wip

Fix selection of kustomization resource from multi doc yaml

.github/workflows/action.yaml

@@ -0,0 +1,29 @@
+name: test-gh-action
+
+on:
+  pull_request:
+    paths:
+      - 'action/**'
+  push:
+    paths:
+      - 'action/**'
+    branches:
+      - 'main'
+      - 'release/**'
+
+permissions: read-all
+
+jobs:
+  actions:
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.version }}
+    name: action on ${{ matrix.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup flux
+        uses: ./action

.github/workflows/backport.yaml

@@ -8,7 +8,8 @@ jobs:
   pull-request:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
+      pull-requests: write
     if: github.event.pull_request.state == 'closed' && github.event.pull_request.merged && (github.event_name != 'labeled' || startsWith('backport:', github.event.label.name))
     steps:
       - name: Checkout

.github/workflows/e2e-bootstrap.yaml

@@ -26,7 +26,7 @@ jobs:
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
           version: v0.20.0
           cluster_name: kind

.github/workflows/e2e.yaml

@@ -30,7 +30,7 @@ jobs:
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
           version: v0.20.0
           cluster_name: kind

.github/workflows/release.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a  # v2.8.0
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1  # v2.9.1
       - name: Setup Syft
         uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
       - name: Setup Cosign
@@ -94,10 +94,10 @@ jobs:
         run: |
           set -euo pipefail
           
-          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
           echo "hashes=$hashes" >> $GITHUB_OUTPUT
           
-          image_url=fluxcd/flux-cli:${{ steps.prep.outputs.version }}
+          image_url=fluxcd/flux-cli:$GITHUB_REF_NAME
           echo "image_url=$image_url" >> $GITHUB_OUTPUT
           
           image_digest=$(docker buildx imagetools inspect ${image_url}  --format '{{json .}}' | jq -r .manifest.digest)

action/README.md

@@ -1,216 +1,22 @@
 # Flux GitHub Action
 
-Usage:
+To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
 
 ```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Run Flux commands
-        run: flux -v
+steps:
+  - name: Setup Flux CLI
+    uses: fluxcd/flux2/action@main
+    with:
+      version: 'latest'
+  - name: Run Flux CLI
+    run: flux version --client
 ```
 
-The latest stable version of the `flux` binary is downloaded from
-GitHub [releases](https://github.com/fluxcd/flux2/releases)
-and placed at `/usr/local/bin/flux`.
+The Flux GitHub Action can be used to automate various tasks in CI, such as:
 
-Note that this action can only be used on GitHub **Linux** runners.
-You can change the arch (defaults to `amd64`) with:
+- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
+- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
+- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
 
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          arch: arm64 # can be amd64, arm64 or arm
-```
+For more information, please see the [Flux GitHub Action documentation](/flux/flux-gh-action.md).
 
-You can download a specific version with:
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          version: 0.32.0
-```
-
-You can also authenticate against the GitHub API using GitHub Actions' `GITHUB_TOKEN` secret.
-
-For more information, please [read about the GitHub token secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-This is useful if you are seeing failures on shared runners, those failures are usually API limits being hit.
-
-### Automate Flux updates
-
-Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
-
-```yaml
-name: update-flux
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  components:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Check for updates
-        id: update
-        run: |
-          flux install \
-            --export > ./clusters/production/flux-system/gotk-components.yaml
-
-          VERSION="$(flux -v)"
-          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            branch: update-flux
-            commit-message: Update to ${{ steps.update.outputs.flux_version }}
-            title: Update to ${{ steps.update.outputs.flux_version }}
-            body: |
-              ${{ steps.update.outputs.flux_version }}
-```
-
-### Push Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
-
-```yaml
-name: push-artifact-staging
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/staging > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
-      - name: Deploy manifests to staging
-        run: |
-          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
-```
-
-### Push and sign Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
-which are signed with Cosign and GitHub OIDC:
-
-```yaml
-name: push-sign-artifact
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-  id-token: write # needed for keyless signing
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Cosign
-        uses: sigstore/cosign-installer@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push and sign manifests
-        run: |
-          digest_url=$(flux push artifact \
-          $OCI_REPO:$(git rev-parse --short HEAD) \
-          --path="./manifests" \
-          --source="$(git config --get remote.origin.url)" \
-          --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
-          jq -r '. | .repository + "@" + .digest')
-
-          cosign sign $digest_url
-```
-
-### End-to-end testing
-
-Example workflow for running Flux in Kubernetes Kind:
-
-```yaml
-name: e2e
-
-on:
-  push:
-    branches:
-      - '*'
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Kubernetes Kind
-        uses: engineerd/setup-kind@v0.5.0
-      - name: Install Flux in Kubernetes Kind
-        run: flux install
-```
-
-A complete e2e testing workflow is available here
-[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

