fix: server-side diff shows duplicate containerPorts (#791)

* fix: server-side diff shows duplicate containerPorts

Signed-off-by: Peter Jiang <[email protected]>

* lint

Signed-off-by: Peter Jiang <[email protected]>

---------

Signed-off-by: Peter Jiang <[email protected]>

Author: pjiang-dev

go.mod

@@ -97,6 +97,7 @@ require (
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )
 
 replace (

go.sum

@@ -49,6 +49,7 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -249,9 +250,13 @@ sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I
 sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
 sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
 sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

pkg/diff/diff.go

@@ -267,7 +267,7 @@ func removeWebhookMutation(predictedLive, live *unstructured.Unstructured, gvkPa
 	}
 
 	// In case any of the removed fields cause schema violations, we will keep those fields
-	nonArgoFieldsSet = safelyRemoveFieldsSet(typedPredictedLive, nonArgoFieldsSet)
+	nonArgoFieldsSet = filterOutCompositeKeyFields(typedPredictedLive, nonArgoFieldsSet)
 	typedPredictedLive = typedPredictedLive.RemoveItems(nonArgoFieldsSet)
 
 	// Apply the predicted live state to the live state to get a diff without mutation webhook fields
@@ -289,29 +289,58 @@ func removeWebhookMutation(predictedLive, live *unstructured.Unstructured, gvkPa
 	return &unstructured.Unstructured{Object: pl}, nil
 }
 
-// safelyRemoveFieldSet will validate if removing the fieldsToRemove set from predictedLive maintains
-// a valid schema. If removing a field in fieldsToRemove is invalid and breaks the schema, it is not safe
-// to remove and will be skipped from removal from predictedLive.
-func safelyRemoveFieldsSet(predictedLive *typed.TypedValue, fieldsToRemove *fieldpath.Set) *fieldpath.Set {
-	// In some cases, we cannot remove fields due to violation of the predicted live schema. In such cases we validate the removal
-	// of each field and only include it if the removal is valid.
-	testPredictedLive := predictedLive.RemoveItems(fieldsToRemove)
-	err := testPredictedLive.Validate()
-	if err != nil {
-		adjustedFieldsToRemove := fieldpath.NewSet()
-		fieldsToRemove.Iterate(func(p fieldpath.Path) {
-			singleFieldSet := fieldpath.NewSet(p)
-			testSingleRemoval := predictedLive.RemoveItems(singleFieldSet)
-			// Check if removing this single field maintains a valid schema
-			if testSingleRemoval.Validate() == nil {
-				// If valid, add this field to the adjusted set to remove
-				adjustedFieldsToRemove.Insert(p)
+// filterOutCompositeKeyFields filters out fields that are part of composite keys in associative lists.
+// These fields must be preserved to maintain list element identity during merge operations.
+func filterOutCompositeKeyFields(_ *typed.TypedValue, fieldsToRemove *fieldpath.Set) *fieldpath.Set {
+	filteredFields := fieldpath.NewSet()
+
+	fieldsToRemove.Iterate(func(fieldPath fieldpath.Path) {
+		isCompositeKey := isCompositeKeyField(fieldPath)
+		if !isCompositeKey {
+			// Only keep fields that are NOT composite keys - these are safe to remove
+			filteredFields.Insert(fieldPath)
+		}
+	})
+
+	return filteredFields
+}
+
+// isCompositeKeyField checks if a field path represents a field that is part of a composite key
+// in an associative list by examining the PathElement structure.
+// Example: .spec.containers[name="nginx"].ports[containerPort=80,protocol="TCP"].protocol
+// The path elements include:
+//   - PathElement{Key: {name: "nginx"}} - single key (not composite)
+//   - PathElement{Key: {containerPort: 80, protocol: "TCP"}} - composite key with 2 fields
+func isCompositeKeyField(fieldPath fieldpath.Path) bool {
+	if len(fieldPath) == 0 {
+		return false
+	}
+
+	// Get the last path element
+	lastElement := fieldPath[len(fieldPath)-1]
+	if lastElement.FieldName == nil {
+		return false
+	}
+	finalFieldName := *lastElement.FieldName
+
+	// Look backwards through the path to find the most recent associative list key
+	for i := len(fieldPath) - 2; i >= 0; i-- {
+		pe := fieldPath[i]
+		if pe.Key == nil {
+			continue
+		}
+		if len(*pe.Key) <= 1 {
+			continue
+		}
+		// This is a composite key
+		for _, keyField := range *pe.Key {
+			if keyField.Name == finalFieldName {
+				return true
 			}
-		})
-		return adjustedFieldsToRemove
+		}
 	}
-	// If no violations, return the original set to remove
-	return fieldsToRemove
+
+	return false
 }
 
 func jsonStrToUnstructured(jsonString string) (*unstructured.Unstructured, error) {

