 the variables and their values to be substituted in the YAML manifests.
-The ConfigMap and the Secret data keys represent the var names and they
-must match the vars declared in the manifests for the substitution to happen.</p>
+The ConfigMap and the Secret data keys represent the var names, and they
+must match the vars declared in the manifests for the substitution to
+happen.</p>
 </td>
 </tr>
 </tbody>
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.ResourceInventory">ResourceInventory
+<h3 id="kustomize.toolkit.fluxcd.io/v1.ResourceInventory">ResourceInventory
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.KustomizationStatus">KustomizationStatus</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.KustomizationStatus">KustomizationStatus</a>)
 </p>
-<p>ResourceInventory contains a list of Kubernetes resource object references that have been applied by a Kustomization.</p>
+<p>ResourceInventory contains a list of Kubernetes resource object references
+that have been applied by a Kustomization.</p>
 <div class="md-typeset__scrollwrap">
 <div class="md-typeset__table">
 <table>
@@ -1039,7 +1229,7 @@ must match the vars declared in the manifests for the substitution to happen.</p
 <td>
 <code>entries</code><br>
 <em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.ResourceRef">
+<a href="#kustomize.toolkit.fluxcd.io/v1.ResourceRef">
 []ResourceRef
 </a>
 </em>
@@ -1052,11 +1242,11 @@ must match the vars declared in the manifests for the substitution to happen.</p
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.ResourceRef">ResourceRef
+<h3 id="kustomize.toolkit.fluxcd.io/v1.ResourceRef">ResourceRef
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.ResourceInventory">ResourceInventory</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.ResourceInventory">ResourceInventory</a>)
 </p>
 <p>ResourceRef contains the information necessary to locate a resource within a cluster.</p>
 <div class="md-typeset__scrollwrap">
@@ -1096,11 +1286,11 @@ string
 </table>
 </div>
 </div>
-<h3 id="kustomize.toolkit.fluxcd.io/v1beta2.SubstituteReference">SubstituteReference
+<h3 id="kustomize.toolkit.fluxcd.io/v1.SubstituteReference">SubstituteReference
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kustomize.toolkit.fluxcd.io/v1beta2.PostBuild">PostBuild</a>)
+<a href="#kustomize.toolkit.fluxcd.io/v1.PostBuild">PostBuild</a>)
 </p>
 <p>SubstituteReference contains a reference to a resource containing
 the variables name and value.</p>

docs/spec/README.md

@@ -1,191 +1,7 @@
 # Kustomize Controller
 
-The Kustomize Controller is a Kubernetes operator, specialized in running 
-continuous delivery pipelines for infrastructure and workloads
-defined with Kubernetes manifests and assembled with Kustomize.
-
-## Motivation
-
-The main goal is to provide an automated operator that can
-bootstrap and continuously reconcile the cluster state
-from multiple sources (e.g. infrastructure and application repositories).
-
-When provisioning a new cluster, one may wish to install workloads in a specific order,
-for example a validation controller such as OPA Gatekeeper should be up and running before 
-applying other manifests on the cluster. Another example is a service mesh admission controller,
-the proxy injector must be functional before deploying applications into the mesh.
-
-When a cluster is shared with multiple teams, a cluster admin may wish to assign roles and service
-accounts to each team. The manifests owned by a team will be applied on the cluster using
-the team's account thus ensuring isolation between teams. For example, an admin can 
-restrict the operations performed on the cluster by a team to a single namespace.
-
-When dealing with an incident, one may wish to suspend the reconciliation of some workloads and
-pin the reconciliation of others to a specific Git revision, without having to stop the reconciler
-and affect the whole cluster.
-
-When operating a cluster, different teams may wish to receive notification about the status
-of their CD pipelines. For example, the on-call team would receive alerts about all
-failures in the prod namespace, while the frontend team may wish to be alerted when a new version 
-of the frontend app was deployed and if the deployment is healthy, no matter the namespace.
-
-## Design
-
-The reconciliation process can be defined with a Kubernetes custom resource
-that describes a pipeline such as:
-- **check** if depends-on conditions are meet  
-- **fetch** manifests from source-controller (Git repository or S3 bucket)
-- **generate** a kustomization if needed
-- **build** the manifest using kustomization X
-- **decrypt** Kubernetes secrets using Mozilla SOPS
-- **validate** the resulting objects 
-- **impersonate** Kubernetes account
-- **apply** the objects 
-- **prune** the objects removed from source
-- **verify** the deployment status
-- **alert** if something went wrong
-- **notify** if the cluster state changed 
-
-The controller that runs these pipelines relies on
-[source-controller](https://github.com/fluxcd/source-controller)
-for providing the raw manifests from Git repositories or any
-other source that source-controller could support in the future. 
-
-If a Git repository contains no Kustomize manifests, the controller can
-generate the `kustomization.yaml` file automatically and label
-the objects for garbage collection (GC).
-
-A pipeline runs on-a-schedule and ca be triggered manually by a
-cluster admin or automatically by a source event such as a Git revision change.
-
-When a pipeline is removed from the cluster, the controller's GC terminates
-all the objects previously created by that pipeline.
-
-A pipeline can be suspended, while in suspension the controller
-stops the scheduler and ignores any source events.
-Deleting a suspended pipeline does not trigger garbage collection.
-
-Alerting can be configured with a Kubernetes custom resource
-that specifies a webhook address, and a group of pipelines to be monitored.
-
-The API design of the controller can be found at [kustomize.toolkit.fluxcd.io/v1beta1](v1beta1/README.md).
-
-## Backward compatibility
-
-| Feature                                      | Kustomize Controller    | Flux v1            |
-| -------------------------------------------- | ----------------------- | ------------------ |
-| Plain Kubernetes manifests sync              | :heavy_check_mark:      | :heavy_check_mark: |
-| Kustomize build sync                         | :heavy_check_mark:      | :heavy_check_mark: |
-| Garbage collection                           | :heavy_check_mark:      | :heavy_check_mark: |
-| Secrets decryption                           | :heavy_check_mark:      | :heavy_check_mark: |
-| Generate manifests with shell scripts        | :x:                     | :heavy_check_mark: |
-
-Syncing will not support the `.flux.yaml` mechanism as running shell scripts and binaries to
-generate manifests is not in the scope of Kustomize controller.
-
-## Example
-
-After installing kustomize-controller and its companion source-controller, we
-can create a series of pipelines for deploying Istio, and an application made of
-multiple services.
-
-Create a source that points to where the Istio control plane manifests are,
-and a kustomization for installing/upgrading Istio:
-
-```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: istio
-  namespace: flux-system
-spec:
-  interval: 5m
-  url: https://github.com/stefanprodan/gitops-istio
-  ref:
-    branch: master
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
-kind: Kustomization
-metadata:
-  name: istio
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: "./istio/"
-  sourceRef:
-    kind: GitRepository
-    name: istio
-  healthChecks:
-    - kind: Deployment
-      name: istiod
-      namespace: istio-system
-  timeout: 2m
-```
-
-Create a source for the app repo, a kustomization for each service defining depends-on relationships:
-
-```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: webapp
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://github.com/stefanprodan/podinfo-deploy
-  ref:
-    branch: master
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
-kind: Kustomization
-metadata:
-  name: webapp-common
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: istio
-  interval: 5m
-  path: "./webapp/common/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validation: client
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
-kind: Kustomization
-metadata:
-  name: webapp-backend
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: webapp-common
-  interval: 5m
-  path: "./webapp/backend/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validation: server
-  healthChecks:
-    - kind: Deployment
-      name: backend
-      namespace: webapp
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
-kind: Kustomization
-metadata:
-  name: webapp-frontend
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: webapp-backend
-  interval: 5m
-  path: "./webapp/frontend/"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: webapp
-  validation: server
-```
+## API Specification
 
+[v1beta1](v1beta2/README.md).
+[v1beta2](v1beta2/README.md).
+[v1](v1/README.md).

docs/spec/v1/README.md

@@ -0,0 +1,17 @@
+# kustomize.toolkit.fluxcd.io/v1
+
+This is the v1 API specification for defining continuous delivery pipelines
+of Kubernetes objects generated with Kustomize.
+
+## Specification
+
+- [Kustomization CRD](kustomizations.md)
+    + [Example](kustomizations.md#example)
+    + [Writing a Kustomization spec](kustomizations.md#writing-a-kustomization-spec)
+    + [Working with Kustomizations](kustomizations.md#working-with-kustomizations)
+      * [Recommended settings](kustomizations.md#recommended-settings)
+    + [Kustomization Status](kustomizations.md#kustomization-status)
+
+## Implementation
+
+* [kustomize-controller](https://github.com/fluxcd/kustomize-controller/)

docs/spec/v1alpha1/README.md

@@ -5,16 +5,16 @@ of Kubernetes objects generated with Kustomize.
 
 ## Specification
 
-- [Kustomization CRD](kustomization.md)
-    + [Source reference](kustomization.md#source-reference)
-    + [Generate kustomization.yaml](kustomization.md#generate-kustomizationyaml)
-    + [Reconciliation](kustomization.md#reconciliation)
-    + [Garbage collection](kustomization.md#garbage-collection)
-    + [Health assessment](kustomization.md#health-assessment)
-    + [Kustomization dependencies](kustomization.md#kustomization-dependencies)
-    + [Role-based access control](kustomization.md#role-based-access-control)
-    + [Secrets decryption](kustomization.md#secrets-decryption)
-    + [Status](kustomization.md#status)
+- [Kustomization CRD](kustomizations.md)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)
 
 ## Implementation
 

docs/spec/v1beta1/README.md

@@ -1,23 +1,23 @@
-# kustomize.toolkit.fluxcd.io/v1alpha1
+# kustomize.toolkit.fluxcd.io/v1beta1
 
 This is the v1beta1 API specification for defining continuous delivery pipelines
 of Kubernetes objects generated with Kustomize.
 
 ## Specification
 
-- [Kustomization CRD](kustomization.md)
-    + [Source reference](kustomization.md#source-reference)
-    + [Generate kustomization.yaml](kustomization.md#generate-kustomizationyaml)
-    + [Reconciliation](kustomization.md#reconciliation)
-    + [Garbage collection](kustomization.md#garbage-collection)
-    + [Health assessment](kustomization.md#health-assessment)
-    + [Kustomization dependencies](kustomization.md#kustomization-dependencies)
-    + [Role-based access control](kustomization.md#role-based-access-control)
-    + [Override kustomize config](kustomization.md#override-kustomize-config)
-    + [Variable substitution](kustomization.md#variable-substitution)
-    + [Targeting remote clusters](kustomization.md#remote-clusters--cluster-api)
-    + [Secrets decryption](kustomization.md#secrets-decryption)
-    + [Status](kustomization.md#status)
+- [Kustomization CRD](kustomizations.md)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Override kustomize config](kustomizations.md#override-kustomize-config)
+    + [Variable substitution](kustomizations.md#variable-substitution)
+    + [Targeting remote clusters](kustomizations.md#remote-clusters--cluster-api)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)
 
 ## Implementation
 

docs/spec/v1beta2/README.md

@@ -5,19 +5,21 @@ of Kubernetes objects generated with Kustomize.
 
