update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>

vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go

@@ -6,7 +6,7 @@ package imagetag
 import (
 	"sigs.k8s.io/kustomize/api/filters/filtersutil"
 
-	"sigs.k8s.io/kustomize/api/image"
+	"sigs.k8s.io/kustomize/api/internal/image"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )

vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go

@@ -284,9 +284,9 @@ func (f Filter) roleRefFilter() sieveFunc {
 	return previousIdSelectedByGvk(roleRefGvk)
 }
 
-func prefixSuffixEquals(other resource.ResCtx) sieveFunc {
+func prefixSuffixEquals(other resource.ResCtx, allowEmpty bool) sieveFunc {
 	return func(r *resource.Resource) bool {
-		return r.PrefixesSuffixesEquals(other)
+		return r.PrefixesSuffixesEquals(other, allowEmpty)
 	}
 }
 
@@ -325,7 +325,10 @@ func (f Filter) selectReferral(
 	if len(candidates) == 1 {
 		return candidates[0], nil
 	}
-	candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer))
+	candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, true))
+	if len(candidates) > 1 {
+		candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, false))
+	}
 	if len(candidates) == 1 {
 		return candidates[0], nil
 	}

vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go

@@ -6,7 +6,7 @@ package patchjson6902
 import (
 	"strings"
 
-	jsonpatch "github.com/evanphx/json-patch"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
 	"sigs.k8s.io/kustomize/kyaml/kio"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 	k8syaml "sigs.k8s.io/yaml"

vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go

@@ -126,8 +126,8 @@ func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []
 			}
 
 			// filter targets by matching resource IDs
-			for i, id := range ids {
-				if id.IsSelectedBy(selector.Select.ResId) && !rejectId(selector.Reject, &ids[i]) {
+			for _, id := range ids {
+				if id.IsSelectedBy(selector.Select.ResId) && !containsRejectId(selector.Reject, ids) {
 					err := copyValueToTarget(possibleTarget, value, selector)
 					if err != nil {
 						return nil, err
@@ -168,10 +168,15 @@ func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool,
 	return annoMatch && labelMatch, nil
 }
 
-func rejectId(rejects []*types.Selector, id *resid.ResId) bool {
+func containsRejectId(rejects []*types.Selector, ids []resid.ResId) bool {
 	for _, r := range rejects {
-		if !r.ResId.IsEmpty() && id.IsSelectedBy(r.ResId) {
-			return true
+		if r.ResId.IsEmpty() {
+			continue
+		}
+		for _, id := range ids {
+			if id.IsSelectedBy(r.ResId) {
+				return true
+			}
 		}
 	}
 	return false

vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go

@@ -144,7 +144,7 @@ func loadCrdIntoConfig(
 		}
 		_, label := property.Extensions.GetString(xLabelSelector)
 		if label {
-			err = theConfig.AddLabelFieldSpec(
+			err = theConfig.AddCommonLabelsFieldSpec(
 				makeFs(theGvk, append(path, propName)))
 			if err != nil {
 				return

vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go

@@ -12,11 +12,12 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/imdario/mergo"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio"
+	kyaml "sigs.k8s.io/kustomize/kyaml/yaml"
+	"sigs.k8s.io/kustomize/kyaml/yaml/merge2"
 	"sigs.k8s.io/yaml"
 )
 
@@ -53,6 +54,15 @@ func (p *HelmChartInflationGeneratorPlugin) Config(
 	if h.GeneralConfig().HelmConfig.Command == "" {
 		return fmt.Errorf("must specify --helm-command")
 	}
+
+	// CLI args takes precedence
+	if h.GeneralConfig().HelmConfig.KubeVersion != "" {
+		p.HelmChart.KubeVersion = h.GeneralConfig().HelmConfig.KubeVersion
+	}
+	if len(h.GeneralConfig().HelmConfig.ApiVersions) != 0 {
+		p.HelmChart.ApiVersions = h.GeneralConfig().HelmConfig.ApiVersions
+	}
+
 	p.h = h
 	if err = yaml.Unmarshal(config, p); err != nil {
 		return
@@ -91,7 +101,7 @@ func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) {
 	// be under the loader root (unless root restrictions are
 	// disabled).
 	if p.ValuesFile == "" {
-		p.ValuesFile = filepath.Join(p.ChartHome, p.Name, "values.yaml")
+		p.ValuesFile = filepath.Join(p.absChartHome(), p.Name, "values.yaml")
 	}
 	for i, file := range p.AdditionalValuesFiles {
 		// use Load() to enforce root restrictions
@@ -132,10 +142,17 @@ func (p *HelmChartInflationGeneratorPlugin) errIfIllegalValuesMerge() error {
 }
 
 func (p *HelmChartInflationGeneratorPlugin) absChartHome() string {
+	var chartHome string
 	if filepath.IsAbs(p.ChartHome) {
-		return p.ChartHome
+		chartHome = p.ChartHome
+	} else {
+		chartHome = filepath.Join(p.h.Loader().Root(), p.ChartHome)
 	}
-	return filepath.Join(p.h.Loader().Root(), p.ChartHome)
+
+	if p.Version != "" && p.Repo != "" {
+		return filepath.Join(chartHome, fmt.Sprintf("%s-%s", p.Name, p.Version))
+	}
+	return chartHome
 }
 
 func (p *HelmChartInflationGeneratorPlugin) runHelmCommand(
@@ -185,18 +202,33 @@ func (p *HelmChartInflationGeneratorPlugin) replaceValuesInline() error {
 	if err != nil {
 		return err
 	}
-	chValues := make(map[string]interface{})
-	if err = yaml.Unmarshal(pValues, &chValues); err != nil {
-		return err
+	chValues, err := kyaml.Parse(string(pValues))
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse values file into rnode")
 	}
+	inlineValues, err := kyaml.FromMap(p.ValuesInline)
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse values inline into rnode")
+	}
+	var outValues *kyaml.RNode
 	switch p.ValuesMerge {
+	// Function `merge2.Merge` overrides values in dest with values from src.
+	// To achieve override or merge behavior, we pass parameters in different order.
+	// Object passed as dest will be modified, so we copy it just in case someone
+	// decides to use it after this is called.
 	case valuesMergeOptionOverride:
-		err = mergo.Merge(
-			&chValues, p.ValuesInline, mergo.WithOverride)
+		outValues, err = merge2.Merge(inlineValues, chValues.Copy(), kyaml.MergeOptions{})
 	case valuesMergeOptionMerge:
-		err = mergo.Merge(&chValues, p.ValuesInline)
+		outValues, err = merge2.Merge(chValues, inlineValues.Copy(), kyaml.MergeOptions{})
 	}
-	p.ValuesInline = chValues
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not merge values")
+	}
+	mapValues, err := outValues.Map()
+	if err != nil {
+		return errors.WrapPrefixf(err, "could not parse merged values into map")
+	}
+	p.ValuesInline = mapValues
 	return err
 }
 
@@ -281,8 +313,18 @@ func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string {
 		"pull",
 		"--untar",
 		"--untardir", p.absChartHome(),
-		"--repo", p.Repo,
-		p.Name}
+	}
+
+	switch {
+	case strings.HasPrefix(p.Repo, "oci://"):
+		args = append(args, strings.TrimSuffix(p.Repo, "/")+"/"+p.Name)
+	case p.Repo != "":
+		args = append(args, "--repo", p.Repo)
+		fallthrough
+	default:
+		args = append(args, p.Name)
+	}
+
 	if p.Version != "" {
 		args = append(args, "--version", p.Version)
 	}

vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go

@@ -6,7 +6,7 @@ package builtins
 import (
 	"fmt"
 
