postBuild substituteFrom should ignore keys which are not well-formed

[GottfriedGanssauge]

Describe the bug

We have a kubernetes app containing a configmap where we collect all kinds of configuration information from outside the cluster (e.g. aks-resourcegroup or node-resource-group).
We now would like to use one of the keys (nfs_host) for postBuild.substituteFrom in a kustomization.
The kustomization complains about the keys not being well-formed but doesn't subsitute the well-formed variable.

Steps to reproduce

Have a configmap in namespace flux-system

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-type
  namespace: flux-system
data:
  aks-resource-group: ''
  nfs_host: 194.55.168.40
  resource-group: ''

Have a kustomization in the same namespace:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  labels:
    kustomize.toolkit.fluxcd.io/name: flux-system
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: storage
  namespace: flux-system
spec:
  force: false
  interval: 1m
  path: ./infrastructure/dev/storage
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: cluster-type
        optional: false
  prune: true
  retryInterval: 5s
  sourceRef:
    kind: GitRepository
    name: flux-system
  timeout: 30s
  wait: true

In path ./infrastructure/dev/storage have resource using variable nfs_host

apiVersion: v1
kind: PersistentVolume
metadata:
  labels:
    usage: idesk-products
  name: idesk-products
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 1023Gi
  nfs:
    path: /data/products
    server: ${nfs_host}
  persistentVolumeReclaimPolicy: Retain

when trying to reconcile the kustomization files with error messages like

post build failed for 'data-backup': envsubst error: 'resource-group' var name is invalid, must match '^[_[:alpha:]][_[:alpha:][:digit:]]*$'

or

post build failed for 'data-backup': envsubst error: 'aks-resource-group' var name is invalid, must match '^[_[:alpha:]][_[:alpha:][:digit:]]*$'

data-backup is another persistentvolume in the same resource which does not even contain variable references

Expected behavior

I would expect that non-referenced keys from the configmap are simply ignored.
That error should only occur if invalid variable references are embedded in the resource

Screenshots and recordings

No response

OS / Distro

Ubuntu-Linux 22.04

Flux version

v2.3.0

Flux check

► checking prerequisites
✗ flux 2.2.2 <2.3.0 (new CLI version is available, please upgrade)
✔ Kubernetes 1.29.2 >=1.26.0-0
► checking version in cluster
✔ distribution: flux-v2.3.0
✔ bootstrapped: false
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v1.0.1
✔ image-automation-controller: deployment ready
► ghcr.io/fluxcd/image-automation-controller:v0.38.0
✔ image-reflector-controller: deployment ready
► ghcr.io/fluxcd/image-reflector-controller:v0.32.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.3.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v1.3.0
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.3.0
► checking crds
✔ alerts.notification.toolkit.fluxcd.io/v1beta3
✔ buckets.source.toolkit.fluxcd.io/v1beta2
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmreleases.helm.toolkit.fluxcd.io/v2
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ imagepolicies.image.toolkit.fluxcd.io/v1beta2
✔ imagerepositories.image.toolkit.fluxcd.io/v1beta2
✔ imageupdateautomations.image.toolkit.fluxcd.io/v1beta2
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1beta2
✔ providers.notification.toolkit.fluxcd.io/v1beta3
✔ receivers.notification.toolkit.fluxcd.io/v1
✔ all checks passed

Git provider

No response

Container Registry provider

No response

Additional context

The cluster we're testing with is a 2 node kind cluster running on Ubuntu-22.04

Code of Conduct

• I agree to follow this project's Code of Conduct