OCPBUGS-36246: Improve resource merge diffs

[2uasimojo]

Resource merges -- where CVO asserts the shape of "owned" resources based on manifests from the release payload -- were trying to display useful information when an update was triggered. However:

• In some places, we were comparing objects after syncing, so the output would never show the discrepancy that actually triggered the update.
• We were using cmp.Diff() without any filters, so the diff would always show mismatches in Metadata like UID, CreationTimestamp, etc.

Here we fix the instances of the former; and address the latter via a helper that filters (ignores):

• All TypeMeta, since by the time we get to this code, we're already sure the GVKs are correct (but sometimes the values from the manifest side can be blank?).
• Status
• ObjectMeta fields not explicitly synced by EnsureObjectMeta()

Summary by CodeRabbit

• Refactor
  • Improved reconciliation change detection across multiple Kubernetes resource types by refining how “diffs” are computed for update decisions and reconciling logs.
• Bug Fixes
  • Reduces noisy or misleading “empty diff / hotloop” behavior by comparing only relevant fields (while ignoring status and other non-impactful metadata), leading to more consistent updates when manifests truly change.

[openshift-ci-robot]

@2uasimojo: This pull request references Jira Issue OCPBUGS-36246, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Resource merges -- where CVO asserts the shape of "owned" resources based on manifests from the release payload -- were trying to display useful information when an update was triggered. However:

• In some places, we were comparing objects after syncing, so the output would never show the discrepancy that actually triggered the update.
• We were using cmp.Diff() without any filters, so the diff would always show mismatches in Metadata like UID, CreationTimestamp, etc.

Here we fix the instances of the former; and address the latter via a helper that filters (ignores):

• All TypeMeta, since by the time we get to this code, we're already sure the GVKs are correct (but sometimes the values from the manifest side can be blank?).
• Status
• ObjectMeta fields not explicitly synced by EnsureObjectMeta()

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f18d63d4-bdda-4347-a15a-59b7ba3ce064

📥 Commits

Reviewing files that changed from the base of the PR and between c916190 and 4dbfdec.

📒 Files selected for processing (13)

• lib/resourceapply/admissionregistration.go
• lib/resourceapply/apiext.go
• lib/resourceapply/apps.go
• lib/resourceapply/batch.go
• lib/resourceapply/core.go
• lib/resourceapply/cv.go
• lib/resourceapply/imagestream.go
• lib/resourceapply/interface.go
• lib/resourceapply/operators.go
• lib/resourceapply/rbac.go
• lib/resourceapply/security.go
• pkg/cvo/internal/generic.go
• pkg/cvo/internal/operatorstatus.go

✅ Files skipped from review due to trivial changes (2)

• lib/resourceapply/cv.go
• pkg/cvo/internal/generic.go

🚧 Files skipped from review as they are similar to previous changes (10)

• lib/resourceapply/core.go
• lib/resourceapply/rbac.go
• lib/resourceapply/batch.go
• lib/resourceapply/operators.go
• lib/resourceapply/interface.go
• pkg/cvo/internal/operatorstatus.go
• lib/resourceapply/security.go
• lib/resourceapply/apps.go
• lib/resourceapply/apiext.go
• lib/resourceapply/admissionregistration.go

---

Walkthrough

A new exported ManifestDiff function is added to lib/resourceapply/interface.go. It wraps cmp.Diff with filters that exclude TypeMeta, Status, and most ObjectMeta fields (keeping only Name, Namespace, Labels, Annotations, and OwnerReferences). All Apply* resource helpers in lib/resourceapply/ and pkg/cvo/internal/operatorstatus.go then replace their direct cmp.Diff calls with ManifestDiff, removing per-file go-cmp imports. Several helpers also add a pre-merge deep-copy (original) to ensure the diff reflects state before Ensure* mutations.

Changes

ManifestDiff helper introduction and adoption

Layer / File(s)	Summary
ManifestDiff helper definition lib/resourceapply/interface.go	Adds go-cmp/cmp import and exports ManifestDiff(fromKAS, fromManifest any) string, which computes a filtered cmp.Diff excluding TypeMeta, Status, and non-identity ObjectMeta fields.
Apply* helpers switched to ManifestDiff lib/resourceapply/admissionregistration.go, lib/resourceapply/apiext.go, lib/resourceapply/apps.go, lib/resourceapply/batch.go, lib/resourceapply/core.go, lib/resourceapply/cv.go, lib/resourceapply/imagestream.go, lib/resourceapply/operators.go, lib/resourceapply/rbac.go, lib/resourceapply/security.go	Each Apply* function replaces cmp.Diff with ManifestDiff for reconciliation diff logging; files that previously compared post-merge state now capture a pre-merge deep copy (original) so the diff reflects actual changes made. The go-cmp/cmp import is removed from each file.
CVO internal packages adopt ManifestDiff pkg/cvo/internal/operatorstatus.go, pkg/cvo/internal/generic.go	operatorstatus.go removes go-cmp and switches ClusterOperator metadata diff to resourceapply.ManifestDiff. generic.go updates skipKeys initialization to infer its type parameter and revises the empty-diff comment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main objective of the PR: improving resource merge diffs throughout multiple resource apply functions by replacing cmp.Diff with a filtered ManifestDiff helper.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no test files or Ginkgo test definitions; the check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	No Ginkgo test code was added or modified in this PR; all changes are in source files (resourceapply and cvo packages). The check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. All changes are to production code files in lib/resourceapply/ and pkg/cvo/internal/ directories. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. It only modifies resource reconciliation logic in production code files, so SNO test compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains no deployment manifests, scheduling constraints, replica count changes, node selectors, affinity rules, or topology-related modifications. Changes are purely internal refactoring of dif...
Ote Binary Stdout Contract	✅ Passed	PR modifies only library resource apply functions (Apply*) to compute diffs via ManifestDiff helper. No process-level code (main/init/TestMain/suite setup) changes. All logging uses klog.V(2) which...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. All changes are to internal resource application logic files in lib/resourceapply/ and pkg/cvo/internal/. The check is not applicable.
No-Weak-Crypto	✅ Passed	PR contains no weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons. Changes involve resource merge diff reporting us...
Container-Privileges	✅ Passed	PR makes no changes to container security configurations, privileged settings, or Kubernetes security contexts. All changes are limited to resource apply diff computation and logging improvements.
No-Sensitive-Data-In-Logs	✅ Passed	PR improves diff logging without introducing sensitive data exposure. All changes use debug-level logging (klog.V(2)) for internal CVO operations; diff filtering reduces metadata noise previously s...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[2uasimojo]