-	jsonpatch "github.com/evanphx/json-patch"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
 	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/resmap"

vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go

@@ -7,104 +7,123 @@ import (
 	"fmt"
 	"strings"
 
-	jsonpatch "github.com/evanphx/json-patch"
+	jsonpatch "gopkg.in/evanphx/json-patch.v4"
 	"sigs.k8s.io/kustomize/api/filters/patchjson6902"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/yaml"
 )
 
 type PatchTransformerPlugin struct {
-	loadedPatch  *resource.Resource
-	decodedPatch jsonpatch.Patch
-	Path         string          `json:"path,omitempty" yaml:"path,omitempty"`
-	Patch        string          `json:"patch,omitempty" yaml:"patch,omitempty"`
-	Target       *types.Selector `json:"target,omitempty" yaml:"target,omitempty"`
-	Options      map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
+	smPatches   []*resource.Resource // strategic-merge patches
+	jsonPatches jsonpatch.Patch      // json6902 patch
+	// patchText is pure patch text created by Path or Patch
+	patchText string
+	// patchSource is patch source message
+	patchSource string
+	Path        string          `json:"path,omitempty"    yaml:"path,omitempty"`
+	Patch       string          `json:"patch,omitempty"   yaml:"patch,omitempty"`
+	Target      *types.Selector `json:"target,omitempty"  yaml:"target,omitempty"`
+	Options     map[string]bool `json:"options,omitempty" yaml:"options,omitempty"`
 }
 
-func (p *PatchTransformerPlugin) Config(
-	h *resmap.PluginHelpers, c []byte) error {
-	err := yaml.Unmarshal(c, p)
-	if err != nil {
+func (p *PatchTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error {
+	if err := yaml.Unmarshal(c, p); err != nil {
 		return err
 	}
+
 	p.Patch = strings.TrimSpace(p.Patch)
-	if p.Patch == "" && p.Path == "" {
-		return fmt.Errorf(
-			"must specify one of patch and path in\n%s", string(c))
-	}
-	if p.Patch != "" && p.Path != "" {
-		return fmt.Errorf(
-			"patch and path can't be set at the same time\n%s", string(c))
-	}
-	if p.Path != "" {
-		loaded, loadErr := h.Loader().Load(p.Path)
-		if loadErr != nil {
-			return loadErr
+	switch {
+	case p.Patch == "" && p.Path == "":
+		return fmt.Errorf("must specify one of patch and path in\n%s", string(c))
+	case p.Patch != "" && p.Path != "":
+		return fmt.Errorf("patch and path can't be set at the same time\n%s", string(c))
+	case p.Patch != "":
+		p.patchText = p.Patch
+		p.patchSource = fmt.Sprintf("[patch: %q]", p.patchText)
+	case p.Path != "":
+		loaded, err := h.Loader().Load(p.Path)
+		if err != nil {
+			return fmt.Errorf("failed to get the patch file from path(%s): %w", p.Path, err)
 		}
-		p.Patch = string(loaded)
+		p.patchText = string(loaded)
+		p.patchSource = fmt.Sprintf("[path: %q]", p.Path)
 	}
 
-	patchSM, errSM := h.ResmapFactory().RF().FromBytes([]byte(p.Patch))
-	patchJson, errJson := jsonPatchFromBytes([]byte(p.Patch))
+	patchesSM, errSM := h.ResmapFactory().RF().SliceFromBytes([]byte(p.patchText))
+	patchesJson, errJson := jsonPatchFromBytes([]byte(p.patchText))
+
 	if (errSM == nil && errJson == nil) ||
-		(patchSM != nil && patchJson != nil) {
+		(patchesSM != nil && patchesJson != nil) {
 		return fmt.Errorf(
-			"illegally qualifies as both an SM and JSON patch: [%v]",
-			p.Patch)
+			"illegally qualifies as both an SM and JSON patch: %s",
+			p.patchSource)
 	}
 	if errSM != nil && errJson != nil {
 		return fmt.Errorf(
-			"unable to parse SM or JSON patch from [%v]", p.Patch)
+			"unable to parse SM or JSON patch from %s", p.patchSource)
 	}
 	if errSM == nil {
-		p.loadedPatch = patchSM
-		if p.Options["allowNameChange"] {
-			p.loadedPatch.AllowNameChange()
-		}
-		if p.Options["allowKindChange"] {
-			p.loadedPatch.AllowKindChange()
+		p.smPatches = patchesSM
+		for _, loadedPatch := range p.smPatches {
+			if p.Options["allowNameChange"] {
+				loadedPatch.AllowNameChange()
+			}
+			if p.Options["allowKindChange"] {
+				loadedPatch.AllowKindChange()
+			}
 		}
 	} else {
-		p.decodedPatch = patchJson
+		p.jsonPatches = patchesJson
 	}
 	return nil
 }
 
 func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error {
-	if p.loadedPatch == nil {
-		return p.transformJson6902(m, p.decodedPatch)
+	if p.smPatches != nil {
+		return p.transformStrategicMerge(m)
 	}
-	// The patch was a strategic merge patch
-	return p.transformStrategicMerge(m, p.loadedPatch)
+	return p.transformJson6902(m)
 }
 
-// transformStrategicMerge applies the provided strategic merge patch
-// to all the resources in the ResMap that match either the Target or
-// the identifier of the patch.
-func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap, patch *resource.Resource) error {
-	if p.Target == nil {
+// transformStrategicMerge applies each loaded strategic merge patch
+// to the resource in the ResMap that matches the identifier of the patch.
+// If only one patch is specified, the Target can be used instead.
+func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap) error {
+	if p.Target != nil {
+		if len(p.smPatches) > 1 {
+			// detail: https://github.com/kubernetes-sigs/kustomize/issues/5049#issuecomment-1440604403
+			return fmt.Errorf("Multiple Strategic-Merge Patches in one `patches` entry is not allowed to set `patches.target` field: %s", p.patchSource)
+		}
+
+		// single patch
+		patch := p.smPatches[0]
+		selected, err := m.Select(*p.Target)
+		if err != nil {
+			return fmt.Errorf("unable to find patch target %q in `resources`: %w", p.Target, err)
+		}
+		return errors.Wrap(m.ApplySmPatch(resource.MakeIdSet(selected), patch))
+	}
+
+	for _, patch := range p.smPatches {
 		target, err := m.GetById(patch.OrgId())
 		if err != nil {
-			return err
+			return fmt.Errorf("no resource matches strategic merge patch %q: %w", patch.OrgId(), err)
+		}
+		if err := target.ApplySmPatch(patch); err != nil {
+			return errors.Wrap(err)
 		}
-		return target.ApplySmPatch(patch)
 	}
-	selected, err := m.Select(*p.Target)
-	if err != nil {
-		return err
-	}
-	return m.ApplySmPatch(resource.MakeIdSet(selected), patch)
+	return nil
 }
 
-// transformJson6902 applies the provided json6902 patch
-// to all the resources in the ResMap that match the Target.
-func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpatch.Patch) error {
+// transformJson6902 applies json6902 Patch to all the resources in the ResMap that match Target.
+func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap) error {
 	if p.Target == nil {
-		return fmt.Errorf("must specify a target for patch %s", p.Patch)
+		return fmt.Errorf("must specify a target for JSON patch %s", p.patchSource)
 	}
 	resources, err := m.Select(*p.Target)
 	if err != nil {
@@ -114,7 +133,7 @@ func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpa
 		res.StorePreviousId()
 		internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode)
 		err = res.ApplyFilter(patchjson6902.Filter{
-			Patch: p.Patch,
+			Patch: p.patchText,
 		})
 		if err != nil {
 			return err
@@ -129,16 +148,17 @@ func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap, patch jsonpa
 	return nil
 }
 
