Kustomize replacements does not work with patches #5429

Closed
Stringls opened this issue Nov 4, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments


Stringls commented Nov 4, 2023

What happened?

I am changing the existing code by replacing vars with replacements, following the warning here.
I have a _base folder that has a default set of resources; in kustomization.yaml I define replacements to patch a Role resource with a secret name that is stored in a ConfigMap (I'll share manifests in the 3rd section), to restrict access only to that secret, which is generated later by a Deployment. The var $(KUBE_SECRET) is replaced; it's working fine.
But when I patch the secret name in the ConfigMap via patches in the overlay kustomization, replacements do not update the secret name in the Role resource; they just pass the default name set in the ConfigMap in the base folder.

What did you expect to happen?

Since it's working with vars, I expect replacements to substitute the variable in the Role resource with the value provided by the patch from the overlay.

How can we reproduce it (as minimally and precisely as possible)?

```yaml
# _base/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- resources.yaml
replacements:
- source:
    fieldPath: data.KUBE_SECRET
    kind: ConfigMap
    name: credentials-sync
    version: v1
  targets:
  - fieldPaths:
    - rules.[apiGroups=""].resourceNames.0
    select:
      kind: Role
      name: credentials-sync
      version: v1
# _base/resources.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync
data:
  KUBE_SECRET: my-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: credentials-sync
  namespace: flux-system
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  # Lock this down to the specific Secret name (Optional)
  resourceNames:
  - $(KUBE_SECRET)
# aws/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../_base
patches:
- path: config-map-patch.yaml
# aws/config-map-patch.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync
data:
  KUBE_SECRET: something-else # does not yet exist -- will be created in the same Namespace
```

Expected output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: credentials-sync
  namespace: flux-system
rules:
- apiGroups:
  - ""
  resourceNames:
  - something-else
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
---
apiVersion: v1
data:
  KUBE_SECRET: something-else
kind: ConfigMap
metadata:
  name: credentials-sync
```

Actual output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: credentials-sync
  namespace: flux-system
rules:
- apiGroups:
  - ""
  resourceNames:
  - my-token
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
---
apiVersion: v1
data:
  KUBE_SECRET: something-else
kind: ConfigMap
metadata:
  name: credentials-sync
```

Kustomize version

5.0.3

Operating system

Linux

@k8s-ci-robot (Contributor) commented

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Mlundm commented Nov 14, 2023

Replacements is not a full replacement of vars iirc. So it may need some adapting.

Replacements only takes into account the resources in the same kustomization and not above.
So moving the replacement section of the base level kustomization into the top level kustomization that has the configmap patch will make it work.
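
The layout Mlundm describes, written out as an added example (not from the issue or from the kustomize project): the base keeps only resources, and the replacement is declared in the overlay next to the ConfigMap patch, so it runs after that patch in the same kustomization and reads the patched value. File names and field paths are the ones from the issue.

```yaml
# _base/kustomization.yaml: resources only; the replacement no longer lives here
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- resources.yaml

# aws/kustomization.yaml: patch and replacement in the same kustomization.
# Within one kustomization, kustomize applies patches before replacements, so
# data.KUBE_SECRET already reads "something-else" when the Role target is updated.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../_base
patches:
- path: config-map-patch.yaml
replacements:
- source:
    kind: ConfigMap
    name: credentials-sync
    version: v1
    fieldPath: data.KUBE_SECRET
  targets:
  - select:
      kind: Role
      name: credentials-sync
      version: v1
    fieldPaths:
    - rules.[apiGroups=""].resourceNames.0
```

Because the Role's `resourceNames` is a least-privilege lock-down, check `kustomize build aws` for the patched name before applying: the original layout rendered cleanly but bound the Role to `my-token`, a Secret the overlay never creates. Note that building `_base` on its own now leaves the literal `$(KUBE_SECRET)` in place, so only overlays should be built.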

Stringls (Author) commented

@Mlundm Sorry for the late response.
Thank you for the answer, I'll close the issue then.