 ## Specification
 
-- [Kustomization CRD](kustomization.md)
-    + [Source reference](kustomization.md#source-reference)
-    + [Generate kustomization.yaml](kustomization.md#generate-kustomizationyaml)
-    + [Reconciliation](kustomization.md#reconciliation)
-    + [Garbage collection](kustomization.md#garbage-collection)
-    + [Health assessment](kustomization.md#health-assessment)
-    + [Kustomization dependencies](kustomization.md#kustomization-dependencies)
-    + [Role-based access control](kustomization.md#role-based-access-control)
-    + [Override kustomize config](kustomization.md#override-kustomize-config)
-    + [Variable substitution](kustomization.md#variable-substitution)
-    + [Targeting remote clusters](kustomization.md#remote-clusters--cluster-api)
-    + [Secrets decryption](kustomization.md#secrets-decryption)
-    + [Status](kustomization.md#status)
+- [Kustomization CRD](kustomizations.md)
+    + [Example](kustomizations.md#example)
+    + [Recommended settings](kustomizations.md#recommended-settings)
+    + [Source reference](kustomizations.md#source-reference)
+    + [Generate kustomization.yaml](kustomizations.md#generate-kustomizationyaml)
+    + [Reconciliation](kustomizations.md#reconciliation)
+    + [Garbage collection](kustomizations.md#garbage-collection)
+    + [Health assessment](kustomizations.md#health-assessment)
+    + [Kustomization dependencies](kustomizations.md#kustomization-dependencies)
+    + [Role-based access control](kustomizations.md#role-based-access-control)
+    + [Override kustomize config](kustomizations.md#override-kustomize-config)
+    + [Variable substitution](kustomizations.md#variable-substitution)
+    + [Targeting remote clusters](kustomizations.md#remote-clusters--cluster-api)
+    + [Secrets decryption](kustomizations.md#secrets-decryption)
+    + [Status](kustomizations.md#status)
 
 ## Implementation
 

docs/spec/v1beta2/kustomizations.md

@@ -61,14 +61,14 @@ You can run this example by saving the manifest into `podinfo.yaml`.
 
    ```console
    NAME      URL                                       READY   STATUS                                                                        
-   podinfo   https://github.com/stefanprodan/podinfo   True    stored artifact for revision 'master/450796ddb2ab6724ee1cc32a4be56da032d1cca0'
+   podinfo   https://github.com/stefanprodan/podinfo   True    stored artifact for revision 'master@sha1:450796ddb2ab6724ee1cc32a4be56da032d1cca0'
    ```
 
 3. Run `kubectl get kustomizations` to see the reconciliation status:
 
    ```console
    NAME      READY   STATUS
-   podinfo   True    Applied revision: master/450796ddb2ab6724ee1cc32a4be56da032d1cca0
+   podinfo   True    Applied revision: master@sha1:450796ddb2ab6724ee1cc32a4be56da032d1cca0
    ```
 
 4. Run `kubectl describe kustomization podinfo` to see the reconciliation status conditions and events:
@@ -78,7 +78,7 @@ You can run this example by saving the manifest into `podinfo.yaml`.
     Status:
       Conditions:
         Last Transition Time:  2022-06-07T11:14:41Z
-        Message:               Applied revision: master/450796ddb2ab6724ee1cc32a4be56da032d1cca0
+        Message:               Applied revision: master@sha1:450796ddb2ab6724ee1cc32a4be56da032d1cca0
         Reason:                ReconciliationSucceeded
         Status:                True
         Type:                  Ready
@@ -127,7 +127,7 @@ spec:
   timeout: 3m0s # give up waiting after three minutes
   retryInterval: 2m0s # retry every two minutes on apply or waiting failures
   prune: true # remove stale resources from cluster
-  force: true # recreate resources on immutable fields changes
+  force: false # enable this to recreate resources on immutable fields changes
   targetNamespace: apps # set the namespace for all resources
   sourceRef:
     kind: GitRepository
@@ -136,6 +136,8 @@ spec:
   path: "./deploy/production"
 ```
 
+### Disable Kustomize remote bases
+
 For security and performance reasons, it is advised to disallow the usage of
 [remote bases](https://github.com/kubernetes-sigs/kustomize/blob/a7f4db7fb41e17b2c826a524f545e6174b4dc6ac/examples/remoteBuild.md)
 in Kustomize overlays. To enforce this setting, platform admins can use the `--no-remote-bases=true` controller flag.
@@ -149,14 +151,15 @@ changes, it generates a Kubernetes event that triggers a kustomize build and app
 
 Source supported types:
 
-* [GitRepository](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/gitrepositories.md)
-* [OCIRepository](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/ocirepositories.md)
-* [Bucket](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/buckets.md)
+- [GitRepository](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/gitrepositories.md)
+- [OCIRepository](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/ocirepositories.md)
+- [Bucket](https://github.com/fluxcd/source-controller/blob/main/docs/spec/v1beta2/buckets.md)
 
-> **Note** that the source should contain the kustomization.yaml and all the
-> Kubernetes manifests and configuration files referenced in the kustomization.yaml.
-> If your Git repository or S3 bucket contains only plain manifests,
-> then a kustomization.yaml will be automatically generated.
+**Note:** If the source contains a `kustomization.yaml` file, then it should also contain
+all the Kubernetes manifests and configuration files referenced in the Kustomize config file.
+If your Git, OCI repository or S3 bucket contains **plain manifests**,
+then a kustomization.yaml will be [automatically generated](#generate-kustomizationyaml)
+by the controller.
 
 ### Cross-namespace references
 
@@ -187,12 +190,12 @@ If your repository contains plain Kubernetes manifests, the
 manifests in the directory tree specified in the `spec.path` field of the Flux `Kustomization`.
 All YAML files present under that path must be valid Kubernetes
 manifests, unless they're excluded either by way of the `.sourceignore`
-file or the `spec.ignore` field on the corresponding `GitRepository` object.
+file or the `spec.ignore` field on the corresponding source object.
 
 Example of excluding CI workflows and SOPS config files:
 
 ```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta1
+apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
   name: podinfo
@@ -201,7 +204,6 @@ spec:
   interval: 5m
   url: https://github.com/stefanprodan/podinfo
   ignore: |
-    .git/
     .github/
     .sops.yaml
     .gitlab-ci.yml
@@ -209,16 +211,13 @@ spec:
 
 It is recommended to generate the `kustomization.yaml` on your own and store it in Git, this way you can
 validate your manifests in CI (example script [here](https://github.com/fluxcd/flux2-multi-tenancy/blob/main/scripts/validate.sh)).
-Assuming your manifests are inside `./clusters/my-cluster`, you can generate a `kustomization.yaml` with:
+Assuming your manifests are inside `apps/my-app`, you can generate a `kustomization.yaml` with:
 
 ```sh
-cd clusters/my-cluster
+cd apps/my-app
 
-# create kustomization
+# create kustomization.yaml
 kustomize create --autodetect --recursive
-
-# validate kustomization
-kustomize build | kubeconform -ignore-missing-schemas
 ```
 
 ## Reconciliation
@@ -229,9 +228,6 @@ The interval time units are `s` and `m` e.g. `interval: 5m`, the minimum value s
 
 The Kustomization execution can be suspended by setting `spec.suspend` to `true`.
 
-With `spec.force` you can tell the controller to replace the resources in-cluster if the
-patching fails due to immutable fields changes.
-
 The controller can be told to reconcile the Kustomization outside of the specified interval
 by annotating the Kustomization object with:
 
@@ -254,15 +250,25 @@ kubectl get all --all-namespaces \
 -l=kustomize.toolkit.fluxcd.io/namespace="<Kustomization namespace>"
 ```
 
-You can configure the controller to ignore in-cluster resources by labeling or annotating them:
+With `spec.force` you can tell the controller to replace the resources in-cluster if the
+patching fails due to immutable fields changes.
+
+You can enable force apply for specific resources by labeling or annotating them with:
+
+```yaml
+kustomize.toolkit.fluxcd.io/force: enabled
+```
+
+You can configure the controller to ignore in-cluster resources by labeling or annotating them with:
 
 ```yaml
 kustomize.toolkit.fluxcd.io/reconcile: disabled
 ```
 
-Note that when the `kustomize.toolkit.fluxcd.io/reconcile` annotation is set to `disabled`,
+**Note:** When the `kustomize.toolkit.fluxcd.io/reconcile` annotation is set to `disabled`,
 the controller will no longer apply changes from source, nor will it prune the resource.
-To resume reconciliation, set the annotation to `enabled` or remove it.
+To resume reconciliation, set the annotation to `enabled` in source
+and remove it from the in-cluster object.
 
 If you use kubectl to edit an object managed by Flux, all changes will be undone when
 the controller reconciles a Flux Kustomization containing that object.
@@ -279,9 +285,14 @@ Another option is to annotate or label objects with:
 kustomize.toolkit.fluxcd.io/ssa: merge
 ```
 
-Note that the fields defined in manifests will always be overridden,
+**Note:** The fields defined in manifests will always be overridden,
 the above procedure works only for adding new fields that don’t overlap with the desired state.
 
+For lists fields which are atomic (e.g `spec.tolerations` in PodSpec), Kubernetes doesn't allow different managers 
+for such fields, therefore any changes to these fields will be undone, even if you specify a manager. 
+For more context, please see the Kubernetes enhancement doc:
+[555-server-side-apply](https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/555-server-side-apply/README.md#lists).
+
 ## Garbage collection
 
 To enable garbage collection, set `spec.prune` to `true`.
@@ -329,18 +340,20 @@ spec:
 ```
 
 If you wish to select only certain resources, list them under `spec.healthChecks`.
-Note that when `spec.wait` is enabled, the `spec.healthChecks` field is ignored.
+
+**Note:** When `spec.wait` is enabled, the `spec.healthChecks` field is ignored.
 
 A health check entry can reference one of the following types:
 
-* Kubernetes builtin kinds: Deployment, DaemonSet, StatefulSet, PersistentVolumeClaim, Pod, PodDisruptionBudget, Job, CronJob, Service, Secret, ConfigMap, CustomResourceDefinition
-* Toolkit kinds: HelmRelease, HelmRepository, GitRepository, etc
-* Custom resources that are compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus)
+- Kubernetes builtin kinds: Deployment, DaemonSet, StatefulSet, PersistentVolumeClaim, Pod, PodDisruptionBudget, Job, CronJob, Service, Secret, ConfigMap, CustomResourceDefinition
+- Toolkit kinds: HelmRelease, HelmRepository, GitRepository, etc
+- Custom resources that are compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus)
 
 Assuming the Kustomization source contains a Kubernetes Deployment named `backend`,
 a health check can be defined as follows:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -371,6 +384,7 @@ When a Kustomization contains HelmRelease objects, instead of checking the under
 define a health check that waits for the HelmReleases to be reconciled with:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -410,12 +424,13 @@ its last apply status condition.
 
 Assuming two Kustomizations:
 
-* `cert-manager` - reconciles the cert-manager CRDs and controller
-* `certs` - reconciles the cert-manager custom resources
+- `cert-manager` - reconciles the cert-manager CRDs and controller
+- `certs` - reconciles the cert-manager custom resources
 
 You can instruct the controller to apply the `cert-manager` Kustomization before `certs`:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -453,8 +468,8 @@ spec:
 When combined with health assessment, a Kustomization will run after all its dependencies health checks are passing.
 For example, a service mesh proxy injector should be running before deploying applications inside the mesh.
 
-> **Note** that circular dependencies between Kustomizations must be avoided, otherwise the
-> interdependent Kustomizations will never be applied on the cluster.
+**Note:** Circular dependencies between Kustomizations must be avoided, otherwise the
+interdependent Kustomizations will never be applied on the cluster.
 
 ## Role-based access control
 
@@ -468,6 +483,7 @@ Assuming you want to restrict a group of Kustomizations to a single namespace, y
 with a role binding that grants access only to that namespace:
 