pkg/diff/diff_test.go

@@ -1106,6 +1106,66 @@ func TestServerSideDiff(t *testing.T) {
 		// Other fields should still be visible (not ignored)
 		assert.Contains(t, predictedLiveStr, "selector", "Other fields should remain visible")
 	})
+
+	t.Run("will preserve composite key fields during diff", func(t *testing.T) {
+		// given
+		t.Parallel()
+		liveState := StrToUnstructured(testdata.DeploymentCompositeKeyLiveYAMLSSD)
+		desiredState := StrToUnstructured(testdata.DeploymentCompositeKeyConfigYAMLSSD)
+		opts := buildOpts(testdata.DeploymentCompositeKeyPredictedLiveJSONSSD)
+
+		// when
+		result, err := serverSideDiff(desiredState, liveState, opts...)
+
+		// then
+		require.NoError(t, err)
+		assert.NotNil(t, result)
+		assert.True(t, result.Modified)
+
+		predictedDeploy := YamlToDeploy(t, result.PredictedLive)
+		liveDeploy := YamlToDeploy(t, result.NormalizedLive)
+
+		// Verify the nginx container has all 3 ports in predicted live
+		assert.Len(t, predictedDeploy.Spec.Template.Spec.Containers, 2, "Should have 2 containers")
+		nginxContainer := predictedDeploy.Spec.Template.Spec.Containers[0]
+		assert.Equal(t, "nginx", nginxContainer.Name)
+		assert.Len(t, nginxContainer.Ports, 3, "nginx should have 3 ports in predicted")
+
+		// Verify live still has only 2 ports for nginx
+		liveNginxContainer := liveDeploy.Spec.Template.Spec.Containers[0]
+		assert.Len(t, liveNginxContainer.Ports, 2, "nginx should have 2 ports in live")
+
+		// Check that the new port 8080 has protocol field preserved (composite key field)
+		port8080Found := false
+		for _, port := range nginxContainer.Ports {
+			if port.ContainerPort == 8080 {
+				port8080Found = true
+				assert.Equal(t, "metrics", port.Name, "Port 8080 should have name 'metrics'")
+				assert.Equal(t, corev1.ProtocolTCP, port.Protocol, "Port 8080 protocol (composite key field) must be preserved from webhook")
+			}
+		}
+		assert.True(t, port8080Found, "Port 8080 should be present in predicted live")
+
+		// Verify existing ports still have their protocol (also composite key fields)
+		port80Found := false
+		port443Found := false
+		for _, port := range nginxContainer.Ports {
+			if port.ContainerPort == 80 {
+				port80Found = true
+				assert.Equal(t, corev1.ProtocolTCP, port.Protocol)
+			}
+			if port.ContainerPort == 443 {
+				port443Found = true
+				assert.Equal(t, corev1.ProtocolTCP, port.Protocol)
+			}
+		}
+		assert.True(t, port80Found, "Port 80 should be present")
+		assert.True(t, port443Found, "Port 443 should be present")
+
+		// Verify that mutation webhook changes are still filtered out from diff
+		assert.Empty(t, predictedDeploy.Annotations[AnnotationLastAppliedConfig])
+		assert.Empty(t, liveDeploy.Annotations[AnnotationLastAppliedConfig])
+	})
 }
 
 // testIgnoreDifferencesNormalizer implements a simple normalizer that removes specified fields

pkg/diff/testdata/data.go

@@ -77,4 +77,13 @@ var (
 
 	//go:embed ssd-svc-no-label-predicted-live.json
 	ServicePredictedLiveNoLabelJSONSSD string
+
+	//go:embed ssd-deploy-composite-key-config.yaml
+	DeploymentCompositeKeyConfigYAMLSSD string
+
+	//go:embed ssd-deploy-composite-key-live.yaml
+	DeploymentCompositeKeyLiveYAMLSSD string
+
+	//go:embed ssd-deploy-composite-key-predicted-live.json
+	DeploymentCompositeKeyPredictedLiveJSONSSD string
 )

pkg/diff/testdata/ssd-deploy-composite-key-config.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-container-ports
+  namespace: default
+  labels:
+    app: test-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-app
+  template:
+    metadata:
+      labels:
+        app: test-app
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.21
+        ports:
+        - containerPort: 80
+          name: http
+        - containerPort: 443
+          name: https
+        - containerPort: 8080
+          name: metrics
+      - name: sidecar
+        image: busybox:1.35
+        command: ["sleep", "3600"]
+        ports:
+        - containerPort: 9090
+          name: sidecar-port

pkg/diff/testdata/ssd-deploy-composite-key-live.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-container-ports
+  namespace: default
+  labels:
+    app: test-app
+  uid: 12345678-1234-1234-1234-123456789012
+  resourceVersion: "12345"
+  generation: 1
+  creationTimestamp: "2024-01-01T00:00:00Z"
+  managedFields:
+  - apiVersion: apps/v1
+    fieldsType: FieldsV1
+    fieldsV1:
+      f:spec:
+        f:template:
+          f:spec:
+            f:containers:
+              k:{"name":"nginx"}:
+                f:ports:
+                  k:{"containerPort":80,"protocol":"TCP"}:
+                    .: {}
+                    f:containerPort: {}
+                    f:name: {}
+                    f:protocol: {}
+                  k:{"containerPort":443,"protocol":"TCP"}:
+                    .: {}
+                    f:containerPort: {}
+                    f:name: {}
+                    f:protocol: {}
+              k:{"name":"sidecar"}:
+                f:ports:
+                  k:{"containerPort":9090,"protocol":"TCP"}:
+                    .: {}
+                    f:containerPort: {}
+                    f:name: {}
+                    f:protocol: {}
+    manager: argocd-controller
+    operation: Apply
+    time: "2024-01-01T00:00:00Z"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-app
+  template:
+    metadata:
+      labels:
+        app: test-app
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.21
+        ports:
+        - containerPort: 80
+          name: http
+          protocol: TCP
+        - containerPort: 443
+          name: https
+          protocol: TCP
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        imagePullPolicy: IfNotPresent
+      - name: sidecar
+        image: busybox:1.35
+        command: ["sleep", "3600"]
+        ports:
+        - containerPort: 9090
+          name: sidecar-port
+          protocol: TCP
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        imagePullPolicy: IfNotPresent
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600
+status:
+  observedGeneration: 1
+  replicas: 1
+  updatedReplicas: 1
+  readyReplicas: 1
+  availableReplicas: 1