action/action.yml

@@ -1,64 +1,120 @@
 name: Setup Flux CLI
-description: A GitHub Action for running Flux commands
-author: Stefan Prodan
+description: A GitHub Action for installing the Flux CLI
+author: Flux project
 branding:
   color: blue
   icon: command
 inputs:
   version:
-    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
     required: false
   arch:
     description: "arch can be amd64, arm64 or arm"
-    required: true
-    default: "amd64"
+    required: false
+    deprecationMessage: "No longer required, action will now detect runner arch."
   bindir:
-    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
     required: false
   token:
-    description: "GitHub Token used to authentication against the API (generally only needed to prevent quota limit errors)"
+    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
     required: false
 runs:
   using: composite
   steps:
-    - name: "Download flux binary to tmp"
+    - name: "Download the binary to the runner's cache dir"
       shell: bash
       run: |
-        ARCH=${{ inputs.arch }}
         VERSION=${{ inputs.version }}
-        TOKEN=${{ inputs.token }}
 
-        if [ -z "${VERSION}" ]; then
-          if [ -n "${TOKEN}" ]; then
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location --header "Authorization: token ${TOKEN}" | grep tag_name)
-          else
-            # With no GITHUB_TOKEN you will experience occasional failures due to rate limiting
-            # Ref: https://github.com/fluxcd/flux2/issues/3509#issuecomment-1400820992
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location | grep tag_name)
+        TOKEN=${{ inputs.token }}
+        if [[ -z "$TOKEN" ]]; then
+          TOKEN=${{ github.token }}
+        fi
+
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Flux CLI version"
+          exit 1
+        fi
+        if [[ $VERSION = v* ]]; then
+          VERSION="${VERSION:1}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        elif [[ "$ARCH" == "x86" ]]; then
+          ARCH="386"
+        fi
+
+        FLUX_EXEC_FILE="flux"
+        if [[ "$OS" == "windows" ]]; then
+            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
+        fi
+
+        FLUX_TOOL_DIR=${{ inputs.bindir }}
+        if [[ -z "$FLUX_TOOL_DIR" ]]; then
+          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
+        fi
+        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
+          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
           fi
 
-          VERSION=$(echo "${VERSION_SLUG}" | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
+
+          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=""
+          if command -v openssl > /dev/null; then
+            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
+          elif command -v sha256sum > /dev/null; then
+            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
+          fi
+
+          if [[ -z "$sum" ]]; then
+            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
+            exit 1
+          fi
+
+          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing flux to ${FLUX_TOOL_DIR}"
+          mkdir -p "$FLUX_TOOL_DIR"
+        
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
+          fi
+
+          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
         fi
 
-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        curl --silent --fail --location "${BIN_URL}" --output /tmp/flux.tar.gz
-        mkdir -p /tmp/flux
-        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
-    - name: "Copy Flux binary to execute location"
-      shell: bash
-      run: |
-        BINDIR=${{ inputs.bindir }}
-        if [ -z "${BINDIR}" ]; then
-          sudo cp /tmp/flux/flux /usr/local/bin
-        else
-          cp /tmp/flux/flux "${BINDIR}"
-          echo "${BINDIR}" >> $GITHUB_PATH
-        fi
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/flux/ /tmp/flux.tar.gz
-    - name: "Verify correct installation of binary"
+        echo "Adding flux to path"
+        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: "Print installed flux version"
       shell: bash
       run: |
         flux -v

cmd/flux/build_kustomization_test.go

@@ -159,6 +159,7 @@ spec:
 	tmpl := map[string]string{
 		"fluxns": allocateNamespace("flux-system"),
 	}
+	setup(t, tmpl)
 
 	testEnv.CreateObjectFile("./testdata/build-kustomization/podinfo-source.yaml", tmpl, t)
 

cmd/flux/check.go

@@ -57,7 +57,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.24.0-0",
+	">=1.25.0-0",
 }
 
 var checkArgs checkFlags

cmd/flux/create_image_repository.go

@@ -101,7 +101,7 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: *kubeconfigArgs.Namespace,
+			Namespace: GetDesiredNamespace(kubeconfigArgs),
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{

cmd/flux/diff_kustomization_test.go

@@ -91,6 +91,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "./testdata/diff-kustomization/stringdata-sops-secret.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden"),
 		},
+		{
+			name:       "diff where kustomization file has multiple objects with the same name",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false --kustomization-file ./testdata/diff-kustomization/flux-kustomization-multiobj.yaml",
+			objectFile: "",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+		},
 	}
 
 	tmpl := map[string]string{

cmd/flux/get.go

@@ -146,9 +146,11 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	ns := GetDesiredNamespace(kubeconfigArgs)
+
 	var listOpts []client.ListOption
 	if !getArgs.allNamespaces {
-		listOpts = append(listOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+		listOpts = append(listOpts, client.InNamespace(ns))
 	}
 
 	if len(args) > 0 {
@@ -190,12 +192,12 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 			logger.Failuref("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
-				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+				namespaceNameOrAny(getArgs.allNamespaces, ns),
 			)
 		} else if !getAll {
 			logger.Failuref("no %s objects found in %s namespace",
 				get.kind,
-				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+				namespaceNameOrAny(getArgs.allNamespaces, ns),
 			)
 		}
 		return nil