 ```yaml
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -504,13 +520,14 @@ subjects:
   namespace: webapp
 ```
 
-> **Note** that the namespace, RBAC and service account manifests should be
-> placed in a Git source and applied with a Kustomization. The Kustomizations that
-> are running under that service account should depend-on the one that contains the account.
+**Note:** The namespace, RBAC and service account manifests should be
+placed in a Git source and applied with a Kustomization. The Kustomizations that
+are running under that service account should depend-on the one that contains the account.
 
 Create a Kustomization that prevents altering the cluster state outside of the `webapp` namespace:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -549,8 +566,10 @@ patches and namespace on all the Kubernetes objects reconciled by the resource,
 offering support for the following Kustomize directives:
 
 - [namespace](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/namespace/)
+- common [labels](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonlabels/) and [annotations](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonannotations/)
 - [patches](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/)
 - [images](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/images/)
+- [components](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/components/)
 
 ### Target namespace
 
@@ -569,7 +588,36 @@ spec:
   targetNamespace: test
 ```
 
-While the field `targetNamespace` in a Kustomization is optional, if this field is non-empty then the Kubernetes namespace pointed to by `targetNamespace` must exist prior to the Kustomization being applied, kustomize-controller will not create the namespace.
+While the field `targetNamespace` in a Kustomization is optional,
+if this field is non-empty then the Kubernetes namespace pointed to by `targetNamespace`
+must exist prior to the Kustomization being applied, kustomize-controller will not create the namespace.
+
+### Common Metadata
+
+With `spec.commonMetadata` you can set common labels and annotations to all resources.
+
+The main difference to the Kustomize
+[commonLabels](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonlabels/)
+and [commonAnnotations](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonannotations/),
+is that the controller sets the labels and annotations only to the top level `metadata` field,
+without patching the Kubernetes Deployment `spec.template` or the Service `spec.selector`.
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: my-app
+  namespace: apps
+spec:
+  # ...omitted for brevity
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: my-app
+    annotations:
+      a8r.io/owner: my-team
+```
+
+**Note:** Any existing label or annotation will be overridden if its key matches a common one.
 
 ### Patches
 
@@ -580,6 +628,7 @@ patch or a [JSON6902](https://kubectl.docs.kubernetes.io/references/kustomize/gl
 The patch can target a single resource or multiple resources:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -648,6 +697,31 @@ spec:
     digest: sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d3
 ```
 
+### Components
+
+To add [Kustomize `components` entries](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/components/)
+to the configuration, and use reusable pieces of configuration logic that can
+be included from multiple overlays, `spec.components` can be defined:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  # ...omitted for brevity
+  components:
+  - ingress
+  - tls
+```
+
+**Note:** The component paths must be local and relative to the source root.
+
+**Warning:** Components are an alpha feature in Kustomize and are therefore
+considered experimental in Flux. No guarantees are provided as the feature may
+be modified in backwards incompatible ways or removed without warning.
+
 ## Variable substitution
 
 With `spec.postBuild.substitute` you can provide a map of key/value pairs holding the
@@ -675,13 +749,14 @@ for [bash string replacement functions](https://github.com/drone/envsubst) e.g.:
 - `${var:position:length}`
 - `${var/substring/replacement}`
 
-Note that the name of a variable can contain only alphanumeric and underscore characters.
+**Note:** The name of a variable can contain only alphanumeric and underscore characters.
 The controller validates the var names using this regular expression:
 `^[_[:alpha:]][_[:alpha:][:digit:]]*$`.
 
 Assuming you have manifests with the following variables:
 
 ```yaml
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -695,6 +770,7 @@ You can specify the variables and their values in the Kustomization definition u
 `substitute` and/or `substituteFrom` post build section:
 
 ```yaml
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
@@ -716,9 +792,10 @@ spec:
         # Fail if this Secret does not exist.
 ```
 
-Note that for substituting variables in a secret, `spec.stringData` field must be used i.e
+**Note:** For substituting variables in a secret, `spec.stringData` field must be used i.e
 
 ```yaml
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -732,7 +809,7 @@ stringData:
 The var values which are specified in-line with `substitute`
 take precedence over the ones in `substituteFrom`.
 
-Note that if you want to avoid var substitutions in scripts embedded in ConfigMaps or container commands,
+**Note:** If you want to avoid var substitutions in scripts embedded in ConfigMaps or container commands,
 you must use the format `$var` instead of `${var}`. If you want to keep the curly braces you can use `$${var}`
 which will print out `${var}`. 
 
@@ -854,11 +931,11 @@ kubectl create secret generic prod-kubeconfig \
     --from-file=value.yaml=./kubeconfig
 ```
 
-> **Note** that the KubeConfig should be self-contained and not rely on binaries, environment,
-> or credential files from the kustomize-controller Pod.
-> This matches the constraints of KubeConfigs from current Cluster API providers.
-> KubeConfigs with `cmd-path` in them likely won't work without a custom,
-> per-provider installation of kustomize-controller.
+**Note:** The KubeConfig should be self-contained and not rely on binaries, environment,
+or credential files from the kustomize-controller Pod.
+This matches the constraints of KubeConfigs from current Cluster API providers.
+KubeConfigs with `cmd-path` in them likely won't work without a custom,
+per-provider installation of kustomize-controller.
 
 When both `spec.kubeConfig` and `spec.ServiceAccountName` are specified,
 the controller will impersonate the service account on the target cluster.
@@ -871,10 +948,10 @@ and encrypt your Kubernetes Secrets data with [age](https://age-encryption.org/v
 and [OpenPGP](https://www.openpgp.org) keys, or using provider
 implementations like Azure Key Vault, GCP KMS or Hashicorp Vault.
 
-> **Note:** You should encrypt only the `data` section of the Kubernetes
-> Secret, encrypting the `metadata`, `kind` or `apiVersion` fields is not
-> supported. An easy way to do this is by appending
-> `--encrypted-regex '^(data|stringData)$'` to your `sops --encrypt` command.
+**Note:** You should encrypt only the `data` section of the Kubernetes
+Secret, encrypting the `metadata`, `kind` or `apiVersion` fields is not
+supported. An easy way to do this is by appending
+`--encrypted-regex '^(data|stringData)$'` to your `sops --encrypt` command.
 
 ### Decryption Secret reference
 
@@ -1171,9 +1248,9 @@ In addition to this, the
 [general SOPS documentation around KMS AWS applies](https://github.com/mozilla/sops#27kms-aws-profiles),
 allowing you to specify e.g. a `SOPS_KMS_ARN` environment variable.
 
-> **Note:**: If you're mounting a secret containing the AWS credentials as a file in the `kustomize-controller` pod,
-> you'd need to specify an environment variable `$HOME`, since the AWS credentials file is expected to be present
-> at `~/.aws`, like so:
+**Note:**: If you're mounting a secret containing the AWS credentials as a file in the `kustomize-controller` pod,
+you'd need to specify an environment variable `$HOME`, since the AWS credentials file is expected to be present
+at `~/.aws`, like so:
 ```yaml
 env:
   - name: HOME
@@ -1345,20 +1422,38 @@ secretGenerator:
 
 ## Status
 
-When the controller completes a Kustomization reconciliation, reports the result in the `status` sub-resource.
+Every time the controller starts reconciling a `Kustomization`, it adds the `Reconciling` condition in `status` and
+updates its message to report the action performed during a reconciliation run:
 
-A successful reconciliation sets the ready condition to `true` and updates the revision field:
+```yaml
+conditions:
+- lastTransitionTime: "2022-10-17T13:40:21Z"
+  message: Detecting drift for revision main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07 with a timeout of 50s
+  observedGeneration: 2
+  reason: Progressing
+  status: "True"
+  type: Reconciling
+- lastTransitionTime: "2022-10-17T13:40:21Z"
+  message: Reconciliation in progress
+  observedGeneration: 2
+  reason: Progressing
+  status: Unknown
+  type: Ready
+```
+
+If the reconciliation finishes successfully, the `Reconciling` condition is removed from `status`
+and the `Ready` condition is set to `True`:
 
 ```yaml
 status:
   conditions:
-  - lastTransitionTime: "2020-09-17T19:28:48Z"
-    message: "Applied revision: master/a1afe267b54f38b46b487f6e938a6fd508278c07"
+  - lastTransitionTime: "2022-10-17T13:40:21Z"
+    message: "Applied revision: main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07"
     reason: ReconciliationSucceeded
     status: "True"
     type: Ready
-  lastAppliedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
-  lastAttemptedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
+  lastAppliedRevision: main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07
+  lastAttemptedRevision: main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07
 ```
 
 If `spec.wait` or `spec.healthChecks` is enabled, the health assessment result
@@ -1376,10 +1471,12 @@ The controller logs the Kubernetes objects:
 ```json
 {
   "level": "info",
-  "ts": "2020-09-17T07:27:11.921Z",
-  "logger": "controllers.Kustomization",
-  "msg": "Kustomization applied in 1.436096591s",
-  "kustomization": "default/backend",
+  "ts": "2022-09-17T07:27:11.921Z",
+  "controllerGroup": "kustomize.toolkit.fluxcd.io",
+  "msg": "server-side apply completed",
+  "name": "backend",
+  "namespace": "default",
+  "revision": "main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07",
   "output": {
     "service/backend": "created",
     "deployment.apps/backend": "created",
@@ -1388,7 +1485,7 @@ The controller logs the Kubernetes objects:
 }
 ```
 
-A failed reconciliation sets the ready condition to `false`:
+A failed reconciliation sets the `Ready` condition to `false`:
 
 ```yaml
 status:
@@ -1398,20 +1495,23 @@ status:
     reason: ValidationFailed
     status: "False"
     type: Ready
-  lastAppliedRevision: master/a1afe267b54f38b46b487f6e938a6fd508278c07
-  lastAttemptedRevision: master/7c500d302e38e7e4a3f327343a8a5c21acaaeb87
+  lastAppliedRevision: master@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07
+  lastAttemptedRevision: master@sha1:7c500d302e38e7e4a3f327343a8a5c21acaaeb87
 ```
 
-> **Note** that the last applied revision is updated only on a successful reconciliation.
+**Note:** The last applied revision is updated only on a successful reconciliation.
 
 When a reconciliation fails, the controller logs the error and issues a Kubernetes event:
 
