The resource loader requires too many deps.

[monopole]

The resource loader was expanded (#2278) to use a fork of hashicorp/go-getter.

This getter conveniently allows fetching resource yaml from a wide variety of sources.

however

• the go-getter's license is not on the CNCF approved LICENSE list.
• using it explodes deps, because it wraps N adapters around N independent fetchers (and N grows).

This feature has to be quickly dropped, because it blocks #1500.

Users that rely on special URL's in resource fields will have to use v3.10.0 or earlier, or write a plugin that accepts such URLs, or wait for someone else to do so.

kustomize build, or any entry in the resources, generators, transormers, components or validators, is parsed into a RepoSpec to separate the url part from the directory part.

The URL is passed to a subprocess that runs git clone to pull into a temp dir. Then the YAML is pulled from the appropriate subdir of that temp dir. So kustomize still honor's whatever git clone honors.

Digging in to history:

• go-getter was added to the code in Add kustomize build {repoUrl} #260 and first released in v1.0.7 (Aug 27, 2018)
• I removed it in Turn off hashicorp cloner, turn on simple cloner. #578, Delete hashicorp cloner. #579, so it was gone in the v2.0.0 release (Feb 6, 2019), which was was the first release made for kubectl integration. The integration currently sits at v2.0.3.
• go-getter was re-added in Support various target and resource with go-getter #2278 (Mar 24, 2020), which made it into release v3.5.5 (May 11, 2020).
• I removed it a second time in Drop go-getter use. #3586

kustomize needs a deny list for go.mod files, and the presubmit should check go.mod changes against this deny list.

The only way hashicorp go-getter can be reintegrated as either

• a plugin (simplest from a programming pov, but user now needs docker to run it)
• a top level Go module that's a sibling to /api that the kustomize binary can depend on, but that kubectl won't depend on.