/jira refresh

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: 2uasimojo
Once this PR has been reviewed and has the lgtm label, please assign pratikmahajan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@2uasimojo: This pull request references Jira Issue OCPBUGS-36246, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@2uasimojo: This pull request references Jira Issue OCPBUGS-36246, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

Resource merges -- where CVO asserts the shape of "owned" resources based on manifests from the release payload -- were trying to display useful information when an update was triggered. However:

• In some places, we were comparing objects after syncing, so the output would never show the discrepancy that actually triggered the update.
• We were using cmp.Diff() without any filters, so the diff would always show mismatches in Metadata like UID, CreationTimestamp, etc.

Here we fix the instances of the former; and address the latter via a helper that filters (ignores):

• All TypeMeta, since by the time we get to this code, we're already sure the GVKs are correct (but sometimes the values from the manifest side can be blank?).
• Status
• ObjectMeta fields not explicitly synced by EnsureObjectMeta()

Summary by CodeRabbit

• Refactor
• Enhanced resource update detection during reconciliation by refining which object fields are compared for changes, filtering out status and irrelevant metadata while preserving comparisons of names, namespaces, labels, annotations, and owner references across multiple resource types.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@lib/resourceapply/interface.go`:
- Around line 33-36: The allow-list filter in the switch statement (checking
parts[1] against "Name", "Namespace", "Labels", "Annotations",
"OwnerReferences") fails when paths contain bracket notation or array indices
like `Labels["key"]` or `OwnerReferences[0].Name`. Extract the base field name
from parts[1] by removing any content after the first bracket character (such as
"[") before performing the switch case comparison, so that paths with bracket
notation or array indices still match the allow-listed field names and are not
incorrectly filtered out.

In `@lib/resourceapply/security.go`:
- Around line 39-41: The ManifestDiff comparison on line 40 is comparing
`original` vs `existing`, but the actual Update call on line 47 is updating with
`reconcile`. This mismatch can hide real changes in logs. Change the
ManifestDiff call to compare `&required` vs `existing` or the appropriate
objects that reflect what is actually being updated with the reconcile object,
ensuring the diff accurately shows what changes will be applied.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c20f1549-1bc8-44a1-ae3f-7b75c3047348

📥 Commits

Reviewing files that changed from the base of the PR and between 810bfc1 and c916190.

📒 Files selected for processing (13)

• lib/resourceapply/admissionregistration.go
• lib/resourceapply/apiext.go
• lib/resourceapply/apps.go
• lib/resourceapply/batch.go
• lib/resourceapply/core.go
• lib/resourceapply/cv.go
• lib/resourceapply/imagestream.go
• lib/resourceapply/interface.go
• lib/resourceapply/operators.go
• lib/resourceapply/rbac.go
• lib/resourceapply/security.go
• pkg/cvo/internal/generic.go
• pkg/cvo/internal/operatorstatus.go

[wking]

I'm slightly concerend about the things-we-care-about list approach. If the list goes stale, we could fail to log a change we do care about. If instead we had a things-we-don't-care-about list, the risk of the list going stale is just distracting output when we're actually updating a resource, and that seems like a lesser problem (the logs are there, complaining about some field we don't care about changing, and we can use that to extend our things-we-don't-care-about list).

[2uasimojo]

Ack, that makes sense. I chose this list because it’s shorter and already explicitly enumerated (via EnsureObjectMeta) but I agree it’s better to err such that later changes produce false positives vs (opposite kind of changes) mask true ones. Will fix.

[openshift-ci]

@2uasimojo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-ovn	4dbfdec	link	true	/test e2e-agnostic-ovn
ci/prow/e2e-agnostic-ovn-upgrade-out-of-change	4dbfdec	link	true	/test e2e-agnostic-ovn-upgrade-out-of-change
ci/prow/e2e-agnostic-ovn-upgrade-into-change	4dbfdec	link	true	/test e2e-agnostic-ovn-upgrade-into-change
ci/prow/verify-update	4dbfdec	link	true	/test verify-update
ci/prow/e2e-aws-ovn-techpreview	4dbfdec	link	true	/test e2e-aws-ovn-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.