refactor: use new filesys/fs_memory for in-memory layer

Signed-off-by: rycli <cyril@ryc.li>

Author: rycli

go.mod

@@ -268,4 +268,4 @@ require (
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
 )
 
-replace github.com/fluxcd/pkg/kustomize => github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329153243-0671cee33351
+replace github.com/fluxcd/pkg/kustomize => github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329192052-94b031e1aca6

go.sum

@@ -502,8 +502,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329153243-0671cee33351 h1:HqutfZNQ2KtDfrgryyjBOmVTRW8c4T2LXNxpDYOL2q8=
-github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329153243-0671cee33351/go.mod h1:cW08mnngSP8MJYb6mDmMvxH8YjNATdiML0udb37dk+M=
+github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329192052-94b031e1aca6 h1:a231NZKoN+nuPkqivk8u0kKA6OaWdB30CCurQigx/Tg=
+github.com/rycli/fluxcd-pkg/kustomize v0.0.0-20260329192052-94b031e1aca6/go.mod h1:cW08mnngSP8MJYb6mDmMvxH8YjNATdiML0udb37dk+M=
 github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
 github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=

internal/build/build.go

@@ -45,6 +45,7 @@ import (
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
 	"github.com/fluxcd/pkg/kustomize"
+	buildfs "github.com/fluxcd/pkg/kustomize/filesys"
 	runclient "github.com/fluxcd/pkg/runtime/client"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
@@ -65,51 +66,64 @@ const (
 
 var defaultTimeout = 80 * time.Second
 
-// buildBackend controls how the kustomization manifest is generated
+// fsBackend controls how the kustomization manifest is generated
 // and which filesystem is used for the kustomize build.
-type buildBackend interface {
+type fsBackend interface {
 	Generate(gen *kustomize.Generator, dirPath string) (filesys.FileSystem, string, kustomize.Action, error)
 	Cleanup(dirPath string, action kustomize.Action) error
 }
 
-// onDiskBackend writes to the source directory, matching upstream behaviour.
-type onDiskBackend struct{}
+// onDiskFsBackend writes to the source directory.
+type onDiskFsBackend struct{}
 
-func (onDiskBackend) Generate(gen *kustomize.Generator, dirPath string) (filesys.FileSystem, string, kustomize.Action, error) {
+func (onDiskFsBackend) Generate(gen *kustomize.Generator, dirPath string) (filesys.FileSystem, string, kustomize.Action, error) {
 	action, err := gen.WriteFile(dirPath, kustomize.WithSaveOriginalKustomization())
 	if err != nil {
 		return nil, "", action, err
 	}
 	return filesys.MakeFsOnDisk(), dirPath, action, nil
 }
 
-func (onDiskBackend) Cleanup(dirPath string, action kustomize.Action) error {
+func (onDiskFsBackend) Cleanup(dirPath string, action kustomize.Action) error {
 	return kustomize.CleanDirectory(dirPath, action)
 }
 
-const memFSRoot = "/work"
+// inMemoryFsBackend builds in an in-memory filesystem without modifying the source directory.
+type inMemoryFsBackend struct{}
 
-// inMemoryBackend builds in an in-memory filesystem without modifying the source directory.
-type inMemoryBackend struct{}
-
-func (inMemoryBackend) Generate(gen *kustomize.Generator, dirPath string) (filesys.FileSystem, string, kustomize.Action, error) {
+func (inMemoryFsBackend) Generate(gen *kustomize.Generator, dirPath string) (filesys.FileSystem, string, kustomize.Action, error) {
 	manifest, kfilePath, action, err := gen.GenerateManifest(dirPath)
 	if err != nil {
 		return nil, "", action, err
 	}
 
-	memFS := filesys.MakeFsInMemory()
-	if err := loadDirToMemFS(dirPath, memFSRoot, memFS); err != nil {
-		return nil, "", action, fmt.Errorf("failed to load source dir: %w", err)
+	absDirPath, err := filepath.Abs(dirPath)
+	if err != nil {
+		return nil, "", action, fmt.Errorf("failed to resolve dirPath: %w", err)
+	}
+	absDirPath, err = filepath.EvalSymlinks(absDirPath)
+	if err != nil {
+		return nil, "", action, fmt.Errorf("failed to eval symlinks: %w", err)
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		return nil, "", action, fmt.Errorf("failed to get working directory: %w", err)
+	}
+
+	diskFS, err := buildfs.MakeFsOnDiskSecure(cwd)
+	if err != nil {
+		return nil, "", action, fmt.Errorf("failed to create secure filesystem: %w", err)
 	}
+	fs := buildfs.MakeFsInMemory(diskFS)
 