 ```json
 {
   "level": "error",
-  "ts": "2020-09-17T07:27:11.921Z",
-  "logger": "controllers.Kustomization",
-  "kustomization": "default/backend",
+  "ts": "2022-09-17T07:27:11.921Z",
+  "controllerGroup": "kustomize.toolkit.fluxcd.io",
+  "msg": "server-side apply completed",
+  "name": "backend",
+  "namespace": "default",
+  "revision": "main@sha1:a1afe267b54f38b46b487f6e938a6fd508278c07",
   "error": "The Service 'backend' is invalid: spec.type: Unsupported value: 'Ingress'"
 }
 ```

go.mod

@@ -1,233 +1,265 @@
 module github.com/fluxcd/kustomize-controller
 
-go 1.18
+go 1.24.0
 
 replace github.com/fluxcd/kustomize-controller/api => ./api
 
+// Replace digest lib to master to gather access to BLAKE3.
+// xref: https://github.com/opencontainers/go-digest/pull/66
+replace github.com/opencontainers/go-digest => github.com/opencontainers/go-digest v1.0.1-0.20220411205349-bde1400a84be
+
 require (
-	cloud.google.com/go/kms v1.4.0
-	filippo.io/age v1.0.0
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20220903154154-e8044f6e4c72
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v0.22.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.13.2
-	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.4.0
-	github.com/aws/aws-sdk-go v1.44.107
-	github.com/aws/aws-sdk-go-v2 v1.16.16
-	github.com/aws/aws-sdk-go-v2/config v1.17.7
-	github.com/aws/aws-sdk-go-v2/credentials v1.12.20
-	github.com/aws/aws-sdk-go-v2/service/kms v1.18.11
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19
-	github.com/cyphar/filepath-securejoin v0.2.3
+	cloud.google.com/go/kms v1.22.0
+	filippo.io/age v1.2.1
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
+	github.com/aws/aws-sdk-go-v2 v1.36.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.70
+	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/dimchansky/utfbom v1.1.1
-	github.com/drone/envsubst v1.0.3
-	github.com/fluxcd/kustomize-controller/api v0.29.0
-	github.com/fluxcd/pkg/apis/acl v0.1.0
-	github.com/fluxcd/pkg/apis/kustomize v0.6.0
-	github.com/fluxcd/pkg/apis/meta v0.16.0
-	github.com/fluxcd/pkg/kustomize v0.8.0
-	github.com/fluxcd/pkg/runtime v0.19.0
-	github.com/fluxcd/pkg/ssa v0.21.0
-	github.com/fluxcd/pkg/testserver v0.3.0
-	github.com/fluxcd/pkg/untar v0.2.0
-	github.com/fluxcd/source-controller/api v0.30.0
-	github.com/hashicorp/go-retryablehttp v0.7.1
-	github.com/hashicorp/vault/api v1.8.0
-	github.com/onsi/gomega v1.20.2
-	github.com/ory/dockertest v3.3.5+incompatible
-	github.com/spf13/pflag v1.0.5
-	go.mozilla.org/sops/v3 v3.7.3
-	golang.org/x/net v0.0.0-20220927171203-f486391704dc
-	google.golang.org/api v0.98.0
-	google.golang.org/genproto v0.0.0-20220929141241-1ce7b20da813
-	google.golang.org/grpc v1.49.0
-	google.golang.org/protobuf v1.28.1
-	k8s.io/api v0.25.2
-	k8s.io/apiextensions-apiserver v0.25.2
-	k8s.io/apimachinery v0.25.2
-	k8s.io/client-go v0.25.2
-	sigs.k8s.io/cli-utils v0.33.0
-	sigs.k8s.io/controller-runtime v0.13.0
-	sigs.k8s.io/kustomize/api v0.12.1
-	sigs.k8s.io/yaml v1.3.0
+	github.com/fluxcd/cli-utils v0.36.0-flux.14
+	github.com/fluxcd/kustomize-controller/api v1.6.0
+	github.com/fluxcd/pkg/apis/acl v0.8.0
+	github.com/fluxcd/pkg/apis/event v0.18.0
+	github.com/fluxcd/pkg/apis/kustomize v1.11.0
+	github.com/fluxcd/pkg/apis/meta v1.18.0
+	github.com/fluxcd/pkg/auth v0.23.0
+	github.com/fluxcd/pkg/cache v0.10.0
+	github.com/fluxcd/pkg/http/fetch v0.17.0
+	github.com/fluxcd/pkg/kustomize v1.19.0
+	github.com/fluxcd/pkg/runtime v0.72.0
+	github.com/fluxcd/pkg/ssa v0.51.0
+	github.com/fluxcd/pkg/tar v0.13.0
+	github.com/fluxcd/pkg/testserver v0.11.0
+	github.com/fluxcd/source-controller/api v1.6.0
+	github.com/getsops/sops/v3 v3.10.2
+	github.com/google/cel-go v0.23.2
+	github.com/hashicorp/vault/api v1.20.0
+	github.com/onsi/gomega v1.37.0
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/ory/dockertest/v3 v3.12.0
+	github.com/spf13/pflag v1.0.6
+	golang.org/x/net v0.42.0
+	golang.org/x/oauth2 v0.30.0
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/kustomize/api v0.20.0
+	sigs.k8s.io/yaml v1.5.0
 )
 
-// Pin kustomize to v4.5.7
+// Pin kustomize to v5.7.0
 replace (
-	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.12.1
-	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.9
+	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.20.0
+	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.20.0
 )
 
-// Fix CVE-2022-29162
-replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.1.2
-
-// Fix CVE-2022-27191
-replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898
-
-// Fix CVE-2022-1996 (for v2, Go Modules incompatible)
-replace github.com/emicklei/go-restful => github.com/emicklei/go-restful v2.16.0+incompatible
-
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
 
 require (
-	cloud.google.com/go v0.102.0 // indirect
-	cloud.google.com/go/compute v1.7.0 // indirect
-	cloud.google.com/go/iam v0.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go v63.3.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.2.1 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
-	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
+	cel.dev/expr v0.23.0 // indirect
+	cloud.google.com/go v0.120.1 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cloud.google.com/go/iam v1.5.2 // indirect
+	cloud.google.com/go/longrunning v0.6.7 // indirect
+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go/storage v1.51.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.3 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/armon/go-metrics v0.3.10 // indirect
-	github.com/armon/go-radix v1.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.5 // indirect
-	github.com/aws/smithy-go v1.13.3 // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.17 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.72 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/eks v1.66.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.34.0 // indirect
+	github.com/aws/smithy-go v1.22.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
-	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
-	github.com/containerd/continuity v0.2.2 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
-	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
-	github.com/go-logr/zapr v1.2.3 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/carapace-sh/carapace-shlex v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.3 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
+	github.com/docker/docker v28.2.2+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fluxcd/pkg/envsubst v1.4.0 // indirect
+	github.com/fluxcd/pkg/sourceignore v0.13.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/getsops/gopgagent v0.0.0-20241224165529-7044f28e491e // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-containerregistry v0.20.6 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/goware/prefixer v0.0.0-20160118172347-395022866408 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.2.0 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-plugin v1.4.3 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/vault/sdk v0.6.0 // indirect
-	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
-	github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/lib/pq v1.10.5 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/oklog/run v1.1.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.1.0 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/opencontainers/go-digest/blake3 v0.0.0-20250116041648-1e56c6daea3b // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/runc v1.2.6 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
-	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.13.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/spf13/cobra v1.4.0 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
-	go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a // indirect
-	go.opencensus.io v0.23.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
-	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
-	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/urfave/cli v1.22.16 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.35.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/api v0.241.0 // indirect
+	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/urfave/cli.v1 v1.20.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/cli-runtime v0.24.0 // indirect
-	k8s.io/component-base v0.25.2 // indirect
-	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
-	k8s.io/kubectl v0.24.0 // indirect
-	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect
-	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	k8s.io/apiextensions-apiserver v0.33.2 // indirect
+	k8s.io/cli-runtime v0.33.2 // indirect
+	k8s.io/component-base v0.33.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911 // indirect
+	k8s.io/kubectl v0.33.2 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )

hack/api-docs/template/pkg.tpl

@@ -1,5 +1,10 @@
 {{ define "packages" }}
-    <h1>Kustomize API reference</h1>
+    <h1>Kustomize API reference
+        {{- with (index .packages 0) -}}
+            {{ with (index .GoPackages 0 ) -}}
+                {{ printf " %s" .Name -}}
+            {{ end -}}
+        {{ end }}</h1>
 
     {{ with .packages}}
         <p>Packages:</p>

hack/boilerplate.go.txt

@@ -1,5 +1,5 @@
 /*
-Copyright 2021 The Flux authors
+Copyright 2023 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

internal/cache/operations.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+const (
+	OperationFetchKubeConfig  = "fetch_kubeconfig"
+	OperationDecryptWithAWS   = "decrypt_with_aws"
+	OperationDecryptWithAzure = "decrypt_with_azure"
+	OperationDecryptWithGCP   = "decrypt_with_gcp"
+)
+
+var AllOperations = []string{
+	OperationFetchKubeConfig,
+	OperationDecryptWithAWS,
+	OperationDecryptWithAzure,
+	OperationDecryptWithGCP,
+}

internal/controller/constants.go

@@ -0,0 +1,22 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+const (
+	OCIArtifactOriginRevisionAnnotation = "org.opencontainers.image.revision"
+	TerminalErrorMessage                = "Reconciliation failed terminally due to configuration error"
+)

internal/controller/kustomization_acl_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package controller
 
 import (
 	"context"
@@ -22,16 +22,17 @@ import (
 	"testing"
 	"time"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	apiacl "github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	. "github.com/onsi/gomega"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
 func TestKustomizationReconciler_NoCrossNamespaceRefs(t *testing.T) {
@@ -88,8 +89,8 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},
 			},
@@ -114,7 +115,7 @@ stringData:
 			return resultK.Status.LastAppliedRevision == revision
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationSucceededReason))
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationSucceededReason))
 	})
 
 	t.Run("fails to reconcile from cross-namespace source", func(t *testing.T) {

internal/controller/kustomization_configuration_error_test.go

@@ -0,0 +1,216 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/apis/kustomize"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/runtime/conditions"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/kustomize-controller/internal/decryptor"
+)
+
+func TestKustomizationReconciler_ConfigurationError(t *testing.T) {
+	g := NewWithT(t)
+	id := "invalid-config-" + randStringRunes(5)
+	revision := "v1.0.0"
+	resultK := &kustomizev1.Kustomization{}
+	timeout := 60 * time.Second
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	manifests := func(name string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "config.yaml",
+				Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+data: {}
