filter /status override from target normalization guard

Author: BEvgeniyS

controller/sync.go

@@ -424,7 +424,7 @@ func normalizeTargetResources(cr *comparisonResult) ([]*unstructured.Unstructure
 	if err != nil {
 		return nil, err
 	}
-	idc := diff.NewIgnoreDiffConfig(cr.diffConfig.Ignores(), cr.diffConfig.Overrides())
+	idc := diff.NewIgnoreDiffConfig(cr.diffConfig.Ignores(), filterOverridesForTargetNormalization(cr.diffConfig.Overrides()))
 	patchedTargets := []*unstructured.Unstructured{}
 	for idx, live := range cr.reconciliationResult.Live {
 		normalizedTarget := normalized.Targets[idx]
@@ -477,6 +477,29 @@ func normalizeTargetResources(cr *comparisonResult) ([]*unstructured.Unstructure
 	return patchedTargets, nil
 }
 
+// filterOverridesForTargetNormalization removes /status from override ignore
+// differences because status fields are irrelevant to target normalization.
+// Status is managed by controllers, not present in desired state from git,
+// and stripped by the API server on apply. Without this filter, the default
+// */* /status override causes HasIgnoreDifference to match every resource,
+// defeating the per-resource skip logic.
+func filterOverridesForTargetNormalization(overrides map[string]v1alpha1.ResourceOverride) map[string]v1alpha1.ResourceOverride {
+	filtered := make(map[string]v1alpha1.ResourceOverride, len(overrides))
+	for key, override := range overrides {
+		var pointers []string
+		for _, p := range override.IgnoreDifferences.JSONPointers {
+			if p != "/status" {
+				pointers = append(pointers, p)
+			}
+		}
+		if len(pointers) > 0 || len(override.IgnoreDifferences.JQPathExpressions) > 0 || len(override.IgnoreDifferences.ManagedFieldsManagers) > 0 {
+			override.IgnoreDifferences.JSONPointers = pointers
+			filtered[key] = override
+		}
+	}
+	return filtered
+}
+
 // getMergePatch calculates and returns the patch between the original and the
 // modified unstructures.
 func getMergePatch(original, modified *unstructured.Unstructured, lookupPatchMeta *strategicpatch.PatchMetaFromStruct) ([]byte, error) {

controller/sync_test.go

@@ -486,14 +486,24 @@ func TestNormalizeTargetResources(t *testing.T) {
 	})
 }
 
+// defaultOverrides returns the resource overrides that the controller always
+// injects via GetResourceOverrides(). By default, status is ignored for all
+// resources ("*/*"), which adds a wildcard entry that HasIgnoreDifference
+// matches for every resource.
+func defaultOverrides() map[string]v1alpha1.ResourceOverride {
+	return map[string]v1alpha1.ResourceOverride{
+		"*/*": {IgnoreDifferences: v1alpha1.OverrideIgnoreDiff{JSONPointers: []string{"/status"}}},
+	}
+}
+
 func TestNormalizeTargetResourcesPDB(t *testing.T) {
 	type fixture struct {
 		comparisonResult *comparisonResult
 	}
 	setup := func(t *testing.T, ignores []v1alpha1.ResourceIgnoreDifferences) *fixture {
 		t.Helper()
 		dc, err := diff.NewDiffConfigBuilder().
-			WithDiffSettings(ignores, nil, true, normalizers.IgnoreNormalizerOpts{}).
+			WithDiffSettings(ignores, defaultOverrides(), true, normalizers.IgnoreNormalizerOpts{}).
 			WithNoCache().
 			Build()
 		require.NoError(t, err)
@@ -582,7 +592,7 @@ func TestNormalizeTargetResourcesPDB(t *testing.T) {
 			},
 		}
 		dc, err := diff.NewDiffConfigBuilder().
-			WithDiffSettings(ignores, nil, true, normalizers.IgnoreNormalizerOpts{}).
+			WithDiffSettings(ignores, defaultOverrides(), true, normalizers.IgnoreNormalizerOpts{}).
 			WithNoCache().
 			Build()
 		require.NoError(t, err)
@@ -648,46 +658,6 @@ func TestNormalizeTargetResourcesPDB(t *testing.T) {
 	})
 }
 
-func TestNormalizeTargetResourcesCRD(t *testing.T) {
-	// CRDs are not in the k8s scheme, so normalizeTargetResources falls back
-	// to JSON merge patch which replaces arrays wholesale. Without matching
-	// ignore rules the merge patch must be skipped entirely.
-	setup := func(t *testing.T, ignores []v1alpha1.ResourceIgnoreDifferences) *comparisonResult {
-		t.Helper()
-		dc, err := diff.NewDiffConfigBuilder().
-			WithDiffSettings(ignores, nil, true, normalizers.IgnoreNormalizerOpts{}).
-			WithNoCache().
-			Build()
-		require.NoError(t, err)
-		live := test.YamlToUnstructured(testdata.LiveHTTPProxy)
-		target := test.YamlToUnstructured(testdata.TargetHTTPProxy)
-		return &comparisonResult{
-			reconciliationResult: sync.ReconciliationResult{
-				Live:   []*unstructured.Unstructured{live},
-				Target: []*unstructured.Unstructured{target},
-			},
-			diffConfig: dc,
-		}
-	}
-	t.Run("will not corrupt CRD arrays when no ignore rules match", func(t *testing.T) {
-		cr := setup(t, []v1alpha1.ResourceIgnoreDifferences{})
-
-		targets, err := normalizeTargetResources(cr)
-
-		require.NoError(t, err)
-		require.Len(t, targets, 1)
-		// Target HTTPProxy has 2 descriptors; live has 1.
-		// Without fix the JSON merge patch would replace the array with live's single entry.
-		descriptors, ok, err := unstructured.NestedSlice(targets[0].Object, "spec", "routes")
-		require.NoError(t, err)
-		require.True(t, ok)
-		route := descriptors[0].(map[string]any)
-		global := route["rateLimitPolicy"].(map[string]any)["global"].(map[string]any)
-		descs := global["descriptors"].([]any)
-		assert.Len(t, descs, 2, "target should retain both descriptors, not be overwritten with live's single entry")
-	})
-}
-
 func TestNormalizeTargetResourcesWithList(t *testing.T) {
 	type fixture struct {
 		comparisonResult *comparisonResult