-// jsonPatchFromBytes loads a Json 6902 patch from
-// a bytes input
-func jsonPatchFromBytes(
-	in []byte) (jsonpatch.Patch, error) {
+// jsonPatchFromBytes loads a Json 6902 patch from a bytes input
+func jsonPatchFromBytes(in []byte) (jsonpatch.Patch, error) {
 	ops := string(in)
 	if ops == "" {
 		return nil, fmt.Errorf("empty json patch operations")
 	}
 
 	if ops[0] != '[' {
+		// TODO(5049):
+		//   In the case of multiple yaml documents, return error instead of ignoring all but first.
+		//   Details: https://github.com/kubernetes-sigs/kustomize/pull/5194#discussion_r1256686728
 		jsonOps, err := yaml.YAMLToJSON(in)
 		if err != nil {
 			return nil, err

vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go

@@ -74,34 +74,16 @@ func (p *SortOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) {
 
 	// Sort
 	if p.SortOptions.Order == types.LegacySortOrder {
-		s := newLegacyIDSorter(m.AllIds(), p.SortOptions.LegacySortOptions)
+		s := newLegacyIDSorter(m.Resources(), p.SortOptions.LegacySortOptions)
 		sort.Sort(s)
-		err = applyOrdering(m, s.resids)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
 
-// applyOrdering takes resources (given in ResMap) and a desired ordering given
-// as a sequence of ResIds, and updates the ResMap's resources to match the
-// ordering.
-func applyOrdering(m resmap.ResMap, ordering []resid.ResId) error {
-	var err error
-	resources := make([]*resource.Resource, m.Size())
-	// Clear and refill with the correct order
-	for i, id := range ordering {
-		resources[i], err = m.GetByCurrentId(id)
-		if err != nil {
-			return errors.WrapPrefixf(err, "expected match for sorting")
-		}
-	}
-	m.Clear()
-	for _, r := range resources {
-		err = m.Append(r)
-		if err != nil {
-			return errors.WrapPrefixf(err, "SortOrderTransformer: Failed to append to resources")
+		// Clear the map and re-add the resources in the sorted order.
+		m.Clear()
+		for _, r := range s.resources {
+			err := m.Append(r)
+			if err != nil {
+				return errors.WrapPrefixf(err, "SortOrderTransformer: Failed to append to resources")
+			}
 		}
 	}
 	return nil
@@ -117,12 +99,17 @@ func applyOrdering(m resmap.ResMap, ordering []resid.ResId) error {
 type legacyIDSorter struct {
 	// resids only stores the metadata of the object. This is an optimization as
 	// it's expensive to compute these again and again during ordering.
-	resids     []resid.ResId
+	resids []resid.ResId
+	// Initially, we sorted the metadata (ResId) of each object and then called GetByCurrentId on each to construct the final list.
+	// The problem is that GetByCurrentId is inefficient and does a linear scan in a list every time we do that.
+	// So instead, we sort resources alongside the ResIds.
+	resources []*resource.Resource
+
 	typeOrders map[string]int
 }
 
 func newLegacyIDSorter(
-	resids []resid.ResId,
+	resources []*resource.Resource,
 	options *types.LegacySortOptions) *legacyIDSorter {
 	// Precalculate a resource ranking based on the priority lists.
 	var typeOrders = func() map[string]int {
@@ -135,10 +122,13 @@ func newLegacyIDSorter(
 		}
 		return m
 	}()
-	return &legacyIDSorter{
-		resids:     resids,
-		typeOrders: typeOrders,
+
+	ret := &legacyIDSorter{typeOrders: typeOrders}
+	for _, res := range resources {
+		ret.resids = append(ret.resids, res.CurId())
+		ret.resources = append(ret.resources, res)
 	}
+	return ret
 }
 
 var _ sort.Interface = legacyIDSorter{}
@@ -146,6 +136,7 @@ var _ sort.Interface = legacyIDSorter{}
 func (a legacyIDSorter) Len() int { return len(a.resids) }
 func (a legacyIDSorter) Swap(i, j int) {
 	a.resids[i], a.resids[j] = a.resids[j], a.resids[i]
+	a.resources[i], a.resources[j] = a.resources[j], a.resources[i]
 }
 func (a legacyIDSorter) Less(i, j int) bool {
 	if !a.resids[i].Gvk.Equals(a.resids[j].Gvk) {

vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go

@@ -22,10 +22,16 @@ func ClonerUsingGitExec(repoSpec *RepoSpec) error {
 	if err = r.run("init"); err != nil {
 		return err
 	}
+	// git relative submodule need origin, see https://github.com/kubernetes-sigs/kustomize/issues/5131
+	if err = r.run("remote", "add", "origin", repoSpec.CloneSpec()); err != nil {
+		return err
+	}
 	ref := "HEAD"
 	if repoSpec.Ref != "" {
 		ref = repoSpec.Ref
 	}
+	// we use repoSpec.CloneSpec() instead of origin because on error,
+	// the prior prints the actual repo url for the user.
 	if err = r.run("fetch", "--depth=1", repoSpec.CloneSpec(), ref); err != nil {
 		return err
 	}

vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go

@@ -25,7 +25,7 @@ func IsRemoteFile(path string) bool {
 	return err == nil && (u.Scheme == "http" || u.Scheme == "https")
 }
 
-// fileLoader is a kustomization's interface to files.
+// FileLoader is a kustomization's interface to files.
 //
 // The directory in which a kustomization file sits
 // is referred to below as the kustomization's _root_.
@@ -38,49 +38,48 @@ func IsRemoteFile(path string) bool {
 //
 // * supplemental data paths
 //
-//   `Load` is used to visit these paths.
+//	`Load` is used to visit these paths.
 //
-//   These paths refer to resources, patches,
-//   data for ConfigMaps and Secrets, etc.
+//	These paths refer to resources, patches,
+//	data for ConfigMaps and Secrets, etc.
 //
-//   The loadRestrictor may disallow certain paths
-//   or classes of paths.
+//	The loadRestrictor may disallow certain paths
+//	or classes of paths.
 //
 // * bases (other kustomizations)
 //
-//   `New` is used to load bases.
+//	`New` is used to load bases.
 //
-//   A base can be either a remote git repo URL, or
-//   a directory specified relative to the current
-//   root. In the former case, the repo is locally
-//   cloned, and the new loader is rooted on a path
-//   in that clone.
+//	A base can be either a remote git repo URL, or
+//	a directory specified relative to the current
+//	root. In the former case, the repo is locally
+//	cloned, and the new loader is rooted on a path
+//	in that clone.
 //
-//   As loaders create new loaders, a root history
-//   is established, and used to disallow:
+//	As loaders create new loaders, a root history
+//	is established, and used to disallow:
 //
-//   - A base that is a repository that, in turn,
-//     specifies a base repository seen previously
-//     in the loading stack (a cycle).
+//	- A base that is a repository that, in turn,
+//	  specifies a base repository seen previously
+//	  in the loading stack (a cycle).
 //
-//   - An overlay depending on a base positioned at
-//     or above it.  I.e. '../foo' is OK, but '.',
-//     '..', '../..', etc. are disallowed.  Allowing
-//     such a base has no advantages and encourages
-//     cycles, particularly if some future change
-//     were to introduce globbing to file
-//     specifications in the kustomization file.
+//	- An overlay depending on a base positioned at
+//	  or above it.  I.e. '../foo' is OK, but '.',
+//	  '..', '../..', etc. are disallowed.  Allowing
+//	  such a base has no advantages and encourages
+//	  cycles, particularly if some future change
+//	  were to introduce globbing to file
+//	  specifications in the kustomization file.
 //
 // These restrictions assure that kustomizations
 // are self-contained and relocatable, and impose
 // some safety when relying on remote kustomizations,
 // e.g. a remotely loaded ConfigMap generator specified
 // to read from /etc/passwd will fail.
-//
-type fileLoader struct {
+type FileLoader struct {
 	// Loader that spawned this loader.
 	// Used to avoid cycles.
-	referrer *fileLoader
+	referrer *FileLoader
 
