fix(k8s,service): Hide fields first before creating diffs (#915)

SUMMARY By hiding fields first before creating a diff hidden fields will not be shown in the resulting diffs and therefore will also not trigger the changed condition. The issue can only be reproduced when a mutating webhook changes the object while the kubernetes.core.k8s module is working with it. kubevirt/kubevirt.core#145 ISSUE TYPE Bugfix Pull Request COMPONENT NAME kubernetes.core.module_utils.k8s.service ADDITIONAL INFORMATION Run kubernetes.core.k8s and create object with hidden fields. After run kubernetes.core.k8s again and let a webhook mutate the object that the module is working with. The module should return with changed: no. Reviewed-by: Bikouo Aubin Reviewed-by: Mike Graves <mgraves@redhat.com>
2026-03-26 21:33:02 +00:00 · 2025-07-15 18:10:26 +02:00
parent f568c9da62
commit 6a0635a2bb
3 changed files with 8 additions and 8 deletions
--- a/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
+++ b/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - module_utils/k8s/service - hide fields first before creating diffs (https://github.com/ansible-collections/kubernetes.core/pull/915).
--- a/plugins/module_utils/k8s/service.py
+++ b/plugins/module_utils/k8s/service.py
@@ -498,8 +498,8 @@ def diff_objects(
    if not diff:
        return True, result

-    result["before"] = diff[0]
-    result["after"] = diff[1]
+    result["before"] = hide_fields(diff[0], hidden_fields)
+    result["after"] = hide_fields(diff[1], hidden_fields)

    if list(result["after"].keys()) == ["metadata"] and list(
        result["before"].keys()
@@ -512,9 +512,6 @@ def diff_objects(
        ).issubset(ignored_keys):
            return True, result

-    result["before"] = hide_fields(result["before"], hidden_fields)
-    result["after"] = hide_fields(result["after"], hidden_fields)
-
    return False, result


--- a/tests/integration/targets/k8s_hide_fields/tasks/main.yml
+++ b/tests/integration/targets/k8s_hide_fields/tasks/main.yml
@@ -58,7 +58,7 @@
          - "'managedFields' not in hf4.resources[0]['metadata']"


-    - name: Hiding a changed field should still result in a change
+    - name: Hiding a changed field should not result in a change
      k8s:
        definition: "{{ hide_fields_base_configmap | combine({'data':{'hello':'different'}}) }}"
        hidden_fields:
@@ -67,10 +67,10 @@
      register: hf5
      diff: true

-    - name: Ensure that hidden changed field changed
+    - name: Ensure that hidden changed field not changed
      assert:
        that:
-          - hf5.changed
+          - not hf5.changed

    - name: Apply works with hidden fields
      k8s: