wip

Fix selection of kustomization resource from multi doc yaml

.github/workflows/action.yaml

@@ -0,0 +1,29 @@
+name: test-gh-action
+
+on:
+  pull_request:
+    paths:
+      - 'action/**'
+  push:
+    paths:
+      - 'action/**'
+    branches:
+      - 'main'
+      - 'release/**'
+
+permissions: read-all
+
+jobs:
+  actions:
+    strategy:
+      fail-fast: false
+      matrix:
+        version: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.version }}
+    name: action on ${{ matrix.version }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Setup flux
+        uses: ./action

.github/workflows/e2e-bootstrap.yaml

@@ -26,7 +26,7 @@ jobs:
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
           version: v0.20.0
           cluster_name: kind

.github/workflows/e2e.yaml

@@ -30,7 +30,7 @@ jobs:
             **/go.sum
             **/go.mod
       - name: Setup Kubernetes
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
         with:
           version: v0.20.0
           cluster_name: kind

.github/workflows/release.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a  # v2.8.0
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1  # v2.9.1
       - name: Setup Syft
         uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
       - name: Setup Cosign

action/README.md

@@ -1,216 +1,22 @@
 # Flux GitHub Action
 
-Usage:
+To install the latest Flux CLI on Linux, macOS or Windows GitHub runners:
 
 ```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Run Flux commands
-        run: flux -v
+steps:
+  - name: Setup Flux CLI
+    uses: fluxcd/flux2/action@main
+    with:
+      version: 'latest'
+  - name: Run Flux CLI
+    run: flux version --client
 ```
 
-The latest stable version of the `flux` binary is downloaded from
-GitHub [releases](https://github.com/fluxcd/flux2/releases)
-and placed at `/usr/local/bin/flux`.
+The Flux GitHub Action can be used to automate various tasks in CI, such as:
 
-Note that this action can only be used on GitHub **Linux** runners.
-You can change the arch (defaults to `amd64`) with:
+- [Automate Flux upgrades on clusters via Pull Requests](https://fluxcd.io/flux/flux-gh-action/#automate-flux-updates)
+- [Push Kubernetes manifests to container registries](https://fluxcd.io/flux/flux-gh-action/#push-kubernetes-manifests-to-container-registries)
+- [Run end-to-end testing with Flux and Kubernetes Kind](https://fluxcd.io/flux/flux-gh-action/#end-to-end-testing)
 
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          arch: arm64 # can be amd64, arm64 or arm
-```
+For more information, please see the [Flux GitHub Action documentation](/flux/flux-gh-action.md).
 
-You can download a specific version with:
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          version: 0.32.0
-```
-
-You can also authenticate against the GitHub API using GitHub Actions' `GITHUB_TOKEN` secret.
-
-For more information, please [read about the GitHub token secret](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret).
-
-```yaml
-    steps:
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-This is useful if you are seeing failures on shared runners, those failures are usually API limits being hit.
-
-### Automate Flux updates
-
-Example workflow for updating Flux's components generated with `flux bootstrap --path=clusters/production`:
-
-```yaml
-name: update-flux
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  components:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Check for updates
-        id: update
-        run: |
-          flux install \
-            --export > ./clusters/production/flux-system/gotk-components.yaml
-
-          VERSION="$(flux -v)"
-          echo "flux_version=$VERSION" >> $GITHUB_OUTPUT
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            branch: update-flux
-            commit-message: Update to ${{ steps.update.outputs.flux_version }}
-            title: Update to ${{ steps.update.outputs.flux_version }}
-            body: |
-              ${{ steps.update.outputs.flux_version }}
-```
-
-### Push Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to GitHub Container Registry:
-
-```yaml
-name: push-artifact-staging
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate manifests
-        run: |
-          kustomize build ./manifests/staging > ./deploy/app.yaml
-      - name: Push manifests
-        run: |
-          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
-            --path="./deploy" \
-            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
-      - name: Deploy manifests to staging
-        run: |
-          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
-```
-
-### Push and sign Kubernetes manifests to container registries
-
-Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
-which are signed with Cosign and GitHub OIDC:
-
-```yaml
-name: push-sign-artifact
-
-on:
-  push:
-    branches:
-      - 'main'
-
-permissions:
-  packages: write # needed for ghcr.io access
-  id-token: write # needed for keyless signing
-
-env:
-  OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Cosign
-        uses: sigstore/cosign-installer@main
-      - name: Login to GHCR
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Push and sign manifests
-        run: |
-          digest_url=$(flux push artifact \
-          $OCI_REPO:$(git rev-parse --short HEAD) \
-          --path="./manifests" \
-          --source="$(git config --get remote.origin.url)" \
-          --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
-          jq -r '. | .repository + "@" + .digest')
-
-          cosign sign $digest_url
-```
-
-### End-to-end testing
-
-Example workflow for running Flux in Kubernetes Kind:
-
-```yaml
-name: e2e
-
-on:
-  push:
-    branches:
-      - '*'
-
-jobs:
-  kubernetes:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Flux CLI
-        uses: fluxcd/flux2/action@main
-      - name: Setup Kubernetes Kind
-        uses: engineerd/setup-kind@v0.5.0
-      - name: Install Flux in Kubernetes Kind
-        run: flux install
-```
-
-A complete e2e testing workflow is available here
-[flux2-kustomize-helm-example](https://github.com/fluxcd/flux2-kustomize-helm-example/blob/main/.github/workflows/e2e.yaml)