 	// An absolute, cleaned path to a directory.
 	// The Load function will read non-absolute
@@ -107,23 +106,9 @@ type fileLoader struct {
 	cleaner func() error
 }
 
-// NewFileLoaderAtCwd returns a loader that loads from PWD.
-// A convenience for kustomize edit commands.
-func NewFileLoaderAtCwd(fSys filesys.FileSystem) *fileLoader {
-	return newLoaderOrDie(
-		RestrictionRootOnly, fSys, filesys.SelfDir)
-}
-
-// NewFileLoaderAtRoot returns a loader that loads from "/".
-// A convenience for tests.
-func NewFileLoaderAtRoot(fSys filesys.FileSystem) *fileLoader {
-	return newLoaderOrDie(
-		RestrictionRootOnly, fSys, filesys.Separator)
-}
-
 // Repo returns the absolute path to the repo that contains Root if this fileLoader was created from a url
 // or the empty string otherwise.
-func (fl *fileLoader) Repo() string {
+func (fl *FileLoader) Repo() string {
 	if fl.repoSpec != nil {
 		return fl.repoSpec.Dir.String()
 	}
@@ -132,13 +117,13 @@ func (fl *fileLoader) Repo() string {
 
 // Root returns the absolute path that is prepended to any
 // relative paths used in Load.
-func (fl *fileLoader) Root() string {
+func (fl *FileLoader) Root() string {
 	return fl.root.String()
 }
 
-func newLoaderOrDie(
+func NewLoaderOrDie(
 	lr LoadRestrictorFunc,
-	fSys filesys.FileSystem, path string) *fileLoader {
+	fSys filesys.FileSystem, path string) *FileLoader {
 	root, err := filesys.ConfirmDir(fSys, path)
 	if err != nil {
 		log.Fatalf("unable to make loader at '%s'; %v", path, err)
@@ -147,12 +132,12 @@ func newLoaderOrDie(
 		lr, root, fSys, nil, git.ClonerUsingGitExec)
 }
 
-// newLoaderAtConfirmedDir returns a new fileLoader with given root.
+// newLoaderAtConfirmedDir returns a new FileLoader with given root.
 func newLoaderAtConfirmedDir(
 	lr LoadRestrictorFunc,
 	root filesys.ConfirmedDir, fSys filesys.FileSystem,
-	referrer *fileLoader, cloner git.Cloner) *fileLoader {
-	return &fileLoader{
+	referrer *FileLoader, cloner git.Cloner) *FileLoader {
+	return &FileLoader{
 		loadRestrictor: lr,
 		root:           root,
 		referrer:       referrer,
@@ -164,7 +149,7 @@ func newLoaderAtConfirmedDir(
 
 // New returns a new Loader, rooted relative to current loader,
 // or rooted in a temp directory holding a git repo clone.
-func (fl *fileLoader) New(path string) (ifc.Loader, error) {
+func (fl *FileLoader) New(path string) (ifc.Loader, error) {
 	if path == "" {
 		return nil, errors.Errorf("new root cannot be empty")
 	}
@@ -200,7 +185,7 @@ func (fl *fileLoader) New(path string) (ifc.Loader, error) {
 // directory holding a cloned git repo.
 func newLoaderAtGitClone(
 	repoSpec *git.RepoSpec, fSys filesys.FileSystem,
-	referrer *fileLoader, cloner git.Cloner) (ifc.Loader, error) {
+	referrer *FileLoader, cloner git.Cloner) (ifc.Loader, error) {
 	cleaner := repoSpec.Cleaner(fSys)
 	err := cloner(repoSpec)
 	if err != nil {
@@ -229,7 +214,7 @@ func newLoaderAtGitClone(
 		return nil, fmt.Errorf("%q refers to directory outside of repo %q", repoSpec.AbsPath(),
 			repoSpec.CloneDir())
 	}
-	return &fileLoader{
+	return &FileLoader{
 		// Clones never allowed to escape root.
 		loadRestrictor: RestrictionRootOnly,
 		root:           root,
@@ -241,7 +226,7 @@ func newLoaderAtGitClone(
 	}, nil
 }
 
-func (fl *fileLoader) errIfGitContainmentViolation(
+func (fl *FileLoader) errIfGitContainmentViolation(
 	base filesys.ConfirmedDir) error {
 	containingRepo := fl.containingRepo()
 	if containingRepo == nil {
@@ -259,7 +244,7 @@ func (fl *fileLoader) errIfGitContainmentViolation(
 
 // Looks back through referrers for a git repo, returning nil
 // if none found.
-func (fl *fileLoader) containingRepo() *git.RepoSpec {
+func (fl *FileLoader) containingRepo() *git.RepoSpec {
 	if fl.repoSpec != nil {
 		return fl.repoSpec
 	}
@@ -271,7 +256,7 @@ func (fl *fileLoader) containingRepo() *git.RepoSpec {
 
 // errIfArgEqualOrHigher tests whether the argument,
 // is equal to or above the root of any ancestor.
-func (fl *fileLoader) errIfArgEqualOrHigher(
+func (fl *FileLoader) errIfArgEqualOrHigher(
 	candidateRoot filesys.ConfirmedDir) error {
 	if fl.root.HasPrefix(candidateRoot) {
 		return fmt.Errorf(
@@ -288,7 +273,7 @@ func (fl *fileLoader) errIfArgEqualOrHigher(
 // I.e. Allow a distinction between git URI with
 // path foo and tag bar and a git URI with the same
 // path but a different tag?
-func (fl *fileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
+func (fl *FileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
 	// TODO(monopole): Use parsed data instead of Raw().
 	if fl.repoSpec != nil &&
 		strings.HasPrefix(fl.repoSpec.Raw(), newRepoSpec.Raw()) {
@@ -305,7 +290,7 @@ func (fl *fileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error {
 // Load returns the content of file at the given path,
 // else an error. Relative paths are taken relative
 // to the root.
-func (fl *fileLoader) Load(path string) ([]byte, error) {
+func (fl *FileLoader) Load(path string) ([]byte, error) {
 	if IsRemoteFile(path) {
 		return fl.httpClientGetContent(path)
 	}
@@ -319,7 +304,7 @@ func (fl *fileLoader) Load(path string) ([]byte, error) {
 	return fl.fSys.ReadFile(path)
 }
 
-func (fl *fileLoader) httpClientGetContent(path string) ([]byte, error) {
+func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
 	var hc *http.Client
 	if fl.http != nil {
 		hc = fl.http
@@ -344,6 +329,6 @@ func (fl *fileLoader) httpClientGetContent(path string) ([]byte, error) {
 }
 
 // Cleanup runs the cleaner.
-func (fl *fileLoader) Cleanup() error {
+func (fl *FileLoader) Cleanup() error {
 	return fl.cleaner()
 }

vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go

@@ -33,7 +33,7 @@ func loadDefaultConfig(
 // makeTransformerConfigFromBytes returns a TransformerConfig object from bytes
 func makeTransformerConfigFromBytes(data []byte) (*TransformerConfig, error) {
 	var t TransformerConfig
-	err := yaml.Unmarshal(data, &t)
+	err := yaml.UnmarshalStrict(data, &t)
 	if err != nil {
 		return nil, err
 	}

vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go

@@ -47,6 +47,8 @@ type NameBackReferences struct {
 	// TODO: rename json 'fieldSpecs' to 'referrers' for clarity.
 	// This will, however, break anyone using a custom config.
 	Referrers types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+
+	// Note: If any new pointer based members are added, DeepCopy needs to be updated
 }
 
 func (n NameBackReferences) String() string {
@@ -66,6 +68,17 @@ func (s nbrSlice) Less(i, j int) bool {
 	return s[i].Gvk.IsLessThan(s[j].Gvk)
 }
 
+// DeepCopy returns a new copy of nbrSlice
+func (s nbrSlice) DeepCopy() nbrSlice {
+	ret := make(nbrSlice, len(s))
+	copy(ret, s)
+	for i, slice := range ret {
+		ret[i].Referrers = slice.Referrers.DeepCopy()
+	}
+
+	return ret
+}
+
 func (s nbrSlice) mergeAll(o nbrSlice) (result nbrSlice, err error) {
 	result = s
 	for _, r := range o {

vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go

@@ -6,19 +6,22 @@ package builtinconfig
 import (
 	"log"
 	"sort"
+	"sync"
 
 	"sigs.k8s.io/kustomize/api/ifc"
-	"sigs.k8s.io/kustomize/api/konfig/builtinpluginconsts"
+	"sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts"
 	"sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/kustomize/kyaml/errors"
 )
 
 // TransformerConfig holds the data needed to perform transformations.
 type TransformerConfig struct {
+	// if any fields are added, update the DeepCopy implementation
 	NamePrefix        types.FsSlice `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"`
 	NameSuffix        types.FsSlice `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"`
 	NameSpace         types.FsSlice `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	CommonLabels      types.FsSlice `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"`
+	Labels            types.FsSlice `json:"labels,omitempty" yaml:"labels,omitempty"`
 	TemplateLabels    types.FsSlice `json:"templateLabels,omitempty" yaml:"templateLabels,omitempty"`
 	CommonAnnotations types.FsSlice `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"`
 	NameReference     nbrSlice      `json:"nameReference,omitempty" yaml:"nameReference,omitempty"`
@@ -32,14 +35,44 @@ func MakeEmptyConfig() *TransformerConfig {
 	return &TransformerConfig{}
 }
 
+// DeepCopy returns a new copy of TransformerConfig
+func (t *TransformerConfig) DeepCopy() *TransformerConfig {
+	return &TransformerConfig{
+		NamePrefix:        t.NamePrefix.DeepCopy(),
+		NameSuffix:        t.NameSuffix.DeepCopy(),
+		NameSpace:         t.NameSpace.DeepCopy(),
+		CommonLabels:      t.CommonLabels.DeepCopy(),
+		Labels:            t.Labels.DeepCopy(),
+		TemplateLabels:    t.TemplateLabels.DeepCopy(),
+		CommonAnnotations: t.CommonAnnotations.DeepCopy(),
+		NameReference:     t.NameReference.DeepCopy(),
+		VarReference:      t.VarReference.DeepCopy(),
+		Images:            t.Images.DeepCopy(),
+		Replicas:          t.Replicas.DeepCopy(),
+	}
+}
+
+// the default transformer config is initialized by MakeDefaultConfig,
+// and must only be accessed via that function.
+var (
+	initDefaultConfig sync.Once          //nolint:gochecknoglobals
+	defaultConfig     *TransformerConfig //nolint:gochecknoglobals
+)
+
 // MakeDefaultConfig returns a default TransformerConfig.
 func MakeDefaultConfig() *TransformerConfig {
-	c, err := makeTransformerConfigFromBytes(
-		builtinpluginconsts.GetDefaultFieldSpecs())
-	if err != nil {
-		log.Fatalf("Unable to make default transformconfig: %v", err)
-	}
-	return c
+	// parsing is expensive when having a large tree with many kustomization modules, so only do it once
+	initDefaultConfig.Do(func() {
+		var err error
+		defaultConfig, err = makeTransformerConfigFromBytes(
+			builtinpluginconsts.GetDefaultFieldSpecs())
+		if err != nil {
+			log.Fatalf("Unable to make default transformconfig: %v", err)
+		}
+	})
+
+	// return a copy to avoid any mutations to protect the reference copy
+	return defaultConfig.DeepCopy()
 }
 
 // MakeTransformerConfig returns a merger of custom config,
@@ -63,6 +96,7 @@ func (t *TransformerConfig) sortFields() {
 	sort.Sort(t.NameSuffix)
 	sort.Sort(t.NameSpace)
 	sort.Sort(t.CommonLabels)
+	sort.Sort(t.Labels)
 	sort.Sort(t.TemplateLabels)
 	sort.Sort(t.CommonAnnotations)
 	sort.Sort(t.NameReference)
@@ -83,12 +117,18 @@ func (t *TransformerConfig) AddSuffixFieldSpec(fs types.FieldSpec) (err error) {
 	return err
 }
 
-// AddLabelFieldSpec adds a FieldSpec to CommonLabels
-func (t *TransformerConfig) AddLabelFieldSpec(fs types.FieldSpec) (err error) {
+// AddCommonLabelsFieldSpec adds a FieldSpec to CommonLabels
+func (t *TransformerConfig) AddCommonLabelsFieldSpec(fs types.FieldSpec) (err error) {
 	t.CommonLabels, err = t.CommonLabels.MergeOne(fs)
 	return err
 }
 
+// AddLabelsFieldSpec adds a FieldSpec to Labels
+func (t *TransformerConfig) AddLabelsFieldSpec(fs types.FieldSpec) (err error) {
+	t.Labels, err = t.Labels.MergeOne(fs)
+	return err //nolint:wrapcheck
+}
+
 // AddAnnotationFieldSpec adds a FieldSpec to CommonAnnotations
 func (t *TransformerConfig) AddAnnotationFieldSpec(fs types.FieldSpec) (err error) {
 	t.CommonAnnotations, err = t.CommonAnnotations.MergeOne(fs)
@@ -131,6 +171,10 @@ func (t *TransformerConfig) Merge(input *TransformerConfig) (
 	if err != nil {
 		return nil, errors.WrapPrefixf(err, "failed to merge CommonLabels fieldSpec")
 	}
+	merged.Labels, err = t.Labels.MergeAll(input.Labels)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "failed to merge Labels fieldSpec")
+	}
 	merged.TemplateLabels, err = t.TemplateLabels.MergeAll(input.TemplateLabels)
 	if err != nil {
 		return nil, errors.WrapPrefixf(err, "failed to merge TemplateLabels fieldSpec")

vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go

@@ -6,6 +6,7 @@ package execplugin
 import (
 	"bytes"
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"runtime"
@@ -21,6 +22,7 @@ import (
 
 const (
 	tmpConfigFilePrefix = "kust-plugin-config-"
+	maxArgStringLength  = 131071
 )
 
 // ExecPlugin record the name and args of an executable
@@ -169,23 +171,35 @@ func (p *ExecPlugin) invokePlugin(input []byte) ([]byte, error) {
 		p.path, append([]string{f.Name()}, p.args...)...)
 	cmd.Env = p.getEnv()
 	cmd.Stdin = bytes.NewReader(input)
-	cmd.Stderr = os.Stderr
+	var stdErr bytes.Buffer
+	cmd.Stderr = &stdErr
 	if _, err := os.Stat(p.h.Loader().Root()); err == nil {
 		cmd.Dir = p.h.Loader().Root()
 	}
 	result, err := cmd.Output()
 	if err != nil {
 		return nil, errors.WrapPrefixf(
-			err, "failure in plugin configured via %s; %v",
-			f.Name(), err.Error())
+			fmt.Errorf("failure in plugin configured via %s; %w",
+				f.Name(), err), stdErr.String())
 	}
 	return result, os.Remove(f.Name())
 }
 
 func (p *ExecPlugin) getEnv() []string {
 	env := os.Environ()
-	env = append(env,
-		"KUSTOMIZE_PLUGIN_CONFIG_STRING="+string(p.cfg),
-		"KUSTOMIZE_PLUGIN_CONFIG_ROOT="+p.h.Loader().Root())
+	pluginConfigString := "KUSTOMIZE_PLUGIN_CONFIG_STRING=" + string(p.cfg)
+	if len(pluginConfigString) <= maxArgStringLength {
+		env = append(env, pluginConfigString)
+	} else {
+		log.Printf("KUSTOMIZE_PLUGIN_CONFIG_STRING exceeds hard limit of %d characters, the environment variable "+
+			"will be omitted", maxArgStringLength)
+	}
+	pluginConfigRoot := "KUSTOMIZE_PLUGIN_CONFIG_ROOT=" + p.h.Loader().Root()
+	if len(pluginConfigRoot) <= maxArgStringLength {
+		env = append(env, pluginConfigRoot)
+	} else {
+		log.Printf("KUSTOMIZE_PLUGIN_CONFIG_ROOT exceeds hard limit of %d characters, the environment variable "+
+			"will be omitted", maxArgStringLength)
+	}
 	return env
 }

vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go

@@ -0,0 +1,62 @@
+// Copyright 2024 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+//go:build !kustomize_disable_go_plugin_support
+
+package loader
+
+import (
+	"fmt"
+	"log"
+	"plugin"
+	"reflect"
+
+	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
+	"sigs.k8s.io/kustomize/api/konfig"
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/kyaml/errors"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+// registry is a means to avoid trying to load the same .so file
+// into memory more than once, which results in an error.
+// Each test makes its own loader, and tries to load its own plugins,
+// but the loaded .so files are in shared memory, so one will get
+// "this plugin already loaded" errors if the registry is maintained
+// as a Loader instance variable.  So make it a package variable.
+var registry = make(map[string]resmap.Configurable) //nolint:gochecknoglobals
+
+func copyPlugin(c resmap.Configurable) resmap.Configurable {
+	indirect := reflect.Indirect(reflect.ValueOf(c))
+	newIndirect := reflect.New(indirect.Type())
+	newIndirect.Elem().Set(reflect.ValueOf(indirect.Interface()))
+	newNamed := newIndirect.Interface()
+	return newNamed.(resmap.Configurable) //nolint:forcetypeassert
+}
+
+func (l *Loader) loadGoPlugin(id resid.ResId, absPath string) (resmap.Configurable, error) {
+	regId := relativePluginPath(id)
+	if c, ok := registry[regId]; ok {
+		return copyPlugin(c), nil
+	}
+	if !utils.FileExists(absPath) {
+		return nil, fmt.Errorf(
+			"expected file with Go object code at: %s", absPath)
+	}
+	log.Printf("Attempting plugin load from %q", absPath)
+	p, err := plugin.Open(absPath)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "plugin %s fails to load", absPath)
+	}
+	symbol, err := p.Lookup(konfig.PluginSymbol)
+	if err != nil {
+		return nil, errors.WrapPrefixf(
+			err, "plugin %s doesn't have symbol %s",
+			regId, konfig.PluginSymbol)
+	}
+	c, ok := symbol.(resmap.Configurable)
+	if !ok {
+		return nil, fmt.Errorf("plugin %q not configurable", regId)
+	}
+	registry[regId] = c
+	return copyPlugin(c), nil
+}

vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go

@@ -0,0 +1,25 @@
+// Copyright 2024 The Kubernetes Authors.
+// SPDX-License-Identifier: Apache-2.0
+
+// The build tag "kustomize_disable_go_plugin_support" is used to deactivate the
+// kustomize API's dependency on the "plugins" package. This is beneficial for
+// applications that need to embed it but do not have requirements for dynamic
+// Go plugins.
+// Including plugins as a dependency can lead to an increase in binary size due
+// to the population of ELF's sections such as .dynsym and .dynstr.
+// By utilizing this flag, applications have the flexibility to exclude the
+// import if they do not require support for dynamic Go plugins.
+//go:build kustomize_disable_go_plugin_support
+
+package loader
+
+import (
+	"fmt"
+
+	"sigs.k8s.io/kustomize/api/resmap"
+	"sigs.k8s.io/kustomize/kyaml/resid"
+)
+
+func (l *Loader) loadGoPlugin(_ resid.ResId, _ string) (resmap.Configurable, error) {
+	return nil, fmt.Errorf("plugin load is disabled")
+}

vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go

@@ -5,18 +5,14 @@ package loader
 
 import (
 	"fmt"
-	"log"
 	"os"
 	"path/filepath"
-	"plugin"
-	"reflect"
 	"strings"
 
 	"sigs.k8s.io/kustomize/api/ifc"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
 	"sigs.k8s.io/kustomize/api/internal/plugins/execplugin"
 	"sigs.k8s.io/kustomize/api/internal/plugins/fnplugin"
-	"sigs.k8s.io/kustomize/api/internal/plugins/utils"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
@@ -287,46 +283,3 @@ func (l *Loader) loadExecOrGoPlugin(resId resid.ResId) (resmap.Configurable, err
 	return c, nil
 }
 
-// registry is a means to avoid trying to load the same .so file
-// into memory more than once, which results in an error.
-// Each test makes its own loader, and tries to load its own plugins,
-// but the loaded .so files are in shared memory, so one will get
-// "this plugin already loaded" errors if the registry is maintained
-// as a Loader instance variable.  So make it a package variable.
-var registry = make(map[string]resmap.Configurable)
-
-func (l *Loader) loadGoPlugin(id resid.ResId, absPath string) (resmap.Configurable, error) {
-	regId := relativePluginPath(id)
-	if c, ok := registry[regId]; ok {
-		return copyPlugin(c), nil
-	}
-	if !utils.FileExists(absPath) {
-		return nil, fmt.Errorf(
-			"expected file with Go object code at: %s", absPath)
-	}
-	log.Printf("Attempting plugin load from '%s'", absPath)
-	p, err := plugin.Open(absPath)
-	if err != nil {
-		return nil, errors.WrapPrefixf(err, "plugin %s fails to load", absPath)
-	}
-	symbol, err := p.Lookup(konfig.PluginSymbol)
-	if err != nil {
-		return nil, errors.WrapPrefixf(
-			err, "plugin %s doesn't have symbol %s",
-			regId, konfig.PluginSymbol)
-	}
-	c, ok := symbol.(resmap.Configurable)
-	if !ok {
-		return nil, fmt.Errorf("plugin '%s' not configurable", regId)
-	}
-	registry[regId] = c
-	return copyPlugin(c), nil
-}
-
-func copyPlugin(c resmap.Configurable) resmap.Configurable {
-	indirect := reflect.Indirect(reflect.ValueOf(c))
-	newIndirect := reflect.New(indirect.Type())
-	newIndirect.Elem().Set(reflect.ValueOf(indirect.Interface()))
-	newNamed := newIndirect.Interface()
-	return newNamed.(resmap.Configurable)
-}

vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go

@@ -13,12 +13,12 @@ import (
 	"sigs.k8s.io/kustomize/api/internal/accumulator"
 	"sigs.k8s.io/kustomize/api/internal/builtins"
 	"sigs.k8s.io/kustomize/api/internal/kusterr"
+	load "sigs.k8s.io/kustomize/api/internal/loader"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig"
 	"sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers"
 	"sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/konfig"
-	load "sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
@@ -202,10 +202,6 @@ func (kt *KustTarget) accumulateTarget(ra *accumulator.ResAccumulator) (
 	if err != nil {
 		return nil, errors.WrapPrefixf(err, "accumulating resources")
 	}
-	ra, err = kt.accumulateComponents(ra, kt.kustomization.Components)
-	if err != nil {
-		return nil, errors.WrapPrefixf(err, "accumulating components")
-	}
 	tConfig, err := builtinconfig.MakeTransformerConfig(
 		kt.ldr, kt.kustomization.Configurations)
 	if err != nil {
@@ -230,6 +226,14 @@ func (kt *KustTarget) accumulateTarget(ra *accumulator.ResAccumulator) (
 	if err != nil {
 		return nil, err
 	}
+
+	// components are expected to execute after reading resources and adding generators ,before applying transformers and validation.
+	// https://github.com/kubernetes-sigs/kustomize/pull/5170#discussion_r1212101287
+	ra, err = kt.accumulateComponents(ra, kt.kustomization.Components)
+	if err != nil {
+		return nil, errors.WrapPrefixf(err, "accumulating components")
+	}
+
 	err = kt.runTransformers(ra)
 	if err != nil {
 		return nil, err
@@ -421,7 +425,14 @@ func (kt *KustTarget) accumulateResources(
 			}
 			ldr, err := kt.ldr.New(path)
 			if err != nil {
-				if kusterr.IsMalformedYAMLError(errF) { // Some error occurred while tyring to decode YAML file
+				// If accumulateFile found malformed YAML and there was a failure
+				// loading the resource as a base, then the resource is likely a
+				// file. The loader failure message is unnecessary, and could be
+				// confusing. Report only the file load error.
+				//
+				// However, a loader timeout implies there is a git repo at the
+				// path. In that case, both errors could be important.
+				if kusterr.IsMalformedYAMLError(errF) && !utils.IsErrTimeout(err) {
 					return nil, errF
 				}
 				return nil, errors.WrapPrefixf(

vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go

@@ -275,13 +275,25 @@ var transformerConfigurators = map[builtinhelpers.BuiltinPluginType]func(
 		if len(kt.kustomization.Labels) == 0 && len(kt.kustomization.CommonLabels) == 0 {
 			return
 		}
+
+		type labelStruct struct {
+			Labels     map[string]string
+			FieldSpecs []types.FieldSpec
+		}
+
 		for _, label := range kt.kustomization.Labels {
-			var c struct {
-				Labels     map[string]string
-				FieldSpecs []types.FieldSpec
-			}
+			var c labelStruct
+
 			c.Labels = label.Pairs
 			fss := types.FsSlice(label.FieldSpecs)
+
+			// merge labels specified in the label section of transformer configs
+			// these apply to selectors and templates
+			fss, err := fss.MergeAll(tc.Labels)
+			if err != nil {
+				return nil, fmt.Errorf("failed to merge labels: %w", err)
+			}
+
 			// merge the custom fieldSpecs with the default
 			if label.IncludeSelectors {
 				fss, err = fss.MergeAll(tc.CommonLabels)
@@ -297,7 +309,7 @@ var transformerConfigurators = map[builtinhelpers.BuiltinPluginType]func(
 				fss, err = fss.MergeOne(types.FieldSpec{Path: "metadata/labels", CreateIfNotPresent: true})
 			}
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("failed to merge labels: %w", err)
 			}
 			c.FieldSpecs = fss
 			p := f()
@@ -307,10 +319,9 @@ var transformerConfigurators = map[builtinhelpers.BuiltinPluginType]func(
 			}
 			result = append(result, p)
 		}
-		var c struct {
-			Labels     map[string]string
-			FieldSpecs []types.FieldSpec
-		}
+
+		var c labelStruct
+
 		c.Labels = kt.kustomization.CommonLabels
 		c.FieldSpecs = tc.CommonLabels
 		p := f()

vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go

@@ -15,11 +15,11 @@ type errTimeOut struct {
 	cmd      string
 }
 
-func NewErrTimeOut(d time.Duration, c string) errTimeOut {
-	return errTimeOut{duration: d, cmd: c}
+func NewErrTimeOut(d time.Duration, c string) *errTimeOut {
+	return &errTimeOut{duration: d, cmd: c}
 }
 
-func (e errTimeOut) Error() string {
+func (e *errTimeOut) Error() string {
 	return fmt.Sprintf("hit %s timeout running '%s'", e.duration, e.cmd)
 }
 

vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go

@@ -10,7 +10,7 @@ import (
 // TimedCall runs fn, failing if it doesn't complete in the given duration.
 // The description is used in the timeout error message.
 func TimedCall(description string, d time.Duration, fn func() error) error {
-	done := make(chan error)
+	done := make(chan error, 1)
 	timer := time.NewTimer(d)
 	defer timer.Stop()
 	go func() { done <- fn() }()

vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go

@@ -8,11 +8,11 @@ import (
 	"log"
 
 	"sigs.k8s.io/kustomize/api/internal/builtins"
+	fLdr "sigs.k8s.io/kustomize/api/internal/loader"
 	pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader"
 	"sigs.k8s.io/kustomize/api/internal/target"
 	"sigs.k8s.io/kustomize/api/internal/utils"
 	"sigs.k8s.io/kustomize/api/konfig"
-	fLdr "sigs.k8s.io/kustomize/api/loader"
 	"sigs.k8s.io/kustomize/api/provenance"
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"

vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go

@@ -8,6 +8,8 @@ import (
 	"runtime"
 	"runtime/debug"
 	"strings"
+
+	"github.com/blang/semver/v4"
 )
 
 // These variables are set at build time using ldflags.
@@ -62,9 +64,42 @@ func GetProvenance() Provenance {
 			p.GitCommit = setting.Value
 		}
 	}
+
+	for _, dep := range info.Deps {
+		if dep != nil && dep.Path == "sigs.k8s.io/kustomize/kustomize/v5" {
+			if dep.Version != "devel" {
+				continue
+			}
+			v, err := GetMostRecentTag(*dep)
+			if err != nil {
+				fmt.Printf("failed to get most recent tag for %s: %v\n", dep.Path, err)
+				continue
+			}
+			p.Version = v
+		}
+	}
+
 	return p
 }
 
+func GetMostRecentTag(m debug.Module) (string, error) {
+	for m.Replace != nil {
+		m = *m.Replace
+	}
+
+	split := strings.Split(m.Version, "-")
+	sv, err := semver.Parse(strings.TrimPrefix(split[0], "v"))
+
+	if err != nil {
+		return "", fmt.Errorf("failed to parse version %s: %w", m.Version, err)
+	}
+
+	if len(split) > 1 && sv.Patch > 0 {
+		sv.Patch -= 1
+	}
+	return fmt.Sprintf("v%s", sv.FinalizeVersion()), nil
+}
+
 // Short returns the shortened provenance stamp.
 func (v Provenance) Short() string {
 	return fmt.Sprintf(

vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go

@@ -696,8 +696,7 @@ func (m *resWrangler) DeAnchor() (err error) {
 }
 
 // ApplySmPatch applies the patch, and errors on Id collisions.
-func (m *resWrangler) ApplySmPatch(
-	selectedSet *resource.IdSet, patch *resource.Resource) error {
+func (m *resWrangler) ApplySmPatch(selectedSet *resource.IdSet, patch *resource.Resource) error {
 	var list []*resource.Resource
 	for _, res := range m.rList {
 		if selectedSet.Contains(res.CurId()) {

vendor/sigs.k8s.io/kustomize/api/resource/factory.go

@@ -41,30 +41,36 @@ func (rf *Factory) Hasher() ifc.KustHasher {
 }
 
 // FromMap returns a new instance of Resource.
-func (rf *Factory) FromMap(m map[string]interface{}) *Resource {
-	return rf.FromMapAndOption(m, nil)
+func (rf *Factory) FromMap(m map[string]interface{}) (*Resource, error) {
+	res, err := rf.FromMapAndOption(m, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource from map: %w", err)
+	}
+	return res, nil
 }
 