+`, name),
+			},
+		}
+	}
+
+	artifact, err := testServer.ArtifactFromFiles(manifests(id))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+
+	err = applyGitRepository(repositoryName, artifact, revision)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	t.Run("invalid cel expression", func(t *testing.T) {
+		g := NewWithT(t)
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune:   true,
+				Timeout: &metav1.Duration{Duration: time.Second},
+				Wait:    true,
+				HealthCheckExprs: []kustomize.CustomHealthCheck{{
+					APIVersion: "v1",
+					Kind:       "ConfigMap",
+					HealthCheckExpressions: kustomize.HealthCheckExpressions{
+						InProgress: "foo.",
+						Current:    "true",
+					},
+				}},
+			},
+		}
+
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsFalse(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
+
+		g.Expect(resultK.Status.ObservedGeneration).To(Equal(resultK.GetGeneration()))
+
+		g.Expect(conditions.IsTrue(resultK, meta.StalledCondition)).To(BeTrue())
+		for _, cond := range []string{meta.ReadyCondition, meta.StalledCondition} {
+			g.Expect(conditions.GetReason(resultK, cond)).To(Equal(meta.InvalidCELExpressionReason))
+			g.Expect(conditions.GetMessage(resultK, cond)).To(ContainSubstring(
+				"failed to create custom status evaluator for healthchecks[0]: failed to parse the expression InProgress: failed to parse the CEL expression 'foo.': ERROR: <input>:1:5: Syntax error: no viable alternative at input '.'"))
+		}
+	})
+
+	t.Run("object level workload identity feature gate disabled", func(t *testing.T) {
+		g := NewWithT(t)
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune: true,
+				Decryption: &kustomizev1.Decryption{
+					Provider:           decryptor.DecryptionProviderSOPS,
+					ServiceAccountName: "foo",
+				},
+			},
+		}
+
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsFalse(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
+
+		// In this case the controller does not update the observed generation
+		// because if the feature gate is enabled then the generation of the
+		// object can be properly observed.
+		g.Expect(resultK.Status.ObservedGeneration).To(Equal(int64(-1)))
+
+		g.Expect(conditions.IsTrue(resultK, meta.StalledCondition)).To(BeTrue())
+		for _, cond := range []string{meta.ReadyCondition, meta.StalledCondition} {
+			g.Expect(conditions.GetReason(resultK, cond)).To(Equal(meta.FeatureGateDisabledReason))
+			g.Expect(conditions.GetMessage(resultK, cond)).To(ContainSubstring(
+				"to use spec.decryption.serviceAccountName for decryption authentication please enable the ObjectLevelWorkloadIdentity feature gate in the controller"))
+		}
+	})
+
+	t.Run("object level workload identity feature gate enabled", func(t *testing.T) {
+		g := NewWithT(t)
+
+		t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
+
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),
+			Namespace: id,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				TargetNamespace: id,
+				Interval:        metav1.Duration{Duration: 2 * time.Minute},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune: true,
+				Decryption: &kustomizev1.Decryption{
+					Provider:           decryptor.DecryptionProviderSOPS,
+					ServiceAccountName: "foo",
+				},
+			},
+		}
+
+		err = k8sClient.Create(context.Background(), kustomization)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsTrue(resultK, meta.ReadyCondition)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+}

internal/controller/kustomization_controller_test.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_StagedApply(t *testing.T) {
+	g := NewWithT(t)
+
+	namespaceName := "kust-" + randStringRunes(5)
+	namespace := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{Name: namespaceName},
+	}
+	g.Expect(k8sClient.Create(ctx, namespace)).ToNot(HaveOccurred())
+	t.Cleanup(func() {
+		g.Expect(k8sClient.Delete(ctx, namespace)).NotTo(HaveOccurred())
+	})
+
+	err := createKubeConfigSecret(namespaceName)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	artifactName := "val-" + randStringRunes(5)
+	artifactChecksum, err := testServer.ArtifactFromDir("testdata/crds", artifactName)
+	g.Expect(err).ToNot(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("val-%s", randStringRunes(5)),
+		Namespace: namespaceName,
+	}
+
+	err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	kustomization := &kustomizev1.Kustomization{}
+	kustomization.Name = "test-kust"
+	kustomization.Namespace = namespaceName
+	kustomization.Spec = kustomizev1.KustomizationSpec{
+		Interval: metav1.Duration{Duration: 10 * time.Minute},
+		Prune:    true,
+		Path:     "./",
+		SourceRef: kustomizev1.CrossNamespaceSourceReference{
+			Name:      repositoryName.Name,
+			Namespace: repositoryName.Namespace,
+			Kind:      sourcev1.GitRepositoryKind,
+		},
+		KubeConfig: &meta.KubeConfigReference{
+			SecretRef: &meta.SecretKeyReference{
+				Name: "kubeconfig",
+			},
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+	g.Eventually(func() bool {
+		var obj kustomizev1.Kustomization
+		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
+		return isReconcileSuccess(&obj) && obj.Status.LastAttemptedRevision == "main/"+artifactChecksum
+	}, timeout, time.Second).Should(BeTrue())
+
+	g.Expect(k8sClient.Delete(context.Background(), kustomization)).To(Succeed())
+
+	g.Eventually(func() bool {
+		var obj kustomizev1.Kustomization
+		err = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
+		return errors.IsNotFound(err)
+	}, timeout, time.Second).Should(BeTrue())
+}
+
+func TestKustomizationReconciler_deleteBeforeFinalizer(t *testing.T) {
+	g := NewWithT(t)
+
+	namespaceName := "kust-" + randStringRunes(5)
+	namespace := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{Name: namespaceName},
+	}
+	g.Expect(k8sClient.Create(ctx, namespace)).ToNot(HaveOccurred())
+	t.Cleanup(func() {
+		g.Expect(k8sClient.Delete(ctx, namespace)).NotTo(HaveOccurred())
+	})
+
+	kustomization := &kustomizev1.Kustomization{}
+	kustomization.Name = "test-kust"
+	kustomization.Namespace = namespaceName
+	kustomization.Spec = kustomizev1.KustomizationSpec{
+		Interval: metav1.Duration{Duration: interval},
+		Prune:    true,
+		SourceRef: kustomizev1.CrossNamespaceSourceReference{
+			Kind: "Bucket",
+			Name: "foo",
+		},
+	}
+	// Add a test finalizer to prevent the object from getting deleted.
+	kustomization.SetFinalizers([]string{"test-finalizer"})
+	g.Expect(k8sClient.Create(ctx, kustomization)).NotTo(HaveOccurred())
+	// Add deletion timestamp by deleting the object.
+	g.Expect(k8sClient.Delete(ctx, kustomization)).NotTo(HaveOccurred())
+
+	r := &KustomizationReconciler{
+		Client:        k8sClient,
+		EventRecorder: record.NewFakeRecorder(32),
+	}
+	// NOTE: Only a real API server responds with an error in this scenario.
+	_, err := r.Reconcile(ctx, ctrl.Request{NamespacedName: client.ObjectKeyFromObject(kustomization)})
+	g.Expect(err).NotTo(HaveOccurred())
+}

internal/controller/kustomization_decryptor_test.go

@@ -0,0 +1,365 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	"github.com/hashicorp/vault/api"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_Decryptor(t *testing.T) {
+	g := NewWithT(t)
+
+	cli, err := api.NewClient(api.DefaultConfig())
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client")
+
+	// create a master key on the vault transit engine
+	path, data := "sops/keys/vault", map[string]interface{}{"type": "rsa-4096"}
+	_, err = cli.Logical().Write(path, data)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to write key")
+
+	// encrypt the testdata vault secret
+	cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/vault", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
+	err = cmd.Run()
+	g.Expect(err).NotTo(HaveOccurred(), "failed to encrypt file")
+
+	// defer the testdata vault secret decryption, to leave a clean testdata vault secret
+	defer func() {
+		cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
+		err = cmd.Run()
+	}()
+
+	id := "sops-" + randStringRunes(5)
+
+	err = createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	artifactName := "sops-" + randStringRunes(5)
+	artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops", artifactName)
+	g.Expect(err).ToNot(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("sops-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+
+	err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	pgpKey, err := os.ReadFile("testdata/sops/keys/pgp.asc")
+	g.Expect(err).ToNot(HaveOccurred())
+	ageKey, err := os.ReadFile("testdata/sops/keys/age.txt")
+	g.Expect(err).ToNot(HaveOccurred())
+
+	sopsSecretKey := types.NamespacedName{
+		Name:      "sops-" + randStringRunes(5),
+		Namespace: id,
+	}
+	sopsSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      sopsSecretKey.Name,
+			Namespace: sopsSecretKey.Namespace,
+		},
+		StringData: map[string]string{
+			"pgp.asc":          string(pgpKey),
+			"age.agekey":       string(ageKey),
+			"sops.vault-token": "secret",
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), sopsSecret)).To(Succeed())
+
+	kustomizationKey := types.NamespacedName{
+		Name:      fmt.Sprintf("sops-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	kustomization := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kustomizationKey.Name,
+			Namespace: kustomizationKey.Namespace,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			Interval: metav1.Duration{Duration: 2 * time.Minute},
+			Path:     "./",
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Name:      repositoryName.Name,
+				Namespace: repositoryName.Namespace,
+				Kind:      sourcev1.GitRepositoryKind,
+			},
+			Decryption: &kustomizev1.Decryption{
+				Provider: "sops",
+				SecretRef: &meta.LocalObjectReference{
+					Name: sopsSecretKey.Name,
+				},
+			},
+			TargetNamespace: id,
+		},
+	}
+	g.Expect(k8sClient.Create(context.TODO(), kustomization)).To(Succeed())
+
+	g.Eventually(func() bool {
+		var obj kustomizev1.Kustomization
+		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
+		return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
+	}, timeout, time.Second).Should(BeTrue())
+
+	t.Run("decrypts SOPS secrets", func(t *testing.T) {
+		g := NewWithT(t)
+
+		secretNames := []string{
+			"sops-algo-age",
+			"sops-algo-pgp",
+			"sops-algo-vault",
+			"sops-component",
+			"sops-envs-secret",
+			"sops-files-secret",
+			"sops-inside-secret",
+			"sops-remote-secret",
+		}
+		for _, name := range secretNames {
+			var secret corev1.Secret
+			g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &secret)).To(Succeed())
+			g.Expect(string(secret.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on secret %s", name))
+		}
+
+		configMapNames := []string{
+			"sops-envs-configmap",
+			"sops-files-configmap",
+			"sops-remote-configmap",
+		}
+		for _, name := range configMapNames {
+			var configMap corev1.ConfigMap
+			g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &configMap)).To(Succeed())
+			g.Expect(string(configMap.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on configmap %s", name))
+		}
+
+		var patchedSecret corev1.Secret
+		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-patches-secret", Namespace: id}, &patchedSecret)).To(Succeed())
+		g.Expect(string(patchedSecret.Data["key"])).To(Equal("merge1"))
+		g.Expect(string(patchedSecret.Data["merge2"])).To(Equal("merge2"))
+	})
+
+	t.Run("does not emit change events for identical secrets", func(t *testing.T) {
+		g := NewWithT(t)
+
+		resultK := &kustomizev1.Kustomization{}
+		revision := "v2.0.0"
+		err = applyGitRepository(repositoryName, artifactName, revision)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return resultK.Status.LastAppliedRevision == revision
+		}, timeout, time.Second).Should(BeTrue())