-	if err := memFS.WriteFile(filepath.Join(memFSRoot, filepath.Base(kfilePath)), manifest); err != nil {
+	if err := fs.WriteFile(filepath.Join(absDirPath, filepath.Base(kfilePath)), manifest); err != nil {
 		return nil, "", action, err
 	}
-	return memFS, memFSRoot, action, nil
+	return fs, absDirPath, action, nil
 }
 
-func (inMemoryBackend) Cleanup(string, kustomize.Action) error { return nil }
+func (inMemoryFsBackend) Cleanup(string, kustomize.Action) error { return nil }
 
 // Builder builds yaml manifests
 // It retrieves the kustomization object from the k8s cluster
@@ -134,7 +148,7 @@ type Builder struct {
 	localSources  map[string]string
 	// diff needs to handle kustomizations one by one
 	singleKustomization bool
-	backend             buildBackend
+	fsBackend           fsBackend
 }
 
 // BuilderOptionFunc is a function that configures a Builder
@@ -249,7 +263,7 @@ func WithLocalSources(localSources map[string]string) BuilderOptionFunc {
 func WithInMemoryBuild(inMemoryBuild bool) BuilderOptionFunc {
 	return func(b *Builder) error {
 		if inMemoryBuild {
-			b.backend = inMemoryBackend{}
+			b.fsBackend = inMemoryFsBackend{}
 		}
 		return nil
 	}
@@ -280,10 +294,10 @@ func withSpinnerFrom(in *Builder) BuilderOptionFunc {
 	}
 }
 
-// withBackend sets the build backend
-func withBackend(s buildBackend) BuilderOptionFunc {
+// withFsBackend sets the build backend
+func withFsBackend(s fsBackend) BuilderOptionFunc {
 	return func(b *Builder) error {
-		b.backend = s
+		b.fsBackend = s
 		return nil
 	}
 }
@@ -323,8 +337,8 @@ func NewBuilder(name, resources string, opts ...BuilderOptionFunc) (*Builder, er
 		b.timeout = defaultTimeout
 	}
 
-	if b.backend == nil {
-		b.backend = onDiskBackend{}
+	if b.fsBackend == nil {
+		b.fsBackend = onDiskFsBackend{}
 	}
 
 	if b.dryRun && b.kustomizationFile == "" && b.kustomization == nil {
@@ -449,15 +463,15 @@ func (b *Builder) build() (m resmap.ResMap, err error) {
 	// generate kustomization.yaml if needed
 	buildFS, buildDir, action, er := b.generate(*k, b.resourcesPath)
 	if er != nil {
-		errf := b.backend.Cleanup(b.resourcesPath, action)
+		errf := b.fsBackend.Cleanup(b.resourcesPath, action)
 		err = fmt.Errorf("failed to generate kustomization.yaml: %w", fmt.Errorf("%v %v", er, errf))
 		return
 	}
 
 	b.action = action
 
 	defer func() {
-		errf := b.backend.Cleanup(b.resourcesPath, b.action)
+		errf := b.fsBackend.Cleanup(b.resourcesPath, b.action)
 		if err == nil {
 			err = errf
 		}
@@ -505,7 +519,7 @@ func (b *Builder) kustomizationBuild(k *kustomizev1.Kustomization) ([]*unstructu
 		WithRecursive(b.recursive),
 		WithLocalSources(b.localSources),
 		WithDryRun(b.dryRun),
-		withBackend(b.backend),
+		withFsBackend(b.fsBackend),
 	)
 	if err != nil {
 		return nil, err
@@ -575,29 +589,7 @@ func (b *Builder) generate(kustomization kustomizev1.Kustomization, dirPath stri
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
-	return b.backend.Generate(gen, dirPath)
-}
-
-// loadDirToMemFS copies srcDir into dstDir on the given filesystem.
-func loadDirToMemFS(srcDir, dstDir string, fs filesys.FileSystem) error {
-	return filepath.Walk(srcDir, func(p string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		rel, err := filepath.Rel(srcDir, p)
-		if err != nil {
-			return err
-		}
-		target := filepath.Join(dstDir, rel)
-		if info.IsDir() {
-			return fs.MkdirAll(target)
-		}
-		data, err := os.ReadFile(p)
-		if err != nil {
-			return err
-		}
-		return fs.WriteFile(target, data)
-	})
+	return b.fsBackend.Generate(gen, dirPath)
 }
 
 func (b *Builder) do(ctx context.Context, kustomization kustomizev1.Kustomization, fs filesys.FileSystem, dirPath string) (resmap.ResMap, error) {
@@ -824,7 +816,7 @@ func (b *Builder) Cancel() error {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
-	return b.backend.Cleanup(b.resourcesPath, b.action)
+	return b.fsBackend.Cleanup(b.resourcesPath, b.action)
 }
 
 func (b *Builder) StartSpinner() error {