 // FromMapWithName returns a new instance with the given "original" name.
-func (rf *Factory) FromMapWithName(n string, m map[string]interface{}) *Resource {
+func (rf *Factory) FromMapWithName(n string, m map[string]interface{}) (*Resource, error) {
 	return rf.FromMapWithNamespaceAndName(resid.DefaultNamespace, n, m)
 }
 
 // FromMapWithNamespaceAndName returns a new instance with the given "original" namespace.
-func (rf *Factory) FromMapWithNamespaceAndName(ns string, n string, m map[string]interface{}) *Resource {
-	r := rf.FromMapAndOption(m, nil)
-	return r.setPreviousId(ns, n, r.GetKind())
+func (rf *Factory) FromMapWithNamespaceAndName(ns string, n string, m map[string]interface{}) (*Resource, error) {
+	r, err := rf.FromMapAndOption(m, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource from map: %w", err)
+	}
+	return r.setPreviousId(ns, n, r.GetKind()), nil
 }
 
 // FromMapAndOption returns a new instance of Resource with given options.
 func (rf *Factory) FromMapAndOption(
-	m map[string]interface{}, args *types.GeneratorArgs) *Resource {
+	m map[string]interface{}, args *types.GeneratorArgs) (*Resource, error) {
 	n, err := yaml.FromMap(m)
 	if err != nil {
-		// TODO: return err instead of log.
-		log.Fatal(err)
+		return nil, fmt.Errorf("failed to convert map to YAML node: %w", err)
 	}
-	return rf.makeOne(n, args)
+	return rf.makeOne(n, args), nil
 }
 
 // makeOne returns a new instance of Resource.

vendor/sigs.k8s.io/kustomize/api/resource/resource.go

@@ -287,12 +287,25 @@ func (r *Resource) getCsvAnnotation(name string) []string {
 	return strings.Split(annotations[name], ",")
 }
 
-// PrefixesSuffixesEquals is conceptually doing the same task
-// as OutermostPrefixSuffix but performs a deeper comparison
-// of the suffix and prefix slices.
-func (r *Resource) PrefixesSuffixesEquals(o ResCtx) bool {
-	return utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes()) &&
-		utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes())
+// PrefixesSuffixesEquals is conceptually doing the same task as
+// OutermostPrefixSuffix but performs a deeper comparison of the suffix and
+// prefix slices.
+// The allowEmpty flag determines whether an empty prefix/suffix
+// should be considered a match on anything.
+// This is used when filtering, starting with a coarser pass allowing empty
+// matches, before requiring exact matches if there are multiple
+// remaining candidates.
+func (r *Resource) PrefixesSuffixesEquals(o ResCtx, allowEmpty bool) bool {
+	if allowEmpty {
+		eitherPrefixEmpty := len(r.GetNamePrefixes()) == 0 || len(o.GetNamePrefixes()) == 0
+		eitherSuffixEmpty := len(r.GetNameSuffixes()) == 0 || len(o.GetNameSuffixes()) == 0
+
+		return (eitherPrefixEmpty || utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes())) &&
+			(eitherSuffixEmpty || utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes()))
+	} else {
+		return utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes()) &&
+			utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes())
+	}
 }
 
 // RemoveBuildAnnotations removes annotations created by the build process.

vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go

@@ -30,6 +30,8 @@ type FieldSpec struct {
 	resid.Gvk          `json:",inline,omitempty" yaml:",inline,omitempty"`
 	Path               string `json:"path,omitempty" yaml:"path,omitempty"`
 	CreateIfNotPresent bool   `json:"create,omitempty" yaml:"create,omitempty"`
+
+	// Note: If any new pointer based members are added, FsSlice.DeepCopy needs to be updated
 }
 
 func (fs FieldSpec) String() string {
@@ -50,6 +52,13 @@ func (s FsSlice) Less(i, j int) bool {
 	return s[i].Gvk.IsLessThan(s[j].Gvk)
 }
 
+// DeepCopy returns a new copy of FsSlice
+func (s FsSlice) DeepCopy() FsSlice {
+	ret := make(FsSlice, len(s))
+	copy(ret, s)
+	return ret
+}
+
 // MergeAll merges the argument into this, returning the result.
 // Items already present are ignored.
 // Items that conflict (primary key matches, but remain data differs)

vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go

@@ -5,7 +5,7 @@ package types
 
 // GeneratorArgs contains arguments common to ConfigMap and Secret generators.
 type GeneratorArgs struct {
-	// Namespace for the configmap, optional
+	// Namespace for the resource, optional
 	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 
 	// Name - actually the partial name - of the generated resource.

vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go

@@ -88,6 +88,9 @@ type HelmChart struct {
 	// ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions
 	ApiVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
 
+	// KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion"
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+
 	// NameTemplate is for specifying the name template used to name the release.
 	NameTemplate string `json:"nameTemplate,omitempty" yaml:"nameTemplate,omitempty"`
 
@@ -172,6 +175,10 @@ func (h HelmChart) AsHelmArgs(absChartHome string) []string {
 	for _, apiVer := range h.ApiVersions {
 		args = append(args, "--api-versions", apiVer)
 	}
+	if h.KubeVersion != "" {
+		args = append(args, "--kube-version", h.KubeVersion)
+	}
+
 	if h.IncludeCRDs {
 		args = append(args, "--include-crds")
 	}

vendor/sigs.k8s.io/kustomize/api/types/kustomization.go

@@ -188,6 +188,7 @@ const (
 	deprecatedPatchesJson6902Message           = "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix
 	deprecatedPatchesStrategicMergeMessage     = "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix
 	deprecatedVarsMessage                      = "# Warning: 'vars' is deprecated. Please use 'replacements' instead." + " " + deprecatedWarningToRunEditFixExperimential
+	deprecatedCommonLabelsWarningMessage       = "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead." + " " + deprecatedWarningToRunEditFix
 )
 
 // CheckDeprecatedFields check deprecated field is used or not.
@@ -196,6 +197,9 @@ func (k *Kustomization) CheckDeprecatedFields() *[]string {
 	if k.Bases != nil {
 		warningMessages = append(warningMessages, deprecatedBaseWarningMessage)
 	}
+	if k.CommonLabels != nil {
+		warningMessages = append(warningMessages, deprecatedCommonLabelsWarningMessage)
+	}
 	if k.ImageTags != nil {
 		warningMessages = append(warningMessages, deprecatedImageTagsWarningMessage)
 	}

vendor/sigs.k8s.io/kustomize/api/types/labels.go

@@ -6,12 +6,12 @@ package types
 type Label struct {
 	// Pairs contains the key-value pairs for labels to add
 	Pairs map[string]string `json:"pairs,omitempty" yaml:"pairs,omitempty"`
-	// IncludeSelectors inidicates should transformer include the
+	// IncludeSelectors indicates whether the transformer should include the
 	// fieldSpecs for selectors. Custom fieldSpecs specified by
 	// FieldSpecs will be merged with builtin fieldSpecs if this
 	// is true.
 	IncludeSelectors bool `json:"includeSelectors,omitempty" yaml:"includeSelectors,omitempty"`
-	// IncludeTemplates inidicates should transformer include the
+	// IncludeTemplates indicates whether the transformer should include the
 	// spec/template/metadata fieldSpec. Custom fieldSpecs specified by
 	// FieldSpecs will be merged with spec/template/metadata fieldSpec if this
 	// is true. If IncludeSelectors is true, IncludeTemplates is not needed.

vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go

@@ -4,8 +4,10 @@
 package types
 
 type HelmConfig struct {
-	Enabled bool
-	Command string
+	Enabled     bool
+	Command     string
+	ApiVersions []string
+	KubeVersion string
 }
 
 // PluginConfig holds plugin configuration.