+
+		events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
+		g.Expect(len(events)).To(BeIdenticalTo(1))
+		g.Expect(events[0].Message).Should(ContainSubstring("Reconciliation finished"))
+		g.Expect(events[0].Message).ShouldNot(ContainSubstring("configured"))
+	})
+
+	t.Run("global SOPS age secret as fallback", func(t *testing.T) {
+		g := NewWithT(t)
+
+		namespace := "global-sops-" + randStringRunes(5)
+		t.Setenv("RUNTIME_NAMESPACE", namespace)
+
+		err := createNamespace(namespace)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		// Create the global SOPS age secret with the private key
+		ageKey, err := os.ReadFile("testdata/sops/keys/age-global.txt")
+		g.Expect(err).NotTo(HaveOccurred())
+
+		globalSOPSSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      sopsAgeSecret,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{
+				"identity.agekey": string(ageKey),
+			},
+		}
+		g.Expect(k8sClient.Create(context.Background(), globalSOPSSecret)).To(Succeed())
+
+		artifactName := "global-sops-" + randStringRunes(5)
+		artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops/global", artifactName)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		repositoryName := types.NamespacedName{
+			Name:      fmt.Sprintf("global-sops-%s", randStringRunes(5)),
+			Namespace: namespace,
+		}
+
+		err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		// Create Kustomization WITHOUT spec.decryption.secretRef
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("global-sops-%s", randStringRunes(5)),
+			Namespace: namespace,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				Interval: metav1.Duration{Duration: 2 * time.Minute},
+				Path:     "./",
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				TargetNamespace: namespace,
+				Decryption: &kustomizev1.Decryption{
+					Provider: "sops",
+				},
+			},
+		}
+		g.Expect(k8sClient.Create(context.TODO(), kustomization)).To(Succeed())
+
+		g.Eventually(func() bool {
+			var obj kustomizev1.Kustomization
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
+			return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
+		}, timeout, time.Second).Should(BeTrue())
+
+		// Verify the SOPS encrypted secret was decrypted using the global secret
+		var secret corev1.Secret
+		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "global-age-secret", Namespace: namespace}, &secret)).To(Succeed())
+		g.Expect(string(secret.Data["key"])).To(Equal("global-value"))
+	})
+
+	t.Run("spec.decryption.secretRef takes precedence over global secret", func(t *testing.T) {
+		g := NewWithT(t)
+
+		namespace := "precedence-" + randStringRunes(5)
+		t.Setenv("RUNTIME_NAMESPACE", namespace)
+
+		err := createNamespace(namespace)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		// Create global SOPS secret
+		ageGlobalKey, err := os.ReadFile("testdata/sops/keys/age-global.txt")
+		g.Expect(err).NotTo(HaveOccurred())
+
+		globalSOPSSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      sopsAgeSecret,
+				Namespace: namespace,
+			},
+			StringData: map[string]string{
+				"identity.agekey": string(ageGlobalKey),
+			},
+		}
+		g.Expect(k8sClient.Create(context.Background(), globalSOPSSecret)).To(Succeed())
+
+		localSOPSSecretKey := types.NamespacedName{
+			Name:      "local-sops-" + randStringRunes(5),
+			Namespace: namespace,
+		}
+		localSOPSSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      localSOPSSecretKey.Name,
+				Namespace: localSOPSSecretKey.Namespace,
+			},
+			StringData: map[string]string{
+				"pgp.asc":          string(pgpKey),
+				"age.agekey":       string(ageKey),
+				"sops.vault-token": "secret",
+			},
+		}
+		g.Expect(k8sClient.Create(context.Background(), localSOPSSecret)).To(Succeed())
+
+		artifactName := "precedence-" + randStringRunes(5)
+		artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops/algorithms", artifactName)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		repositoryName := types.NamespacedName{
+			Name:      fmt.Sprintf("precedence-%s", randStringRunes(5)),
+			Namespace: namespace,
+		}
+
+		err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		// Create Kustomization WITH spec.decryption.secretRef
+		kustomizationKey := types.NamespacedName{
+			Name:      fmt.Sprintf("precedence-%s", randStringRunes(5)),
+			Namespace: namespace,
+		}
+		kustomization := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      kustomizationKey.Name,
+				Namespace: kustomizationKey.Namespace,
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				Interval: metav1.Duration{Duration: 2 * time.Minute},
+				Path:     "./",
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Decryption: &kustomizev1.Decryption{
+					Provider: "sops",
+					SecretRef: &meta.LocalObjectReference{
+						Name: localSOPSSecretKey.Name,
+					},
+				},
+				TargetNamespace: namespace,
+			},
+		}
+		g.Expect(k8sClient.Create(context.TODO(), kustomization)).To(Succeed())
+
+		g.Eventually(func() bool {
+			var obj kustomizev1.Kustomization
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
+			return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
+		}, timeout, time.Second).Should(BeTrue())
+
+		// Verify the secret was decrypted using the local secret (not the global one)
+		var secret corev1.Secret
+		g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "algo-age", Namespace: namespace}, &secret)).To(Succeed())
+		g.Expect(string(secret.Data["key"])).To(Equal("value"))
+	})
+}

internal/controller/kustomization_deletion_policy_test.go

@@ -0,0 +1,171 @@
+/*
+Copyright 2024 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_DeletionPolicyDelete(t *testing.T) {
+	tests := []struct {
+		name           string
+		prune          bool
+		deletionPolicy string
+		wantDelete     bool
+	}{
+		{
+			name:           "should delete when deletionPolicy overrides pruning disabled",
+			prune:          false,
+			deletionPolicy: kustomizev1.DeletionPolicyDelete,
+			wantDelete:     true,
+		},
+		{
+			name:           "should delete and wait when deletionPolicy overrides pruning disabled",
+			prune:          false,
+			deletionPolicy: kustomizev1.DeletionPolicyWaitForTermination,
+			wantDelete:     true,
+		},
+		{
+			name:           "should delete when deletionPolicy mirrors prune and pruning enabled",
+			prune:          true,
+			deletionPolicy: kustomizev1.DeletionPolicyMirrorPrune,
+			wantDelete:     true,
+		},
+		{
+			name:           "should orphan when deletionPolicy overrides pruning enabled",
+			prune:          true,
+			deletionPolicy: kustomizev1.DeletionPolicyOrphan,
+			wantDelete:     false,
+		},
+		{
+			name:           "should orphan when deletionPolicy mirrors prune and pruning disabled",
+			prune:          false,
+			deletionPolicy: kustomizev1.DeletionPolicyMirrorPrune,
+			wantDelete:     false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			id := "gc-" + randStringRunes(5)
+			revision := "v1.0.0"
+
+			err := createNamespace(id)
+			g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+			err = createKubeConfigSecret(id)
+			g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+			manifests := func(name string, data string) []testserver.File {
+				return []testserver.File{
+					{
+						Name: "config.yaml",
+						Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+data:
+  key: "%[2]s"
+`, name, data),
+					},
+				}
+			}
+
+			artifact, err := testServer.ArtifactFromFiles(manifests(id, id))
+			g.Expect(err).NotTo(HaveOccurred())
+
+			repositoryName := types.NamespacedName{
+				Name:      fmt.Sprintf("gc-%s", randStringRunes(5)),
+				Namespace: id,
+			}
+
+			err = applyGitRepository(repositoryName, artifact, revision)
+			g.Expect(err).NotTo(HaveOccurred())
+
+			kustomizationKey := types.NamespacedName{
+				Name:      fmt.Sprintf("gc-%s", randStringRunes(5)),
+				Namespace: id,
+			}
+			kustomization := &kustomizev1.Kustomization{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      kustomizationKey.Name,
+					Namespace: kustomizationKey.Namespace,
+				},
+				Spec: kustomizev1.KustomizationSpec{
+					Interval: metav1.Duration{Duration: reconciliationInterval},
+					Path:     "./",
+					KubeConfig: &meta.KubeConfigReference{
+						SecretRef: &meta.SecretKeyReference{
+							Name: "kubeconfig",
+						},
+					},
+					SourceRef: kustomizev1.CrossNamespaceSourceReference{
+						Name:      repositoryName.Name,
+						Namespace: repositoryName.Namespace,
+						Kind:      sourcev1.GitRepositoryKind,
+					},
+					TargetNamespace: id,
+					Prune:           tt.prune,
+					DeletionPolicy:  tt.deletionPolicy,
+					Timeout:         &metav1.Duration{Duration: 5 * time.Second},
+				},
+			}
+
+			g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+			resultK := &kustomizev1.Kustomization{}
+			resultConfig := &corev1.ConfigMap{}
+
+			g.Eventually(func() bool {
+				_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+				return resultK.Status.LastAppliedRevision == revision
+			}, timeout, time.Second).Should(BeTrue())
+
+			g.Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: id, Namespace: id}, resultConfig)).Should(Succeed())
+
+			g.Expect(k8sClient.Delete(context.Background(), kustomization)).To(Succeed())
+			g.Eventually(func() bool {
+				err = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), kustomization)
+				return apierrors.IsNotFound(err)
+			}, timeout, time.Second).Should(BeTrue())
+
+			if tt.wantDelete {
+				err = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(resultConfig), resultConfig)
+				g.Expect(apierrors.IsNotFound(err)).To(BeTrue())
+			} else {
+				g.Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(resultConfig), resultConfig)).Should(Succeed())
+			}
+
+		})
+	}
+}

internal/controller/kustomization_dependson_test.go

@@ -0,0 +1,381 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/conditions"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_DependsOn(t *testing.T) {
+	g := NewWithT(t)
+	id := "dep-" + randStringRunes(5)
+	revision := "v1.0.0"
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	manifests := func(name string, data string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "config.yaml",
+				Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+data:
+  key: "%[2]s"
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: "v2-%[1]s"
+  namespace: "%[2]s"
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: test
+  minReplicas: 1
+  maxReplicas: 10
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 50
+  - type: Pods
+    pods:
+      metric:
+        name: packets-per-second
+      target:
+        type: AverageValue
+        averageValue: 1k
+  - type: Object
+    object:
+      metric:
+        name: requests-per-second
+      describedObject:
+        apiVersion: networking.k8s.io/v1beta1
+        kind: Ingress
+        name: main-route
+      target:
+        type: Value
+        value: 10k
+`, name, data),
+			},
+		}
+	}
+
+	artifact, err := testServer.ArtifactFromFiles(manifests(id, id))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+
+	kustomizationKey := types.NamespacedName{
+		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	kustomization := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kustomizationKey.Name,
+			Namespace: kustomizationKey.Namespace,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			Interval: metav1.Duration{Duration: time.Hour},
+			Path:     "./",
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Name:      repositoryName.Name,
+				Namespace: repositoryName.Namespace,
+				Kind:      sourcev1.GitRepositoryKind,
+			},
+			TargetNamespace: id,
+			Prune:           true,
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+	resultK := &kustomizev1.Kustomization{}
+
+	g.Eventually(func() bool {