cmd/flux/install.go

@@ -146,7 +146,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	opts := install.Options{
 		BaseURL:                installArgs.manifestsPath,
 		Version:                installArgs.version,
-		Namespace:              *kubeconfigArgs.Namespace,
+		Namespace:              GetDesiredNamespace(kubeconfigArgs),
 		Components:             components,
 		Registry:               installArgs.registry,
 		ImagePullSecret:        installArgs.imagePullSecret,
@@ -181,7 +181,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Successf("manifests build completed")
-	logger.Actionf("installing components in %s namespace", *kubeconfigArgs.Namespace)
+	logger.Actionf("installing components in %s namespace", opts.Namespace)
 
 	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, tmpDir, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {

cmd/flux/main.go

@@ -105,6 +105,10 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
 			return fmt.Errorf("error getting namespace: %w", err)
 		}
 
+		if ns == "" {
+			return nil
+		}
+
 		if e := validation.IsDNS1123Label(ns); len(e) > 0 {
 			return fmt.Errorf("namespace must be a valid DNS label: %q", ns)
 		}
@@ -140,7 +144,6 @@ func init() {
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
 	rootCmd.PersistentFlags().BoolVar(&rootArgs.verbose, "verbose", false, "print generated objects")
 
-	configureDefaultNamespace()
 	kubeconfigArgs.APIServer = nil // prevent AddFlags from configuring --server flag
 	kubeconfigArgs.Timeout = nil   // prevent AddFlags from configuring --request-timeout flag, we have --timeout instead
 	kubeconfigArgs.AddFlags(rootCmd.PersistentFlags())
@@ -198,8 +201,10 @@ func main() {
 	}
 }
 
-func configureDefaultNamespace() {
-	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+func GetDesiredNamespace(cfg *genericclioptions.ConfigFlags) string {
+	if *cfg.Namespace != "" {
+		return *cfg.Namespace
+	}
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
 		// namespace must be a valid DNS label. Assess against validation
@@ -207,11 +212,28 @@ func configureDefaultNamespace() {
 		// may not be actively provided by end-user.
 		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
 			logger.Warningf(" ignoring invalid FLUX_SYSTEM_NAMESPACE: %q", fromEnv)
-			return
+		} else {
+			return fromEnv
 		}
-
-		kubeconfigArgs.Namespace = &fromEnv
 	}
+
+	if _, has := os.LookupEnv("FLUX_NS_FOLLOW_KUBECONTEXT"); has {
+		rawCfg, err := cfg.ToRawKubeConfigLoader().RawConfig()
+		if err != nil {
+			logger.Warningf(" failed parsing kubeconfig, ignoring: %q", fromEnv)
+		} else {
+			ctx := *cfg.Context
+			if ctx == "" {
+				ctx = rawCfg.CurrentContext
+			}
+			ns := rawCfg.Contexts[ctx].Namespace
+			if ns != "" {
+				return ns
+			}
+		}
+	}
+
+	return rootArgs.defaults.Namespace
 }
 
 // readPasswordFromStdin reads a password from stdin and returns the input

cmd/flux/status.go

@@ -85,7 +85,7 @@ func buildComponentObjectRefs(components ...string) ([]object.ObjMetadata, error
 	var objRefs []object.ObjMetadata
 	for _, deployment := range components {
 		objRefs = append(objRefs, object.ObjMetadata{
-			Namespace: *kubeconfigArgs.Namespace,
+			Namespace: GetDesiredNamespace(kubeconfigArgs),
 			Name:      deployment,
 			GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
 		})

cmd/flux/testdata/check/check_pre.golden

@@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.24.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.25.0-0
 ✔ prerequisites checks passed

cmd/flux/testdata/diff-kustomization/flux-kustomization-multiobj.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: podinfo
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default

go.mod

@@ -7,28 +7,28 @@ replace github.com/go-git/go-git/v5 => github.com/go-git/go-git/v5 v5.7.1-0.2023
 
