Component not correctly honoring fields from parent Kustomization

[Joker9944]

What happened?

I'm trying to write a Component which generates a Certificate which needs some replacements with the given namespace from the parent Kustomization.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: garage
components:
  - ../../../components/namespace-cert

---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - manifests/certificate.yaml
replacements:
  - source:
      kind: Certificate
      fieldPath: metadata.namespace
    targets:
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.dnsNames.0
          - spec.dnsNames.1
        options:
          delimiter: .
          index: 1
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.secretName
          - metadata.name
        options:
          delimiter: '-'
          index: 1

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-PLACEHOLDER
spec:
  dnsNames:
    - "*.PLACEHOLDER.svc.cluster.local"
    - "*.PLACEHOLDER"
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-PLACEHOLDER-cert

This leads to the following error, implying that the namespace has not been set:

$ kubectl kustomize
error: accumulating components: accumulateDirectory: "recursed accumulation of path 'k8s-config/components/namespace-cert': fieldPath `metadata.namespace` is missing for replacement source Certificate.[noVer].[noGrp]/[noName].[noNs]"

What did you expect to happen?

However when I add a test namespace to the Component the generation works flawlessly.

---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
namespace: test
resources:
  - manifests/certificate.yaml
replacements:
  - source:
      kind: Certificate
      fieldPath: metadata.namespace
    targets:
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.dnsNames.0
          - spec.dnsNames.1
        options:
          delimiter: .
          index: 1
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.secretName
          - metadata.name
        options:
          delimiter: '-'
          index: 1

$ kubectl kustomize
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-test
  namespace: garage
spec:
  dnsNames:
  - '*.test.svc.cluster.local'
  - '*.test'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-test-cert

How can we reproduce it (as minimally and precisely as possible)?

# app/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: test
components:
  - ../component

# component/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - certificate.yaml
replacements:
  - source:
      kind: Certificate
      fieldPath: metadata.namespace
    targets:
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.dnsNames.0
          - spec.dnsNames.1
        options:
          delimiter: .
          index: 1
      - select:
          kind: Certificate
          name: wildcard-PLACEHOLDER
        fieldPaths:
          - spec.secretName
          - metadata.name
        options:
          delimiter: '-'
          index: 1

# component/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-PLACEHOLDER
spec:
  dnsNames:
    - "*.PLACEHOLDER.svc.cluster.local"
    - "*.PLACEHOLDER"
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-PLACEHOLDER-cert

cd app
kubectl kustomize

Expected output

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-garage
  namespace: garage
spec:
  dnsNames:
  - '*.garage.svc.cluster.local'
  - '*.garage'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-garage-cert

Actual output

error: accumulating components: accumulateDirectory: "recursed accumulation of path '/home/joker9944/Workspace/k8s-config/components/namespace-cert': fieldPath `metadata.namespace` is missing for replacement source Certificate.[noVer].[noGrp]/[noName].[noNs]"

Kustomize version

v5.6.0

Operating system

Linux

[k8s-ci-robot]

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sda399]

when processing the replacement in your component, the namespace does not exist yet (not applied yet).

for this to work we need to apply replacement a bit later, after the namespace transformation is applied to components.

My suggestion in the Details block below:

#! /bin/sh

R=root
[ ! -d $R ] || rm -r $R
mk() { mkdir -p ${1%/*}  && echo "$2" >$1 ; }

mk $R/kustomization.yaml '
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: garage
components:
  - components/namespace-cert
replacements:
  - path: components/namespace-cert/ns-replacement.yaml
'

mk $R/components/namespace-cert/kustomization.yaml '
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - manifests/certificate.yaml
'

mk $R/components/namespace-cert/ns-replacement.yaml '
source:
  kind: Certificate
  fieldPath: metadata.namespace
targets:
  - select:
      kind: Certificate
      name: wildcard-PLACEHOLDER
    fieldPaths:
      - spec.dnsNames.0
      - spec.dnsNames.1
    options:
      delimiter: .
      index: 1
  - select:
      kind: Certificate
      name: wildcard-PLACEHOLDER
    fieldPaths:
      - spec.secretName
      - metadata.name
    options:
      delimiter: "-"
      index: 1
'

mk $R/components/namespace-cert/manifests/certificate.yaml '
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-PLACEHOLDER
spec:
  dnsNames:
    - "*.PLACEHOLDER.svc.cluster.local"
    - "*.PLACEHOLDER"
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-PLACEHOLDER-cert
'

#---
cat <<EOF > expected.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-garage
  namespace: garage
spec:
  dnsNames:
  - '*.garage.svc.cluster.local'
  - '*.garage'
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: nyx-intermediate-ca
  secretName: wildcard-garage-cert
EOF
#---
kustomize build --stack-trace $R/ > result.yaml
printf "%-64s%s\n" expected.yaml result.yaml
printf "%130s\n" " " | tr ' ' '-'
diff -W130 -y expected.yaml result.yaml