+		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+		return conditions.Has(resultK, meta.ReadyCondition)
+	}, timeout, time.Second).Should(BeTrue())
+
+	t.Run("fails due to source not found", func(t *testing.T) {
+		g := NewWithT(t)
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.HasAnyReason(resultK, meta.ReadyCondition, meta.ArtifactFailedReason)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+
+	t.Run("reconciles when source is found", func(t *testing.T) {
+		g := NewWithT(t)
+		err = applyGitRepository(repositoryName, artifact, revision)
+		g.Expect(err).NotTo(HaveOccurred())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsReady(resultK)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+
+	t.Run("fails due to dependency not found", func(t *testing.T) {
+		g := NewWithT(t)
+		g.Eventually(func() error {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			resultK.Spec.DependsOn = []kustomizev1.DependencyReference{
+				{
+					Namespace: id,
+					Name:      "root",
+				},
+			}
+			return k8sClient.Update(context.Background(), resultK)
+		}, timeout, time.Second).Should(BeNil())
+
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.HasAnyReason(resultK, meta.ReadyCondition, meta.DependencyNotReadyReason)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+}
+
+func TestKustomizationReconciler_DependsOn_CEL(t *testing.T) {
+	g := NewWithT(t)
+	id := "dep-cel" + randStringRunes(5)
+	depID := "test-dep-" + randStringRunes(5)
+	revision := "v1.0.0"
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	manifests := func(name string, data string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "config.yaml",
+				Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+data:
+  key: "%[2]s"
+`, name, data),
+			},
+		}
+	}
+
+	artifact, err := testServer.ArtifactFromFiles(manifests(id, id))
+	g.Expect(err).NotTo(HaveOccurred())
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	err = applyGitRepository(repositoryName, artifact, revision)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	kustomizationKey := types.NamespacedName{
+		Name:      fmt.Sprintf("dep-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	kustomization := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kustomizationKey.Name,
+			Namespace: kustomizationKey.Namespace,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			Interval: metav1.Duration{Duration: time.Hour},
+			Path:     "./",
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Name:      repositoryName.Name,
+				Namespace: repositoryName.Namespace,
+				Kind:      sourcev1.GitRepositoryKind,
+			},
+			TargetNamespace: id,
+			Prune:           true,
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+	resultK := &kustomizev1.Kustomization{}
+
+	g.Eventually(func() bool {
+		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+		return conditions.Has(resultK, meta.ReadyCondition)
+	}, timeout, time.Second).Should(BeTrue())
+
+	t.Run("succeeds with readyExpr dependency check", func(t *testing.T) {
+		g := NewWithT(t)
+
+		// Create a dependency Kustomization with matching annotations
+		dependency := &kustomizev1.Kustomization{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      depID,
+				Namespace: id,
+				Annotations: map[string]string{
+					"app/version": "v1.2.3",
+				},
+			},
+			Spec: kustomizev1.KustomizationSpec{
+				Suspend:  true, // Suspended dependency should work with readyExpr and AdditiveCELDependencyCheck disabled
+				Interval: metav1.Duration{Duration: reconciliationInterval},
+				Path:     "./",
+				KubeConfig: &meta.KubeConfigReference{
+					SecretRef: &meta.SecretKeyReference{
+						Name: "kubeconfig",
+					},
+				},
+				SourceRef: kustomizev1.CrossNamespaceSourceReference{
+					Name:      repositoryName.Name,
+					Namespace: repositoryName.Namespace,
+					Kind:      sourcev1.GitRepositoryKind,
+				},
+				Prune: true,
+			},
+		}
+
+		g.Expect(k8sClient.Create(context.Background(), dependency)).To(Succeed())
+
+		// Update the main Kustomization with matching annotations and readyExpr
+		g.Eventually(func() error {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			resultK.ObjectMeta.Annotations = map[string]string{
+				"app/version": "v1.2.3",
+			}
+			resultK.Spec.DependsOn = []kustomizev1.DependencyReference{
+				{
+					Name:      dependency.Name,
+					ReadyExpr: `self.metadata.annotations['app/version'] == dep.metadata.annotations['app/version']`,
+				},
+			}
+			return k8sClient.Update(context.Background(), resultK)
+		}, timeout, time.Second).Should(BeNil())
+
+		// Should succeed because CEL expression evaluates to true
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsReady(resultK)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+
+	t.Run("fails with readyExpr when condition not met", func(t *testing.T) {
+		g := NewWithT(t)
+
+		// Update the main kustomization with mismatched annotations
+		g.Eventually(func() error {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			resultK.ObjectMeta.Annotations = map[string]string{
+				"app/version": "v1.2.4",
+			}
+			resultK.Spec.DependsOn = []kustomizev1.DependencyReference{
+				{
+					Namespace: id,
+					Name:      depID,
+					ReadyExpr: `self.metadata.annotations['app/version'] == dep.metadata.annotations['app/version']`,
+				},
+			}
+			return k8sClient.Update(context.Background(), resultK)
+		}, timeout, time.Second).Should(BeNil())
+
+		// Should fail because CEL expression evaluates to false
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			ready := conditions.Get(resultK, meta.ReadyCondition)
+			return ready.Reason == meta.DependencyNotReadyReason &&
+				strings.Contains(ready.Message, "not ready according to readyExpr")
+		}, timeout, time.Second).Should(BeTrue())
+
+		g.Expect(conditions.IsStalled(resultK)).Should(BeFalse())
+	})
+
+	t.Run("fails terminally with invalid readyExpr", func(t *testing.T) {
+		g := NewWithT(t)
+
+		// Update the main kustomization with invalid CEL expression
+		g.Eventually(func() error {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			resultK.Spec.DependsOn = []kustomizev1.DependencyReference{
+				{
+					Name:      depID,
+					ReadyExpr: `self.generation == deps.generation`, // Invalid vars
+				},
+			}
+			return k8sClient.Update(context.Background(), resultK)
+		}, timeout, time.Second).Should(BeNil())
+
+		// Should be marked as stalled because CEL expression is invalid
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return conditions.IsStalled(resultK)
+		}, timeout, time.Second).Should(BeTrue())
+
+		g.Expect(conditions.IsReady(resultK)).Should(BeFalse())
+		g.Expect(conditions.GetReason(resultK, meta.ReadyCondition)).Should(BeIdenticalTo(meta.InvalidCELExpressionReason))
+		g.Expect(conditions.GetMessage(resultK, meta.ReadyCondition)).Should(ContainSubstring("failed to parse"))
+	})
+
+	t.Run("GC works with failing dependency", func(t *testing.T) {
+		g := NewWithT(t)
+
+		g.Expect(k8sClient.Delete(context.Background(), kustomization)).To(Succeed())
+
+		g.Eventually(func() bool {
+			err = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return errors.IsNotFound(err)
+		}, timeout, time.Second).Should(BeTrue())
+	})
+}

internal/controller/kustomization_disallowed_managers_test.go

@@ -0,0 +1,156 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+)
+
+func TestKustomizationReconciler_DisallowedManagers(t *testing.T) {
+	g := NewWithT(t)
+	id := "disallowed-managers-" + randStringRunes(5)
+	revision := "v1.0.0"
+
+	err := createNamespace(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
+
+	err = createKubeConfigSecret(id)
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
+
+	manifests := func(name string, data string) []testserver.File {
+		return []testserver.File{
+			{
+				Name: "configmap.yaml",
+				Body: fmt.Sprintf(`---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: %[1]s
+data:
+  key: %[2]s
+`, name, data),
+			},
+		}
+	}
+
+	artifact, err := testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
+	g.Expect(err).NotTo(HaveOccurred(), "failed to create artifact from files")
+
+	repositoryName := types.NamespacedName{
+		Name:      fmt.Sprintf("disallowed-managers-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+
+	err = applyGitRepository(repositoryName, artifact, revision)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	kustomizationKey := types.NamespacedName{
+		Name:      fmt.Sprintf("disallowed-managers-%s", randStringRunes(5)),
+		Namespace: id,
+	}
+	kustomization := &kustomizev1.Kustomization{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      kustomizationKey.Name,
+			Namespace: kustomizationKey.Namespace,
+		},
+		Spec: kustomizev1.KustomizationSpec{
+			Interval: metav1.Duration{Duration: reconciliationInterval},
+			Path:     "./",
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
+					Name: "kubeconfig",
+				},
+			},
+			SourceRef: kustomizev1.CrossNamespaceSourceReference{
+				Name:      repositoryName.Name,
+				Namespace: repositoryName.Namespace,
+				Kind:      sourcev1.GitRepositoryKind,
+			},
+			HealthChecks: []meta.NamespacedObjectKindReference{
+				{
+					APIVersion: "v1",
+					Kind:       "ConfigMap",
+					Name:       id,
+					Namespace:  id,
+				},
+			},
+			TargetNamespace: id,
+			Force:           false,
+		},
+	}
+
+	g.Expect(k8sClient.Create(context.Background(), kustomization)).To(Succeed())
+
+	resultK := &kustomizev1.Kustomization{}
+	initialConfigMap := &corev1.ConfigMap{}
+	badConfigMap := &corev1.ConfigMap{}
+	fixedConfigMap := &corev1.ConfigMap{}
+
+	t.Run("creates configmap", func(t *testing.T) {
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return resultK.Status.LastAppliedRevision == revision
+		}, timeout, time.Second).Should(BeTrue())
+		logStatus(t, resultK)
+
+		kstatusCheck.CheckErr(ctx, resultK)
+		g.Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: id, Namespace: id}, initialConfigMap)).Should(Succeed())
+		g.Expect(initialConfigMap.Data).Should(HaveKey("key"))
+	})
+
+	t.Run("update configmap with new data", func(t *testing.T) {
+		configMap := corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      id,
+				Namespace: id,
+			},
+		}
+		err = k8sClient.Patch(context.Background(), &configMap, client.RawPatch(types.MergePatchType, []byte(`{"data":{"bad-key":"overridden field manager"}}`)), &client.PatchOptions{FieldManager: overrideManagerName})
+		g.Expect(err).NotTo(HaveOccurred())
+		err = k8sClient.Patch(context.Background(), &configMap, client.RawPatch(types.MergePatchType, []byte(`{"data":{"key2":"not overridden field manager"}}`)), &client.PatchOptions{FieldManager: "good-name"})
+		g.Expect(err).NotTo(HaveOccurred())
+		err = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(initialConfigMap), badConfigMap)
+		g.Expect(err).NotTo(HaveOccurred())
+		g.Expect(badConfigMap.Data).Should(HaveKey("bad-key"))
+		g.Expect(badConfigMap.Data).Should(HaveKey("key2"))
+	})
+
+	t.Run("bad-key should be removed from the configmap", func(t *testing.T) {
+		reconciler.Reconcile(context.Background(), ctrl.Request{
+			NamespacedName: kustomizationKey,
+		})
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(initialConfigMap), fixedConfigMap)
+			return g.Expect(fixedConfigMap.Data).ShouldNot(HaveKey("bad-key")) && g.Expect(fixedConfigMap.Data).Should(HaveKey("key2"))
+		}, timeout, time.Second).Should(BeTrue())
+	})
+}

internal/controller/kustomization_fetcher_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package controller
 
 import (
 	"context"
@@ -25,14 +25,14 @@ import (
 
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	. "github.com/onsi/gomega"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
 func TestKustomizationReconciler_ArtifactDownload(t *testing.T) {