 require (
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec
+	github.com/ProtonMail/go-crypto v0.0.0-20230710112148-e01326fd72eb
 	github.com/cyphar/filepath-securejoin v0.2.3
-	github.com/distribution/distribution/v3 v3.0.0-20230629214736-bac7f02e02a1
+	github.com/distribution/distribution/v3 v3.0.0-20230711080520-40ef2353fa4f
 	github.com/fluxcd/go-git-providers v0.18.0
 	github.com/fluxcd/helm-controller/api v0.35.0
 	github.com/fluxcd/image-automation-controller/api v0.35.0
-	github.com/fluxcd/image-reflector-controller/api v0.29.0
-	github.com/fluxcd/kustomize-controller/api v1.0.0
+	github.com/fluxcd/image-reflector-controller/api v0.29.1
+	github.com/fluxcd/kustomize-controller/api v1.0.1
 	github.com/fluxcd/notification-controller/api v1.0.0
 	github.com/fluxcd/pkg/apis/event v0.5.1
 	github.com/fluxcd/pkg/apis/meta v1.1.1
 	github.com/fluxcd/pkg/git v0.12.3
 	github.com/fluxcd/pkg/git/gogit v0.12.1
 	github.com/fluxcd/pkg/kustomize v1.3.4
-	github.com/fluxcd/pkg/oci v0.28.0
+	github.com/fluxcd/pkg/oci v0.29.0
 	github.com/fluxcd/pkg/runtime v0.40.0
 	github.com/fluxcd/pkg/sourceignore v0.3.4
 	github.com/fluxcd/pkg/ssa v0.28.2
 	github.com/fluxcd/pkg/ssh v0.8.0
 	github.com/fluxcd/pkg/tar v0.2.0
 	github.com/fluxcd/pkg/version v0.2.2
-	github.com/fluxcd/source-controller/api v1.0.0
+	github.com/fluxcd/source-controller/api v1.0.1
 	github.com/go-git/go-git/v5 v5.7.0
 	github.com/go-logr/logr v1.2.4
 	github.com/gonvenience/bunt v1.3.5
@@ -45,8 +45,8 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/theckman/yacspin v0.13.12
-	golang.org/x/crypto v0.10.0
-	golang.org/x/term v0.9.0
+	golang.org/x/crypto v0.11.0
+	golang.org/x/term v0.10.0
 	k8s.io/api v0.27.3
 	k8s.io/apiextensions-apiserver v0.27.3
 	k8s.io/apimachinery v0.27.3
@@ -202,8 +202,8 @@ require (
 	golang.org/x/net v0.11.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect

go.sum

@@ -23,8 +23,8 @@ github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v0.0.0-20230710112148-e01326fd72eb h1:RU+Ff2vE68zFQSoBqlb/LChFztEWWJ9EZ8LU4gA3ubU=
+github.com/ProtonMail/go-crypto v0.0.0-20230710112148-e01326fd72eb/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
@@ -105,8 +105,8 @@ github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/distribution/v3 v3.0.0-20230629214736-bac7f02e02a1 h1:yRwt9RluqBtKyDLRY7J0Cf/TVqvG56vKx2Eyndy8qNQ=
-github.com/distribution/distribution/v3 v3.0.0-20230629214736-bac7f02e02a1/go.mod h1:+fqBJ4vPYo4Uu1ZE4d+bUtTLRXfdSL3NvCZIZ9GHv58=
+github.com/distribution/distribution/v3 v3.0.0-20230711080520-40ef2353fa4f h1:Df8k7piYnfycy7zSBLkN2oQaoIz1vw+msSgajUA+yKE=
+github.com/distribution/distribution/v3 v3.0.0-20230711080520-40ef2353fa4f/go.mod h1:+fqBJ4vPYo4Uu1ZE4d+bUtTLRXfdSL3NvCZIZ9GHv58=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
 github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
@@ -155,10 +155,10 @@ github.com/fluxcd/helm-controller/api v0.35.0 h1:UyhKXPni5z69DzPW7GtECGGdUwKsB+O
 github.com/fluxcd/helm-controller/api v0.35.0/go.mod h1:CdHMtr5wM0xgDt/PS147H7QQS+zDxAFgDW3ZN8MnUlU=
 github.com/fluxcd/image-automation-controller/api v0.35.0 h1:B7yJdAbnx0hwI6ffVu0YAyc3d3sqjXrv6ySK++g3t28=
 github.com/fluxcd/image-automation-controller/api v0.35.0/go.mod h1:67HbnrXDy550zJKZZbzAZ0yfzL0Ge1O18yn/shcgy0Y=
-github.com/fluxcd/image-reflector-controller/api v0.29.0 h1:Epzq0b2sYxgSwKPBN0BWEInQwMLsvU7sjqKJuzGtyIg=
-github.com/fluxcd/image-reflector-controller/api v0.29.0/go.mod h1:aYwq15SpkAD/urQme2iEsNouTscfR1Qo39KBlJ+0EW8=
-github.com/fluxcd/kustomize-controller/api v1.0.0 h1:BVz6lEpfGbny0ppQ82LloLSK0OoEGC51YQaw31j4vT8=
-github.com/fluxcd/kustomize-controller/api v1.0.0/go.mod h1:rYUovoofr3bVPgQowWj/CSGw73qoH0tOCopJ3oNh7lM=
+github.com/fluxcd/image-reflector-controller/api v0.29.1 h1:mnFaO60b8WyCxpc72utmAJ7J1ZtZjGGThH9NdxVeEyo=
+github.com/fluxcd/image-reflector-controller/api v0.29.1/go.mod h1:aYwq15SpkAD/urQme2iEsNouTscfR1Qo39KBlJ+0EW8=
+github.com/fluxcd/kustomize-controller/api v1.0.1 h1:zz9zx4Mc7rw9gqdgdhMWX1uDM2uR1x7WBUujKs4mdx8=
+github.com/fluxcd/kustomize-controller/api v1.0.1/go.mod h1:rYUovoofr3bVPgQowWj/CSGw73qoH0tOCopJ3oNh7lM=
 github.com/fluxcd/notification-controller/api v1.0.0 h1:WiXS116pwhFp7Qe/Fc1GmKCfLBRnZu+rYCeIn07cO+4=
 github.com/fluxcd/notification-controller/api v1.0.0/go.mod h1:uamWZwmhSHE7xdJkgRhH4Eo5/SKKILFI4o+CoQjlczc=
 github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
@@ -176,8 +176,8 @@ github.com/fluxcd/pkg/git/gogit v0.12.1/go.mod h1:Z4Ysp8VifKTvWpjJMKncJsgb2iBqHu
 github.com/fluxcd/pkg/gittestserver v0.8.4 h1:rA/QUZnfH77ZZG+5xfMqjgEHJdzeeE6Nn1o8cops/bU=
 github.com/fluxcd/pkg/kustomize v1.3.4 h1:+XA4umfhkFqrNYQp3ZmKSJy4i3LWjbgoi6H4PllkkkA=
 github.com/fluxcd/pkg/kustomize v1.3.4/go.mod h1:nsbsNGe6nQY6DGYYPowFGQlhxFRcaRFvbwqhCbwAQuE=
-github.com/fluxcd/pkg/oci v0.28.0 h1:E8VvMFzU/+9vgM4IFbiwmCwaMPCq1WXPiKUmHtDVSbc=
-github.com/fluxcd/pkg/oci v0.28.0/go.mod h1:eFP5sQH4yWghFbcLWxdo0eI6wZ4h3HiTW0UoG33S2pg=
+github.com/fluxcd/pkg/oci v0.29.0 h1:LACJNooDB4ZWVqRkB+V5MSPE04327DBbI/8BdWFzP8Y=
+github.com/fluxcd/pkg/oci v0.29.0/go.mod h1:x91ESIQjUimZSElpJTVRx3yPFBmimvulni9iBsCwXlw=
 github.com/fluxcd/pkg/runtime v0.40.0 h1:uGiiEbMZwd7xmbKaVmcH7iilCFW9betWbz0r1taK3G0=
 github.com/fluxcd/pkg/runtime v0.40.0/go.mod h1:BqHEOVrZmt19p0q1OlGFWAYh3rZ28+IBpxLB2yPjjQ4=
 github.com/fluxcd/pkg/sourceignore v0.3.4 h1:0cfS2Pj7xp2qpaerMjYqOBr82LC+/mGHl6v6pRbi5hs=
@@ -190,8 +190,8 @@ github.com/fluxcd/pkg/tar v0.2.0 h1:HEUHgONQYsJGeZZ4x6h5nQU9Aox1I4T3bOp1faWTqf8=
 github.com/fluxcd/pkg/tar v0.2.0/go.mod h1:w0/TOC7kwBJhnSJn7TCABkc/I7ib1f2Yz6vOsbLBnhw=
 github.com/fluxcd/pkg/version v0.2.2 h1:ZpVXECeLA5hIQMft11iLp6gN3cKcz6UNuVTQPw/bRdI=
 github.com/fluxcd/pkg/version v0.2.2/go.mod h1:NGnh/no8S6PyfCDxRFrPY3T5BUnqP48MxfxNRU0z8C0=
-github.com/fluxcd/source-controller/api v1.0.0 h1:lPjmCXmEiI3tY4pReeVQBMuyLgdH8462W5ewUa9kgYM=
-github.com/fluxcd/source-controller/api v1.0.0/go.mod h1:rAY5FRFGZUKpIFNyYANHIgPgJPvbALBHWsq/zHw/cXQ=
+github.com/fluxcd/source-controller/api v1.0.1 h1:nycylbNBnQd+EO4UHpqXqAQJ1cGAPxgBbrfERCQ1pp8=
+github.com/fluxcd/source-controller/api v1.0.1/go.mod h1:rAY5FRFGZUKpIFNyYANHIgPgJPvbALBHWsq/zHw/cXQ=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -525,8 +525,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -605,16 +605,16 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -624,8 +624,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

internal/build/build.go

@@ -204,19 +204,36 @@ func NewBuilder(name, resources string, opts ...BuilderOptionFunc) (*Builder, er
 	return b, nil
 }
 
+func (b *Builder) resolveKustomization(liveKus *kustomizev1.Kustomization) (k *kustomizev1.Kustomization, err error) {
+	// local kustomization file takes precedence over live kustomization
+	if b.kustomizationFile != "" {
+		k, err = b.unMarshallKustomization()
+		if err != nil {
+			return
+		}
+		if !b.dryRun && liveKus != nil && liveKus.Status.Inventory != nil {
+			// merge the live kustomization status with the local kustomization in order to get the
+			// live resources status
+			k.Status = *liveKus.Status.DeepCopy()
+		}
+	} else {
+		k = liveKus
+	}
+	return
+}
+
 func (b *Builder) getKustomization(ctx context.Context) (*kustomizev1.Kustomization, error) {
+	liveKus := &kustomizev1.Kustomization{}
 	namespacedName := types.NamespacedName{
 		Namespace: b.namespace,
 		Name:      b.name,
 	}
-
-	k := &kustomizev1.Kustomization{}
-	err := b.client.Get(ctx, namespacedName, k)
+	err := b.client.Get(ctx, namespacedName, liveKus)
 	if err != nil {
 		return nil, err
 	}
 
-	return k, nil
+	return liveKus, nil
 }
 
 // Build builds the yaml manifests from the kustomization object
@@ -251,19 +268,18 @@ func (b *Builder) build() (m resmap.ResMap, err error) {
 	defer cancel()
 
 	// Get the kustomization object
-	var k *kustomizev1.Kustomization
-	if b.kustomizationFile != "" {
-		k, err = b.unMarshallKustomization()
+	liveKus := &kustomizev1.Kustomization{}
+	if !b.dryRun {
+		liveKus, err = b.getKustomization(ctx)
 		if err != nil {
-			return
-		}
-	} else {
-		k, err = b.getKustomization(ctx)
-		if err != nil {
-			err = fmt.Errorf("failed to get kustomization object: %w", err)
-			return
+			return nil, fmt.Errorf("failed to get kustomization object: %w", err)
 		}
 	}
+	k, err := b.resolveKustomization(liveKus)
+	if err != nil {
+		err = fmt.Errorf("failed to get kustomization object: %w", err)
+		return
+	}
 
 	// store the kustomization object
 	b.kustomization = k
@@ -317,7 +333,7 @@ func (b *Builder) unMarshallKustomization() (*kustomizev1.Kustomization, error)
 	k := &kustomizev1.Kustomization{}
 	decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(data), len(data))
 	// check for kustomization in yaml with the same name and namespace
-	for !(k.Name == b.name && (k.Namespace == b.namespace || k.Namespace == "")) {
+	for {
 		err = decoder.Decode(k)
 		if err != nil {
 			if err == io.EOF {
@@ -327,6 +343,13 @@ func (b *Builder) unMarshallKustomization() (*kustomizev1.Kustomization, error)
 				return nil, fmt.Errorf("failed to unmarshall kustomization file %s: %w", b.kustomizationFile, err)
 			}
 		}
+
+		if strings.HasPrefix(k.APIVersion, kustomizev1.GroupVersion.Group+"/") &&
+			k.Kind == kustomizev1.KustomizationKind &&
+			k.Name == b.name &&
+			(k.Namespace == b.namespace || k.Namespace == "") {
+			break
+		}
 	}
 	return k, nil
 }

internal/build/build_test.go

@@ -17,10 +17,15 @@ limitations under the License.
 package build
 
 import (
+	"fmt"
 	"strings"
 	"testing"
+	"time"
 
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	"github.com/google/go-cmp/cmp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -184,6 +189,12 @@ func Test_unMarshallKustomization(t *testing.T) {
 			wantErr:     true,
 			errString:   "failed find kustomization with name",
 		},
+		{
+			name:        "yaml containing other resource with same name as kustomization",
+			localKsFile: "testdata/local-kustomization/invalid-resource.yaml",
+			wantErr:     true,
+			errString:   "failed find kustomization with name",
+		},
 	}
 
 	b := &Builder{
@@ -215,3 +226,138 @@ func Test_unMarshallKustomization(t *testing.T) {
 		})
 	}
 }
+
+func Test_ResolveKustomization(t *testing.T) {
+	tests := []struct {
+		name              string
+		localKsFile       string
+		liveKustomization *kustomizev1.Kustomization
+		dryrun            bool
+	}{
+		{
+			name:        "valid kustomization",
+			localKsFile: "testdata/local-kustomization/valid.yaml",
+		},
+		{
+			name:        "local and live kustomization",
+			localKsFile: "testdata/local-kustomization/valid.yaml",
+			liveKustomization: &kustomizev1.Kustomization{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "podinfo",
+					Namespace: "flux-system",
+				},
+				Spec: kustomizev1.KustomizationSpec{
+					Interval: metav1.Duration{Duration: time.Minute * 5},
+					Path:     "./testdata/local-kustomization/valid.yaml",
+				},
+				Status: kustomizev1.KustomizationStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   meta.ReadyCondition,
+							Status: metav1.ConditionTrue,
+						},
+					},
+					Inventory: &kustomizev1.ResourceInventory{
+						Entries: []kustomizev1.ResourceRef{
+							{
+								ID:      "flux-system_podinfo_v1_service_podinfo",
+								Version: "v1",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "local and live kustomization with dryrun",
+			localKsFile: "testdata/local-kustomization/valid.yaml",
+			liveKustomization: &kustomizev1.Kustomization{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "podinfo",
+					Namespace: "flux-system",
+				},
+				Spec: kustomizev1.KustomizationSpec{
+					Interval: metav1.Duration{Duration: time.Minute * 5},
+					Path:     "./testdata/local-kustomization/valid.yaml",
+				},
+				Status: kustomizev1.KustomizationStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   meta.ReadyCondition,
+							Status: metav1.ConditionTrue,
+						},
+					},
+					Inventory: &kustomizev1.ResourceInventory{
+						Entries: []kustomizev1.ResourceRef{
+							{
+								ID:      "flux-system_podinfo_v1_service_podinfo",
+								Version: "v1",
+							},
+						},
+					},
+				},
+			},
+			dryrun: true,
+		},
+		{
+			name: "live kustomization",
+			liveKustomization: &kustomizev1.Kustomization{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "podinfo",
+					Namespace: "flux-system",
+				},
+				Spec: kustomizev1.KustomizationSpec{
+					Interval: metav1.Duration{Duration: time.Minute * 5},
+					Path:     "./testdata/local-kustomization/valid.yaml",
+				},
+				Status: kustomizev1.KustomizationStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   meta.ReadyCondition,
+							Status: metav1.ConditionTrue,
+						},
+					},
+					Inventory: &kustomizev1.ResourceInventory{
+						Entries: []kustomizev1.ResourceRef{
+							{
+								ID:      "flux-system_podinfo_v1_service_podinfo",
+								Version: "v1",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	b := &Builder{
+		name:      "podinfo",
+		namespace: "flux-system",
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b.kustomizationFile = tt.localKsFile
+			b.dryRun = tt.dryrun
+			ks, err := b.resolveKustomization(tt.liveKustomization)
+			if err != nil {
+				t.Errorf("unexpected err '%s'", err)
+			}
+			if !tt.dryrun {
+				if b.kustomizationFile == "" {
+					if cmp.Diff(ks, tt.liveKustomization) != "" {
+						t.Errorf("expected kustomization to match live kustomization")
+					}
+				} else {
+					if tt.liveKustomization != nil && cmp.Diff(ks.Status, tt.liveKustomization.Status) != "" {
+						t.Errorf("expected kustomization status to match live kustomization status")
+					}
+				}
+			} else {
+				if ks.Status.Inventory != nil {
+					fmt.Println(ks.Status.Inventory)
+					t.Errorf("expected kustomization status to be nil")
+				}
+			}
+		})
+	}
+}

internal/build/diff.go

@@ -136,11 +136,14 @@ func (b *Builder) Diff() (string, bool, error) {
 	if b.kustomization.Spec.Prune && len(diffErrs) == 0 {
 		oldStatus := b.kustomization.Status.DeepCopy()
 		if oldStatus.Inventory != nil {
-			diffObjects, err := diffInventory(oldStatus.Inventory, newInventory)
+			staleObjects, err := diffInventory(oldStatus.Inventory, newInventory)
 			if err != nil {
 				return "", createdOrDrifted, err
 			}
-			for _, object := range diffObjects {
+			if len(staleObjects) > 0 {
+				createdOrDrifted = true
+			}
+			for _, object := range staleObjects {
 				output.WriteString(writeString(fmt.Sprintf("► %s deleted\n", ssa.FmtUnstructured(object)), bunt.OrangeRed))
 			}
 		}

internal/build/testdata/local-kustomization/invalid-resource.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: podinfo

manifests/bases/image-reflector-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.0/image-reflector-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.0/image-reflector-controller.deployment.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.1/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.1/image-reflector-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.0/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.0/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.1/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.1/kustomize-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/bases/source-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.0.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v1.0.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.0.1/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.0.1/source-controller.deployment.yaml
 - account.yaml
 transformers:
 - labels.yaml

manifests/crds/kustomization.yaml

@@ -1,9 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v1.0.0/source-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.0/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v1.0.1/source-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v1.0.1/kustomize-controller.crds.yaml
 - https://github.com/fluxcd/helm-controller/releases/download/v0.35.0/helm-controller.crds.yaml
 - https://github.com/fluxcd/notification-controller/releases/download/v1.0.0/notification-controller.crds.yaml
-- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.0/image-reflector-controller.crds.yaml
+- https://github.com/fluxcd/image-reflector-controller/releases/download/v0.29.1/image-reflector-controller.crds.yaml
 - https://github.com/fluxcd/image-automation-controller/releases/download/v0.35.0/image-automation-controller.crds.yaml

tests/azure/go.mod

@@ -9,14 +9,14 @@ require (
 	github.com/Azure/azure-event-hubs-go/v3 v3.6.0
 	github.com/fluxcd/helm-controller/api v0.35.0
 	github.com/fluxcd/image-automation-controller/api v0.35.0
-	github.com/fluxcd/image-reflector-controller/api v0.29.0
-	github.com/fluxcd/kustomize-controller/api v1.0.0
+	github.com/fluxcd/image-reflector-controller/api v0.29.1
+	github.com/fluxcd/kustomize-controller/api v1.0.1
 	github.com/fluxcd/notification-controller/api v1.0.0
 	github.com/fluxcd/pkg/apis/event v0.5.1
 	github.com/fluxcd/pkg/apis/meta v1.1.1
 	github.com/fluxcd/pkg/git v0.12.3
 	github.com/fluxcd/pkg/git/gogit v0.12.1
-	github.com/fluxcd/source-controller/api v1.0.0
+	github.com/fluxcd/source-controller/api v1.0.1
 	github.com/go-git/go-git/v5 v5.7.0
 	github.com/hashicorp/hc-install v0.5.2
 	github.com/hashicorp/terraform-exec v0.18.1

tests/azure/go.sum

@@ -89,10 +89,10 @@ github.com/fluxcd/helm-controller/api v0.35.0 h1:UyhKXPni5z69DzPW7GtECGGdUwKsB+O
 github.com/fluxcd/helm-controller/api v0.35.0/go.mod h1:CdHMtr5wM0xgDt/PS147H7QQS+zDxAFgDW3ZN8MnUlU=
 github.com/fluxcd/image-automation-controller/api v0.35.0 h1:B7yJdAbnx0hwI6ffVu0YAyc3d3sqjXrv6ySK++g3t28=
 github.com/fluxcd/image-automation-controller/api v0.35.0/go.mod h1:67HbnrXDy550zJKZZbzAZ0yfzL0Ge1O18yn/shcgy0Y=
-github.com/fluxcd/image-reflector-controller/api v0.29.0 h1:Epzq0b2sYxgSwKPBN0BWEInQwMLsvU7sjqKJuzGtyIg=
-github.com/fluxcd/image-reflector-controller/api v0.29.0/go.mod h1:aYwq15SpkAD/urQme2iEsNouTscfR1Qo39KBlJ+0EW8=
-github.com/fluxcd/kustomize-controller/api v1.0.0 h1:BVz6lEpfGbny0ppQ82LloLSK0OoEGC51YQaw31j4vT8=
-github.com/fluxcd/kustomize-controller/api v1.0.0/go.mod h1:rYUovoofr3bVPgQowWj/CSGw73qoH0tOCopJ3oNh7lM=
+github.com/fluxcd/image-reflector-controller/api v0.29.1 h1:mnFaO60b8WyCxpc72utmAJ7J1ZtZjGGThH9NdxVeEyo=
+github.com/fluxcd/image-reflector-controller/api v0.29.1/go.mod h1:aYwq15SpkAD/urQme2iEsNouTscfR1Qo39KBlJ+0EW8=
+github.com/fluxcd/kustomize-controller/api v1.0.1 h1:zz9zx4Mc7rw9gqdgdhMWX1uDM2uR1x7WBUujKs4mdx8=
+github.com/fluxcd/kustomize-controller/api v1.0.1/go.mod h1:rYUovoofr3bVPgQowWj/CSGw73qoH0tOCopJ3oNh7lM=
 github.com/fluxcd/notification-controller/api v1.0.0 h1:WiXS116pwhFp7Qe/Fc1GmKCfLBRnZu+rYCeIn07cO+4=
 github.com/fluxcd/notification-controller/api v1.0.0/go.mod h1:uamWZwmhSHE7xdJkgRhH4Eo5/SKKILFI4o+CoQjlczc=
 github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
@@ -112,8 +112,8 @@ github.com/fluxcd/pkg/ssh v0.8.0 h1:CqHIsWYfAtGxh2D6ZvzGTkFout6MaQnFpytPzJPbDLA=
 github.com/fluxcd/pkg/ssh v0.8.0/go.mod h1:bo6HgWqIIuXU6r5HCxRFa7Uo7b4Nnzsz6MvdtAYn2XY=
 github.com/fluxcd/pkg/version v0.2.2 h1:ZpVXECeLA5hIQMft11iLp6gN3cKcz6UNuVTQPw/bRdI=
 github.com/fluxcd/pkg/version v0.2.2/go.mod h1:NGnh/no8S6PyfCDxRFrPY3T5BUnqP48MxfxNRU0z8C0=
-github.com/fluxcd/source-controller/api v1.0.0 h1:lPjmCXmEiI3tY4pReeVQBMuyLgdH8462W5ewUa9kgYM=
-github.com/fluxcd/source-controller/api v1.0.0/go.mod h1:rAY5FRFGZUKpIFNyYANHIgPgJPvbALBHWsq/zHw/cXQ=
+github.com/fluxcd/source-controller/api v1.0.1 h1:nycylbNBnQd+EO4UHpqXqAQJ1cGAPxgBbrfERCQ1pp8=
+github.com/fluxcd/source-controller/api v1.0.1/go.mod h1:rAY5FRFGZUKpIFNyYANHIgPgJPvbALBHWsq/zHw/cXQ=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=