substituteFrom possible only from same namespace where Kustomization stored

[everythings-gonna-be-alright]

kustomize-controller/api/v1/kustomization_types.go

Line 223 in a1a33f2

// Name of the values referent. Should reside in the same namespace as the

In my case, the command created Kustomizations in different namespaces.
Such as
monitoring Kustomization -> namespace monitoring
logging Kustomization -> namespace logging
and so on.

How can I share basic variables between all clusters in this case?
Why is it restricted?

.spec.postBuild.substituteFrom[0].namespace: field not declared in schema

[stefanprodan]

Kubernetes Secrets and ConfigMaps are not meant to be shared across namespaces, it would break RBAC. Use Kyverno or some other tool that can sync them from one namespace to another.

[everythings-gonna-be-alright]

Oh, I did not know about it. Thanks.
But if it is incorrect, how can I inherit substitutes in child flux customization resources without syncing secrets between namespaces in some other way?

For now, I am forced to declare substitutes for all flux customization:

  postBuild:
    substitute:
      cluster_domain: "${cluster_domain}"

It is not convenient, especially when adding some new variables.
A shared secret is also not an option.
So, only Kyverno?

[stefanprodan]

See here what cert-manager team recommends https://cert-manager.io/docs/devops-tips/syncing-secrets-across-namespaces/ or do your own search on Google, there are lots of options to sync secrets between namespaces.

[everythings-gonna-be-alright]

Many thanks. I will try.
One more question.
Wouldn't it be better to implement substitutes inheritance between kustomize.toolkit.fluxcd.io/v1 internally, without the need to create secrets with substitutes?
Why was this approach chosen?