action/action.yml

@@ -1,64 +1,120 @@
 name: Setup Flux CLI
-description: A GitHub Action for running Flux commands
-author: Stefan Prodan
+description: A GitHub Action for installing the Flux CLI
+author: Flux project
 branding:
   color: blue
   icon: command
 inputs:
   version:
-    description: "Flux version e.g. 0.8.0 (defaults to latest stable release)"
+    description: "Flux version e.g. 2.0.0 (defaults to latest stable release)"
     required: false
   arch:
     description: "arch can be amd64, arm64 or arm"
-    required: true
-    default: "amd64"
+    required: false
+    deprecationMessage: "No longer required, action will now detect runner arch."
   bindir:
-    description: "Optional location of the Flux binary. Will not use sudo if set. Updates System Path."
+    description: "Alternative location for the Flux binary, defaults to path relative to $RUNNER_TOOL_CACHE."
     required: false
   token:
-    description: "GitHub Token used to authentication against the API (generally only needed to prevent quota limit errors)"
+    description: "Token used to authentication against the GitHub.com API. Defaults to the token from the GitHub context of the workflow."
     required: false
 runs:
   using: composite
   steps:
-    - name: "Download flux binary to tmp"
+    - name: "Download the binary to the runner's cache dir"
       shell: bash
       run: |
-        ARCH=${{ inputs.arch }}
         VERSION=${{ inputs.version }}
-        TOKEN=${{ inputs.token }}
 
-        if [ -z "${VERSION}" ]; then
-          if [ -n "${TOKEN}" ]; then
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location --header "Authorization: token ${TOKEN}" | grep tag_name)
-          else
-            # With no GITHUB_TOKEN you will experience occasional failures due to rate limiting
-            # Ref: https://github.com/fluxcd/flux2/issues/3509#issuecomment-1400820992
-            VERSION_SLUG=$(curl https://api.github.com/repos/fluxcd/flux2/releases/latest --silent --location | grep tag_name)
+        TOKEN=${{ inputs.token }}
+        if [[ -z "$TOKEN" ]]; then
+          TOKEN=${{ github.token }}
+        fi
+
+        if [[ -z "$VERSION" ]] || [[ "$VERSION" = "latest" ]]; then
+          VERSION=$(curl -fsSL -H "Authorization: token ${TOKEN}" https://api.github.com/repos/fluxcd/flux2/releases/latest | grep tag_name | cut -d '"' -f 4)
+        fi
+        if [[ -z "$VERSION" ]]; then
+          echo "Unable to determine Flux CLI version"
+          exit 1
+        fi
+        if [[ $VERSION = v* ]]; then
+          VERSION="${VERSION:1}"
+        fi
+
+        OS=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$OS" == "macos" ]]; then
+          OS="darwin"
+        fi
+
+        ARCH=$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')
+        if [[ "$ARCH" == "x64" ]]; then
+          ARCH="amd64"
+        elif [[ "$ARCH" == "x86" ]]; then
+          ARCH="386"
+        fi
+
+        FLUX_EXEC_FILE="flux"
+        if [[ "$OS" == "windows" ]]; then
+            FLUX_EXEC_FILE="${FLUX_EXEC_FILE}.exe"
+        fi
+
+        FLUX_TOOL_DIR=${{ inputs.bindir }}
+        if [[ -z "$FLUX_TOOL_DIR" ]]; then
+          FLUX_TOOL_DIR="${RUNNER_TOOL_CACHE}/flux2/${VERSION}/${OS}/${ARCH}"
+        fi
+        if [[ ! -x "$FLUX_TOOL_DIR/FLUX_EXEC_FILE" ]]; then
+          DL_DIR="$(mktemp -dt flux2-XXXXXX)"
+          trap 'rm -rf $DL_DIR' EXIT
+
+          echo "Downloading flux ${VERSION} for ${OS}/${ARCH}"
+          FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.tar.gz"
+          if [[ "$OS" == "windows" ]]; then
+            FLUX_TARGET_FILE="flux_${VERSION}_${OS}_${ARCH}.zip"
           fi
 