@@ -85,8 +85,8 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},
 			},

internal/controller/kustomization_force_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package controller
 
 import (
 	"context"
@@ -22,16 +22,17 @@ import (
 	"testing"
 	"time"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
 func TestKustomizationReconciler_Force(t *testing.T) {
@@ -85,8 +86,8 @@ stringData:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: reconciliationInterval},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},
 			},
@@ -113,41 +114,44 @@ stringData:
 	resultK := &kustomizev1.Kustomization{}
 	resultSecret := &corev1.Secret{}
 
-	g.Eventually(func() bool {
-		_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-		return resultK.Status.LastAppliedRevision == revision
-	}, timeout, time.Second).Should(BeTrue())
-
 	t.Run("creates immutable secret", func(t *testing.T) {
+		g.Eventually(func() bool {
+			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
+			return resultK.Status.LastAppliedRevision == revision
+		}, timeout, time.Second).Should(BeTrue())
+		logStatus(t, resultK)
+
+		kstatusCheck.CheckErr(ctx, resultK)
 		g.Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: id, Namespace: id}, resultSecret)).Should(Succeed())
 	})
 
 	t.Run("fails to update immutable secret", func(t *testing.T) {
-		artifact, err := testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
+		artifact, err = testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
 		g.Expect(err).NotTo(HaveOccurred())
-		revision := "v2.0.0"
+		revision = "v2.0.0"
 		err = applyGitRepository(repositoryName, artifact, revision)
 		g.Expect(err).NotTo(HaveOccurred())
 
 		g.Eventually(func() bool {
 			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			return resultK.Status.LastAttemptedRevision == revision
+			return isReconcileFailure(resultK)
 		}, timeout, time.Second).Should(BeTrue())
+		logStatus(t, resultK)
 
-		g.Expect(apimeta.IsStatusConditionTrue(resultK.Status.Conditions, meta.ReadyCondition)).To(BeFalse())
+		kstatusCheck.CheckErr(ctx, resultK)
 
 		t.Run("emits validation error event", func(t *testing.T) {
 			events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
 			g.Expect(len(events) > 0).To(BeTrue())
 			g.Expect(events[0].Type).To(BeIdenticalTo("Warning"))
-			g.Expect(events[0].Message).To(ContainSubstring("invalid, error: secret is immutable"))
+			g.Expect(events[0].Message).To(ContainSubstring("field is immutable"))
 		})
 	})
 
 	t.Run("recreates immutable secret", func(t *testing.T) {
-		artifact, err := testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
+		artifact, err = testServer.ArtifactFromFiles(manifests(id, randStringRunes(5)))
 		g.Expect(err).NotTo(HaveOccurred())
-		revision := "v3.0.0"
+		revision = "v3.0.0"
 		err = applyGitRepository(repositoryName, artifact, revision)
 		g.Expect(err).NotTo(HaveOccurred())
 
@@ -159,10 +163,12 @@ stringData:
 
 		g.Eventually(func() bool {
 			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
-			return resultK.Status.LastAppliedRevision == revision
+			return isReconcileSuccess(resultK)
 		}, timeout, time.Second).Should(BeTrue())
+		logStatus(t, resultK)
 
-		g.Expect(apimeta.IsStatusConditionTrue(resultK.Status.Conditions, meta.ReadyCondition)).To(BeTrue())
-		g.Expect(apimeta.IsStatusConditionTrue(resultK.Status.Conditions, kustomizev1.HealthyCondition)).To(BeTrue())
+		kstatusCheck.CheckErr(ctx, resultK)
+
+		g.Expect(apimeta.IsStatusConditionTrue(resultK.Status.Conditions, meta.HealthyCondition)).To(BeTrue())
 	})
 }

internal/controller/kustomization_fuzzer_test.go

@@ -1,5 +1,5 @@
-//go:build gofuzz
-// +build gofuzz
+//go:build gofuzz_libfuzzer
+// +build gofuzz_libfuzzer
 
 /*
 Copyright 2021 The Flux authors
@@ -17,31 +17,51 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package controller
 
 import (
+	"archive/tar"
+	"compress/gzip"
 	"context"
+	"crypto/sha1"
+	"embed"
 	"errors"
 	"fmt"
+	"io"
+	"io/fs"
+	"math/rand"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strings"
 	"sync"
+	"testing"
 	"time"
 
-	"embed"
-	"io/fs"
-
 	securejoin "github.com/cyphar/filepath-securejoin"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/testenv"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	"github.com/hashicorp/vault/api"
+	"github.com/opencontainers/go-digest"
+	"github.com/ory/dockertest/v3"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	controllerLog "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/controller"
+	"github.com/fluxcd/pkg/runtime/testenv"
+	"github.com/fluxcd/pkg/testserver"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 
 	fuzz "github.com/AdaLogics/go-fuzz-headers"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
 var (
@@ -56,12 +76,12 @@ var (
 	debugMode    = os.Getenv("DEBUG_TEST") != ""
 )
 
-const vaultVersion = "1.2.2"
+const vaultVersion = "1.13.2"
 const defaultBinVersion = "1.24"
 
 //go:embed testdata/crd/*.yaml
-//go:embed testdata/sops/pgp.asc
-//go:embed testdata/sops/age.txt
+//go:embed testdata/sops/keys/pgp.asc
+//go:embed testdata/sops/keys/age.txt
 var testFiles embed.FS
 
 // FuzzControllers implements a fuzzer that targets the Kustomize controller.
@@ -105,8 +125,9 @@ func Fuzz_Controllers(f *testing.F) {
 			reconciler := &KustomizationReconciler{
 				ControllerName: controllerName,
 				Client:         testEnv,
+				Mapper:         testEnv.GetRESTMapper(),
 			}
-			if err := (reconciler).SetupWithManager(testEnv, KustomizationReconcilerOptions{MaxConcurrentReconciles: 1}); err != nil {
+			if err := (reconciler).SetupWithManager(ctx, testEnv, KustomizationReconcilerOptions{}); err != nil {
 				panic(fmt.Sprintf("Failed to start GitRepositoryReconciler: %v", err))
 			}
 		}, func() error {
@@ -162,11 +183,11 @@ func Fuzz_Controllers(f *testing.F) {
 			if err != nil {
 				return err
 			}
-			pgpKey, err := testFiles.ReadFile("testdata/sops/pgp.asc")
+			pgpKey, err := testFiles.ReadFile("testdata/sops/keys/pgp.asc")
 			if err != nil {
 				return err
 			}
-			ageKey, err := testFiles.ReadFile("testdata/sops/age.txt")
+			ageKey, err := testFiles.ReadFile("testdata/sops/keys/age.txt")
 			if err != nil {
 				return err
 			}
@@ -210,8 +231,8 @@ func Fuzz_Controllers(f *testing.F) {
 				},
 				Spec: kustomizev1.KustomizationSpec{
 					Path: "./",
-					KubeConfig: &kustomizev1.KubeConfig{
-						SecretRef: meta.SecretKeyReference{
+					KubeConfig: &meta.KubeConfigReference{
+						SecretRef: &meta.SecretKeyReference{
 							Name: "kubeconfig",
 						},
 					},
@@ -344,7 +365,7 @@ func createFiles(f *fuzz.ConsumeFuzzer, rootDir string) error {
 			continue // some errors here are not permanent, so we can try again with different values
 		}
 
-		err = os.MkdirAll(dirPath, 0o755)
+		err = os.MkdirAll(dirPath, 0o750)
 		if err != nil {
 			if noOfCreatedFiles > 0 {
 				return nil
@@ -413,7 +434,7 @@ func ensureDependencies() error {
 	// as it is being consumed directly from the embed.FS.
 	embedDirs := []string{"testdata/crd"}
 	for _, dir := range embedDirs {
-		err := os.MkdirAll(dir, 0o755)
+		err := os.MkdirAll(dir, 0o750)
 		if err != nil {
 			return fmt.Errorf("mkdir %s: %v", dir, err)
 		}
@@ -432,7 +453,7 @@ func ensureDependencies() error {
 				return fmt.Errorf("reading embedded file %s: %v", fileName, err)
 			}
 
-			os.WriteFile(fileName, data, 0o644)
+			os.WriteFile(fileName, data, 0o600)
 			if err != nil {
 				return fmt.Errorf("writing %s: %v", fileName, err)
 			}
@@ -579,7 +600,7 @@ func applyGitRepository(objKey client.ObjectKey, artifactName string, revision s
 	}
 
 	b, _ := os.ReadFile(filepath.Join(testServer.Root(), artifactName))
-	checksum := fmt.Sprintf("%x", sha256.Sum256(b))
+	dig := digest.SHA256.FromBytes(b)
 
 	url := fmt.Sprintf("%s/%s", testServer.URL(), artifactName)
 
@@ -596,7 +617,7 @@ func applyGitRepository(objKey client.ObjectKey, artifactName string, revision s
 			Path:           url,
 			URL:            url,
 			Revision:       revision,
-			Checksum:       checksum,
+			Digest:         dig.String(),
 			LastUpdateTime: metav1.Now(),
 		},
 	}
@@ -612,7 +633,14 @@ func applyGitRepository(objKey client.ObjectKey, artifactName string, revision s
 
 	repo.ManagedFields = nil
 	repo.Status = status
-	if err := k8sClient.Status().Patch(context.Background(), repo, client.Apply, opt...); err != nil {
+
+	statusOpts := &client.SubResourcePatchOptions{
+		PatchOptions: client.PatchOptions{
+			FieldManager: "source-controller",
+		},
+	}
+
+	if err := k8sClient.Status().Patch(context.Background(), repo, client.Apply, statusOpts); err != nil {
 		return err
 	}
 	return nil
@@ -700,7 +728,7 @@ func createArtifact(artifactServer *testserver.ArtifactServer, fixture, path str
 		return "", err
 	}
 
-	if err := os.Chmod(f.Name(), 0644); err != nil {
+	if err := os.Chmod(f.Name(), 0o600); err != nil {
 		return "", err
 	}
 

internal/controller/kustomization_impersonation_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package controllers
+package controller
 
 import (
 	"context"
@@ -22,10 +22,9 @@ import (
 	"testing"
 	"time"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/fluxcd/pkg/testserver"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -34,6 +33,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 )
 
 func TestKustomizationReconciler_Impersonation(t *testing.T) {
@@ -91,8 +92,8 @@ data:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: time.Minute},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
 					Name: "kubeconfig",
 				},
 			},
@@ -118,7 +119,7 @@ data:
 			return resultK.Status.LastAppliedRevision == revision
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationSucceededReason))
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationSucceededReason))
 	})
 
 	t.Run("fails to reconcile impersonating the default service account", func(t *testing.T) {
@@ -130,10 +131,9 @@ data:
 		g.Eventually(func() bool {
 			_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
 			readyCondition = apimeta.FindStatusCondition(resultK.Status.Conditions, meta.ReadyCondition)
-			return apimeta.IsStatusConditionFalse(resultK.Status.Conditions, meta.ReadyCondition)
+			return readyCondition.Reason == meta.ReconciliationFailedReason
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationFailedReason))
 		g.Expect(readyCondition.Message).To(ContainSubstring("system:serviceaccount:%s:default", id))
 	})
 
@@ -187,7 +187,7 @@ data:
 			return resultK.Status.LastAppliedRevision == revision
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationSucceededReason))
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationSucceededReason))
 	})
 
 	t.Run("can finalize impersonating service account", func(t *testing.T) {
@@ -260,8 +260,8 @@ data:
 		Spec: kustomizev1.KustomizationSpec{
 			Interval: metav1.Duration{Duration: time.Minute},
 			Path:     "./",
-			KubeConfig: &kustomizev1.KubeConfig{
-				SecretRef: meta.SecretKeyReference{
+			KubeConfig: &meta.KubeConfigReference{
+				SecretRef: &meta.SecretKeyReference{
 					Name: secretName,
 					Key:  secretKey,
 				},
@@ -288,7 +288,7 @@ data:
 			return apimeta.IsStatusConditionFalse(resultK.Status.Conditions, meta.ReadyCondition)
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationFailedReason))
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationFailedReason))
 		g.Expect(readyCondition.Message).To(ContainSubstring(`Secret "%s" not found`, secretName))
 	})
 
@@ -314,7 +314,7 @@ data:
 			return resultK.Status.LastAppliedRevision == revision
 		}, timeout, time.Second).Should(BeTrue())
 
-		g.Expect(readyCondition.Reason).To(Equal(kustomizev1.ReconciliationSucceededReason))
+		g.Expect(readyCondition.Reason).To(Equal(meta.ReconciliationSucceededReason))
 	})
 
 }