From 92e1f581fedefe17b472dda42204790fd54cb40a Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:03:21 +0000
Subject: [PATCH] fix(k8s,service): Hide fields first before creating diffs
 (#915) (#963)

This is a backport of PR #915 as merged into main (6a0635a).
SUMMARY

By hiding fields first before creating a diff hidden fields will not be shown in the resulting diffs and therefore will also not trigger the changed condition.
The issue can only be reproduced when a mutating webhook changes the object while the kubernetes.core.k8s module is working with it.

kubevirt/kubevirt.core#145
ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

kubernetes.core.module_utils.k8s.service
ADDITIONAL INFORMATION


Run kubernetes.core.k8s and create object with hidden fields. After run kubernetes.core.k8s again and let a webhook mutate the object that the module is working with. The module should return with changed: no.

Reviewed-by: Alina Buzachis
---
 .../fragments/20250428-k8s-service-hide-fields-first.yaml  | 3 +++
 plugins/module_utils/k8s/service.py                        | 7 ++-----
 tests/integration/targets/k8s_hide_fields/tasks/main.yml   | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml

diff --git a/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml b/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
new file mode 100644
index 00000000..4d1bc200
--- /dev/null
+++ b/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - module_utils/k8s/service - hide fields first before creating diffs (https://github.com/ansible-collections/kubernetes.core/pull/915).
diff --git a/plugins/module_utils/k8s/service.py b/plugins/module_utils/k8s/service.py
index abfa59e3..087fc2d7 100644
--- a/plugins/module_utils/k8s/service.py
+++ b/plugins/module_utils/k8s/service.py
@@ -498,8 +498,8 @@ def diff_objects(
     if not diff:
         return True, result
 
-    result["before"] = diff[0]
-    result["after"] = diff[1]
+    result["before"] = hide_fields(diff[0], hidden_fields)
+    result["after"] = hide_fields(diff[1], hidden_fields)
 
     if list(result["after"].keys()) == ["metadata"] and list(
         result["before"].keys()
@@ -512,9 +512,6 @@ def diff_objects(
         ).issubset(ignored_keys):
             return True, result
 
-    result["before"] = hide_fields(result["before"], hidden_fields)
-    result["after"] = hide_fields(result["after"], hidden_fields)
-
     return False, result
 
 
diff --git a/tests/integration/targets/k8s_hide_fields/tasks/main.yml b/tests/integration/targets/k8s_hide_fields/tasks/main.yml
index f54fe9eb..746384e9 100644
--- a/tests/integration/targets/k8s_hide_fields/tasks/main.yml
+++ b/tests/integration/targets/k8s_hide_fields/tasks/main.yml
@@ -58,7 +58,7 @@
           - "'managedFields' not in hf4.resources[0]['metadata']"
 
 
-    - name: Hiding a changed field should still result in a change
+    - name: Hiding a changed field should not result in a change
       k8s:
         definition: "{{ hide_fields_base_configmap | combine({'data':{'hello':'different'}}) }}"
         hidden_fields:
@@ -67,10 +67,10 @@
       register: hf5
       diff: true
 
-    - name: Ensure that hidden changed field changed
+    - name: Ensure that hidden changed field not changed
       assert:
         that:
-          - hf5.changed
+          - not hf5.changed
 
     - name: Apply works with hidden fields
       k8s: