diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1bc2b164..45ab91cf 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -95,6 +95,10 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: built-binaries-${{ github.run_id }}
+ - name: install semver
+ run: go install github.com/ffurrer2/semver/v2/cmd/semver@latest
+ - name: semver help
+ run: semver help
 - name: Extract tar to get built binaries
 run: tar -xvf built-binaries.tar
 - name: Display built binaries
diff --git a/test/integration/test-cases/suppress-output-line-regex.sh b/test/integration/test-cases/suppress-output-line-regex.sh
index e7ebdb62..82371d73 100644
--- a/test/integration/test-cases/suppress-output-line-regex.sh
+++ b/test/integration/test-cases/suppress-output-line-regex.sh
@@ -10,6 +10,10 @@ if [[ $EXTRA_HELMFILE_FLAGS == *--enable-live-output* ]]; then diff_out_file=${suppress_output_line_regex_output_dir}/diff-live fi
+if [[ $(semver compare $HELM_DIFF_VERSION "3.11.0") == "1" ]]; then
+ diff_out_file=${diff_out_file}-after-helm-diff-3.11.0
+fi
+
 if version_lt $HELM_DIFF_VERSION "3.9.0"; then echo "Skipping ${case_title} because helm-diff version is less than 3.9.0" else
diff --git a/test/integration/test-cases/suppress-output-line-regex/output/diff-after-helm-diff-3.11.0 b/test/integration/test-cases/suppress-output-line-regex/output/diff-after-helm-diff-3.11.0
new file mode 100644
index 00000000..327d2158
--- /dev/null
+++ b/test/integration/test-cases/suppress-output-line-regex/output/diff-after-helm-diff-3.11.0
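Review bot: The added `install semver` step in `.github/workflows/ci.yaml` installs `github.com/ffurrer2/semver/v2/cmd/semver@latest`, so the tool version is resolved at job time and any new upstream release, including a broken or tampered one, runs in CI without a change in this repository. Pin a released version instead, e.g. `run: go install github.com/ffurrer2/semver/v2/cmd/semver@<pinned-version>` (placeholder; use the tag the tests were validated with), so the build is reproducible and an upgrade becomes a reviewable diff. The following `semver help` step only prints usage and looks like a leftover debugging aid; if it is kept as a PATH check, a comment such as `# fails early if the Go bin directory is not on PATH` would say so. The enclosing job starts and ends outside the hunk, so whether Go is already set up in it cannot be seen from here.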
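Review bot: The new `if [[ $(semver compare $HELM_DIFF_VERSION "3.11.0") == "1" ]]` check in `suppress-output-line-regex.sh` fails silently: when `semver` is missing from PATH or rejects the version string, the substitution is empty, the condition is false, and the test compares against the pre-3.11.0 fixture, which surfaces as an unrelated-looking output mismatch. Capturing the result first makes the failure visible, e.g. `cmp=$(semver compare "$HELM_DIFF_VERSION" "3.11.0") || { echo "semver compare failed for ${HELM_DIFF_VERSION}"; exit 1; }` followed by `if [[ $cmp == "1" ]]; then`, which also quotes the variable. Note that `== "1"` selects the new fixture only for versions strictly greater than 3.11.0; if 3.11.0 itself produces the new output, the test should accept `0` as well. The script already calls a `version_lt` helper (defined outside this hunk) a few lines below, so reusing it would avoid the extra tool dependency for local runs.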
@@ -0,0 +1,530 @@ +Comparing release=ingress-nginx, chart=ingress-nginx/ingress-nginx, namespace=helmfile-tests +helmfile-tests, ingress-nginx, ClusterRole (rbac.authorization.k8s.io) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx, ClusterRoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + name: ingress-nginx + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx, Role (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/controller-role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: helmfile-tests + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch ++ # Omit Ingress status permissions if `--update-status` is disabled. 
+ - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - ingress-nginx-leader + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +helmfile-tests, ingress-nginx, RoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/controller-rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: helmfile-tests + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx, ServiceAccount (v1) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx-admission, ClusterRole (rbac.authorization.k8s.io) has changed, but diff is empty after suppression. 
+helmfile-tests, ingress-nginx-admission, ClusterRoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ingress-nginx-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx-admission, Role (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: +- name: ingress-nginx-admission ++ name: ingress-nginx-admission + namespace: helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +helmfile-tests, ingress-nginx-admission, RoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: ingress-nginx-admission + namespace: 
helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx-admission, ServiceAccount (v1) has changed: +helmfile-tests, ingress-nginx-admission, ValidatingWebhookConfiguration (admissionregistration.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml + # before changing this value, check the required kubernetes version + # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + annotations: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission + webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: +- namespace: "helmfile-tests" + name: ingress-nginx-controller-admission ++ namespace: helmfile-tests + path: /networking/v1/ingresses +helmfile-tests, ingress-nginx-admission-create, Job (batch) has changed: + # Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml + apiVersion: batch/v1 + kind: Job + metadata: + name: ingress-nginx-admission-create + namespace: helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + template: + metadata: + name: ingress-nginx-admission-create + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: create +- image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80" ++ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 + imagePullPolicy: IfNotPresent + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false ++ capabilities: ++ drop: ++ - ALL ++ readOnlyRootFilesystem: true ++ runAsNonRoot: true ++ runAsUser: 65532 ++ seccompProfile: ++ type: RuntimeDefault + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux +- securityContext: +- fsGroup: 2000 +- runAsNonRoot: true +- runAsUser: 2000 +helmfile-tests, ingress-nginx-admission-patch, Job (batch) has changed: + # Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml + apiVersion: batch/v1 + kind: Job + metadata: + name: ingress-nginx-admission-patch + namespace: helmfile-tests + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + template: + metadata: + name: ingress-nginx-admission-patch + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: patch +- image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80" ++ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false ++ capabilities: ++ drop: ++ - ALL ++ readOnlyRootFilesystem: true ++ runAsNonRoot: true ++ runAsUser: 65532 ++ seccompProfile: ++ type: RuntimeDefault + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux +- securityContext: +- fsGroup: 2000 +- runAsNonRoot: true +- runAsUser: 2000 +helmfile-tests, ingress-nginx-controller, ConfigMap (v1) has changed: +helmfile-tests, 
ingress-nginx-controller, Deployment (apps) has changed: + # Source: ingress-nginx/templates/controller-deployment.yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: helmfile-tests + spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + replicas: 1 + revisionHistoryLimit: 10 + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller +- image: "registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3" ++ image: registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown +- args: ++ args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + securityContext: ++ runAsNonRoot: true ++ runAsUser: 101 ++ allowPrivilegeEscalation: false ++ seccompProfile: ++ type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +- runAsUser: 101 +- 
allowPrivilegeEscalation: true ++ readOnlyRootFilesystem: false + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +helmfile-tests, ingress-nginx-controller, Service (v1) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx-controller-admission, Service (v1) has changed, but diff is empty after suppression. +helmfile-tests, nginx, IngressClass (networking.k8s.io) has changed, but diff is empty after suppression. 
+helmfile-tests, ingress-nginx-admission, NetworkPolicy (networking.k8s.io) has been removed: +- # Source: ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml +- apiVersion: networking.k8s.io/v1 +- kind: NetworkPolicy +- metadata: +- name: ingress-nginx-admission +- namespace: helmfile-tests +- annotations: +- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade +- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +- labels: +- app.kubernetes.io/name: ingress-nginx +- app.kubernetes.io/instance: ingress-nginx +- app.kubernetes.io/part-of: ingress-nginx +- app.kubernetes.io/managed-by: Helm +- app.kubernetes.io/component: admission-webhook +- spec: +- podSelector: +- matchLabels: +- app.kubernetes.io/name: ingress-nginx +- app.kubernetes.io/instance: ingress-nginx +- app.kubernetes.io/component: admission-webhook +- policyTypes: +- - Ingress +- - Egress +- egress: +- - {} ++ + diff --git a/test/integration/test-cases/suppress-output-line-regex/output/diff-live-after-helm-diff-3.11.0 b/test/integration/test-cases/suppress-output-line-regex/output/diff-live-after-helm-diff-3.11.0 new file mode 100644 index 00000000..aa4311aa --- /dev/null +++ b/test/integration/test-cases/suppress-output-line-regex/output/diff-live-after-helm-diff-3.11.0 
@@ -0,0 +1,530 @@ +"ingress-nginx" has been added to your repositories +helmfile-tests, ingress-nginx, ClusterRole (rbac.authorization.k8s.io) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx, ClusterRoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + name: ingress-nginx + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx, Role (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/controller-role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: helmfile-tests + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch ++ # Omit Ingress status permissions if `--update-status` is disabled. 
+ - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - ingress-nginx-leader + verbs: + - get + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +helmfile-tests, ingress-nginx, RoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/controller-rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: helmfile-tests + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx + subjects: + - kind: ServiceAccount + name: ingress-nginx +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx, ServiceAccount (v1) has changed: +helmfile-tests, ingress-nginx-admission, ClusterRole (rbac.authorization.k8s.io) has changed, but diff is empty after suppression. 
+helmfile-tests, ingress-nginx-admission, ClusterRoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: ingress-nginx-admission + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx-admission, Role (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: +- name: ingress-nginx-admission ++ name: ingress-nginx-admission + namespace: helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +helmfile-tests, ingress-nginx-admission, RoleBinding (rbac.authorization.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: ingress-nginx-admission + namespace: 
helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission + subjects: + - kind: ServiceAccount + name: ingress-nginx-admission +- namespace: "helmfile-tests" ++ namespace: helmfile-tests +helmfile-tests, ingress-nginx-admission, ServiceAccount (v1) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx-admission, ValidatingWebhookConfiguration (admissionregistration.k8s.io) has changed: + # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml + # before changing this value, check the required kubernetes version + # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites + apiVersion: admissionregistration.k8s.io/v1 + kind: ValidatingWebhookConfiguration + metadata: + annotations: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission + webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: +- namespace: "helmfile-tests" + name: ingress-nginx-controller-admission ++ namespace: helmfile-tests + path: /networking/v1/ingresses +helmfile-tests, ingress-nginx-admission-create, Job (batch) has changed: + # 
Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml + apiVersion: batch/v1 + kind: Job + metadata: + name: ingress-nginx-admission-create + namespace: helmfile-tests + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + template: + metadata: + name: ingress-nginx-admission-create + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: create +- image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80" ++ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 + imagePullPolicy: IfNotPresent + args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false ++ capabilities: ++ drop: ++ - ALL ++ readOnlyRootFilesystem: true ++ runAsNonRoot: true ++ runAsUser: 65532 ++ seccompProfile: ++ type: RuntimeDefault + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux +- securityContext: +- fsGroup: 2000 +- runAsNonRoot: true +- runAsUser: 2000 +helmfile-tests, ingress-nginx-admission-patch, Job (batch) has changed: + # Source: 
ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml + apiVersion: batch/v1 + kind: Job + metadata: + name: ingress-nginx-admission-patch + namespace: helmfile-tests + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + template: + metadata: + name: ingress-nginx-admission-patch + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + spec: + containers: + - name: patch +- image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80" ++ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 + imagePullPolicy: IfNotPresent + args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false ++ capabilities: ++ drop: ++ - ALL ++ readOnlyRootFilesystem: true ++ runAsNonRoot: true ++ runAsUser: 65532 ++ seccompProfile: ++ type: RuntimeDefault + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission + nodeSelector: + kubernetes.io/os: linux +- securityContext: +- fsGroup: 2000 +- runAsNonRoot: true +- runAsUser: 2000 +helmfile-tests, ingress-nginx-controller, ConfigMap (v1) has changed, but diff is empty after suppression. 
+helmfile-tests, ingress-nginx-controller, Deployment (apps) has changed: + # Source: ingress-nginx/templates/controller-deployment.yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: helmfile-tests + spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + replicas: 1 + revisionHistoryLimit: 10 + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller +- image: "registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3" ++ image: registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown +- args: ++ args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + securityContext: ++ runAsNonRoot: true ++ runAsUser: 101 ++ allowPrivilegeEscalation: false ++ seccompProfile: ++ type: RuntimeDefault + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +- runAsUser: 
101 +- allowPrivilegeEscalation: true ++ readOnlyRootFilesystem: false + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +helmfile-tests, ingress-nginx-controller, Service (v1) has changed, but diff is empty after suppression. +helmfile-tests, ingress-nginx-controller-admission, Service (v1) has changed, but diff is empty after suppression. +helmfile-tests, nginx, IngressClass (networking.k8s.io) has changed, but diff is empty after suppression. 
+helmfile-tests, ingress-nginx-admission, NetworkPolicy (networking.k8s.io) has been removed: +- # Source: ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml +- apiVersion: networking.k8s.io/v1 +- kind: NetworkPolicy +- metadata: +- name: ingress-nginx-admission +- namespace: helmfile-tests +- annotations: +- "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade +- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +- labels: +- app.kubernetes.io/name: ingress-nginx +- app.kubernetes.io/instance: ingress-nginx +- app.kubernetes.io/part-of: ingress-nginx +- app.kubernetes.io/managed-by: Helm +- app.kubernetes.io/component: admission-webhook +- spec: +- podSelector: +- matchLabels: +- app.kubernetes.io/name: ingress-nginx +- app.kubernetes.io/instance: ingress-nginx +- app.kubernetes.io/component: admission-webhook +- policyTypes: +- - Ingress +- - Egress +- egress: +- - {} ++ +Comparing release=ingress-nginx, chart=ingress-nginx/ingress-nginx, namespace=helmfile-tests