-          VERSION=$(echo "${VERSION_SLUG}" | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+          FLUX_CHECKSUMS_FILE="flux_${VERSION}_checksums.txt"
+
+          FLUX_DOWNLOAD_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/"
+
+          curl -fsSL -o "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_TARGET_FILE"
+          curl -fsSL -o "$DL_DIR/$FLUX_CHECKSUMS_FILE" "$FLUX_DOWNLOAD_URL/$FLUX_CHECKSUMS_FILE"
+
+          echo "Verifying checksum"
+          sum=""
+          if command -v openssl > /dev/null; then
+            sum=$(openssl sha256 "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $2}')
+          elif command -v sha256sum > /dev/null; then
+            sum=$(sha256sum "$DL_DIR/$FLUX_TARGET_FILE" | awk '{print $1}')
+          fi
+
+          if [[ -z "$sum" ]]; then
+            echo "Neither openssl nor sha256sum found. Cannot calculate checksum."
+            exit 1
+          fi
+
+          expected_sum=$(grep " $FLUX_TARGET_FILE\$" "$DL_DIR/$FLUX_CHECKSUMS_FILE" | awk '{print $1}')
+          if [ "$sum" != "$expected_sum" ]; then
+            echo "SHA sum of ${FLUX_TARGET_FILE} does not match. Aborting."
+            exit 1
+          fi
+
+          echo "Installing flux to ${FLUX_TOOL_DIR}"
+          mkdir -p "$FLUX_TOOL_DIR"
+        
+          if [[ "$OS" == "windows" ]]; then
+            unzip "$DL_DIR/$FLUX_TARGET_FILE" "$FLUX_EXEC_FILE" -d "$FLUX_TOOL_DIR"
+          else
+            tar xzf "$DL_DIR/$FLUX_TARGET_FILE" -C "$FLUX_TOOL_DIR" $FLUX_EXEC_FILE
+          fi
+
+          chmod +x "$FLUX_TOOL_DIR/$FLUX_EXEC_FILE"
         fi
 
-        BIN_URL="https://github.com/fluxcd/flux2/releases/download/v${VERSION}/flux_${VERSION}_linux_${ARCH}.tar.gz"
-        curl --silent --fail --location "${BIN_URL}" --output /tmp/flux.tar.gz
-        mkdir -p /tmp/flux
-        tar -C /tmp/flux/ -zxvf /tmp/flux.tar.gz
-    - name: "Copy Flux binary to execute location"
-      shell: bash
-      run: |
-        BINDIR=${{ inputs.bindir }}
-        if [ -z "${BINDIR}" ]; then
-          sudo cp /tmp/flux/flux /usr/local/bin
-        else
-          cp /tmp/flux/flux "${BINDIR}"
-          echo "${BINDIR}" >> $GITHUB_PATH
-        fi
-    - name: "Cleanup tmp"
-      shell: bash
-      run: |
-        rm -rf /tmp/flux/ /tmp/flux.tar.gz
-    - name: "Verify correct installation of binary"
+        echo "Adding flux to path"
+        echo "$FLUX_TOOL_DIR" >> "$GITHUB_PATH"
+
+    - name: "Print installed flux version"
       shell: bash
       run: |
         flux -v

cmd/flux/check.go

@@ -57,7 +57,7 @@ type checkFlags struct {
 }
 
 var kubernetesConstraints = []string{
-	">=1.24.0-0",
+	">=1.25.0-0",
 }
 
 var checkArgs checkFlags

cmd/flux/create_image_repository.go

@@ -101,7 +101,7 @@ func createImageRepositoryRun(cmd *cobra.Command, args []string) error {
 	var repo = imagev1.ImageRepository{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      objectName,
-			Namespace: *kubeconfigArgs.Namespace,
+			Namespace: GetDesiredNamespace(kubeconfigArgs),
 			Labels:    labels,
 		},
 		Spec: imagev1.ImageRepositorySpec{

cmd/flux/diff_kustomization_test.go

@@ -91,6 +91,12 @@ func TestDiffKustomization(t *testing.T) {
 			objectFile: "./testdata/diff-kustomization/stringdata-sops-secret.yaml",
 			assert:     assertGoldenFile("./testdata/diff-kustomization/diff-with-drifted-stringdata-sops-secret.golden"),
 		},
+		{
+			name:       "diff where kustomization file has multiple objects with the same name",
+			args:       "diff kustomization podinfo --path ./testdata/build-kustomization/podinfo --progress-bar=false --kustomization-file ./testdata/diff-kustomization/flux-kustomization-multiobj.yaml",
+			objectFile: "",
+			assert:     assertGoldenFile("./testdata/diff-kustomization/nothing-is-deployed.golden"),
+		},
 	}
 
 	tmpl := map[string]string{

cmd/flux/get.go

@@ -146,9 +146,11 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	ns := GetDesiredNamespace(kubeconfigArgs)
+
 	var listOpts []client.ListOption
 	if !getArgs.allNamespaces {
-		listOpts = append(listOpts, client.InNamespace(*kubeconfigArgs.Namespace))
+		listOpts = append(listOpts, client.InNamespace(ns))
 	}
 
 	if len(args) > 0 {
@@ -190,12 +192,12 @@ func (get getCommand) run(cmd *cobra.Command, args []string) error {
 			logger.Failuref("%s object '%s' not found in %s namespace",
 				get.kind,
 				args[0],
-				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+				namespaceNameOrAny(getArgs.allNamespaces, ns),
 			)
 		} else if !getAll {
 			logger.Failuref("no %s objects found in %s namespace",
 				get.kind,
-				namespaceNameOrAny(getArgs.allNamespaces, *kubeconfigArgs.Namespace),
+				namespaceNameOrAny(getArgs.allNamespaces, ns),
 			)
 		}
 		return nil

cmd/flux/install.go

@@ -146,7 +146,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	opts := install.Options{
 		BaseURL:                installArgs.manifestsPath,
 		Version:                installArgs.version,
-		Namespace:              *kubeconfigArgs.Namespace,
+		Namespace:              GetDesiredNamespace(kubeconfigArgs),
 		Components:             components,
 		Registry:               installArgs.registry,
 		ImagePullSecret:        installArgs.imagePullSecret,
@@ -181,7 +181,7 @@ func installCmdRun(cmd *cobra.Command, args []string) error {
 	}
 
 	logger.Successf("manifests build completed")
-	logger.Actionf("installing components in %s namespace", *kubeconfigArgs.Namespace)
+	logger.Actionf("installing components in %s namespace", opts.Namespace)
 
 	applyOutput, err := utils.Apply(ctx, kubeconfigArgs, kubeclientOptions, tmpDir, filepath.Join(tmpDir, manifest.Path))
 	if err != nil {

cmd/flux/main.go

@@ -105,6 +105,10 @@ Command line utility for assembling Kubernetes CD pipelines the GitOps way.`,
 			return fmt.Errorf("error getting namespace: %w", err)
 		}
 
+		if ns == "" {
+			return nil
+		}
+
 		if e := validation.IsDNS1123Label(ns); len(e) > 0 {
 			return fmt.Errorf("namespace must be a valid DNS label: %q", ns)
 		}
@@ -140,7 +144,6 @@ func init() {
 	rootCmd.PersistentFlags().DurationVar(&rootArgs.timeout, "timeout", 5*time.Minute, "timeout for this operation")
 	rootCmd.PersistentFlags().BoolVar(&rootArgs.verbose, "verbose", false, "print generated objects")
 
-	configureDefaultNamespace()
 	kubeconfigArgs.APIServer = nil // prevent AddFlags from configuring --server flag
 	kubeconfigArgs.Timeout = nil   // prevent AddFlags from configuring --request-timeout flag, we have --timeout instead
 	kubeconfigArgs.AddFlags(rootCmd.PersistentFlags())
@@ -198,8 +201,10 @@ func main() {
 	}
 }
 
-func configureDefaultNamespace() {
-	*kubeconfigArgs.Namespace = rootArgs.defaults.Namespace
+func GetDesiredNamespace(cfg *genericclioptions.ConfigFlags) string {
+	if *cfg.Namespace != "" {
+		return *cfg.Namespace
+	}
 	fromEnv := os.Getenv("FLUX_SYSTEM_NAMESPACE")
 	if fromEnv != "" {
 		// namespace must be a valid DNS label. Assess against validation
@@ -207,11 +212,28 @@ func configureDefaultNamespace() {
 		// may not be actively provided by end-user.
 		if e := validation.IsDNS1123Label(fromEnv); len(e) > 0 {
 			logger.Warningf(" ignoring invalid FLUX_SYSTEM_NAMESPACE: %q", fromEnv)
-			return
+		} else {
+			return fromEnv
 		}
-
-		kubeconfigArgs.Namespace = &fromEnv
 	}
+
+	if _, has := os.LookupEnv("FLUX_NS_FOLLOW_KUBECONTEXT"); has {
+		rawCfg, err := cfg.ToRawKubeConfigLoader().RawConfig()
+		if err != nil {
+			logger.Warningf(" failed parsing kubeconfig, ignoring: %q", fromEnv)
+		} else {
+			ctx := *cfg.Context
+			if ctx == "" {
+				ctx = rawCfg.CurrentContext
+			}
+			ns := rawCfg.Contexts[ctx].Namespace
+			if ns != "" {
+				return ns
+			}
+		}
+	}
+
+	return rootArgs.defaults.Namespace
 }
 
 // readPasswordFromStdin reads a password from stdin and returns the input

cmd/flux/status.go

@@ -85,7 +85,7 @@ func buildComponentObjectRefs(components ...string) ([]object.ObjMetadata, error
 	var objRefs []object.ObjMetadata
 	for _, deployment := range components {
 		objRefs = append(objRefs, object.ObjMetadata{
-			Namespace: *kubeconfigArgs.Namespace,
+			Namespace: GetDesiredNamespace(kubeconfigArgs),
 			Name:      deployment,
 			GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
 		})

cmd/flux/testdata/check/check_pre.golden

@@ -1,3 +1,3 @@
 ► checking prerequisites
-✔ Kubernetes {{ .serverVersion }} >=1.24.0-0
+✔ Kubernetes {{ .serverVersion }} >=1.25.0-0
 ✔ prerequisites checks passed

cmd/flux/testdata/diff-kustomization/flux-kustomization-multiobj.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: podinfo
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+spec:
+  interval: 5m0s
+  path: ./kustomize
+  force: true
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default

internal/build/build.go

@@ -333,7 +333,7 @@ func (b *Builder) unMarshallKustomization() (*kustomizev1.Kustomization, error)
 	k := &kustomizev1.Kustomization{}
 	decoder := k8syaml.NewYAMLOrJSONDecoder(bytes.NewBuffer(data), len(data))
 	// check for kustomization in yaml with the same name and namespace
-	for !(k.Name == b.name && (k.Namespace == b.namespace || k.Namespace == "")) {
+	for {
 		err = decoder.Decode(k)
 		if err != nil {
 			if err == io.EOF {
@@ -343,6 +343,13 @@ func (b *Builder) unMarshallKustomization() (*kustomizev1.Kustomization, error)
 				return nil, fmt.Errorf("failed to unmarshall kustomization file %s: %w", b.kustomizationFile, err)
 			}
 		}
+
+		if strings.HasPrefix(k.APIVersion, kustomizev1.GroupVersion.Group+"/") &&
+			k.Kind == kustomizev1.KustomizationKind &&
+			k.Name == b.name &&
+			(k.Namespace == b.namespace || k.Namespace == "") {
+			break
+		}
 	}
 	return k, nil
 }

internal/build/build_test.go

@@ -189,6 +189,12 @@ func Test_unMarshallKustomization(t *testing.T) {
 			wantErr:     true,
 			errString:   "failed find kustomization with name",
 		},
+		{
+			name:        "yaml containing other resource with same name as kustomization",
+			localKsFile: "testdata/local-kustomization/invalid-resource.yaml",
+			wantErr:     true,
+			errString:   "failed find kustomization with name",
+		},
 	}
 
 	b := &Builder{
@@ -324,7 +330,10 @@ func Test_ResolveKustomization(t *testing.T) {
 		},
 	}
 
-	b := &Builder{}
+	b := &Builder{
+		name:      "podinfo",
+		namespace: "flux-system",
+	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			b.kustomizationFile = tt.localKsFile

internal/build/testdata/local-kustomization/invalid-resource.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: podinfo