Add --override-manager flag for server-side apply drift detection

This flag allows specifying field managers whose ownership should be
transferred to the helm-controller before performing drift detection.
When a disallowed field manager is detected on a managed resource, its
field ownership is replaced with the helm-controller's field owner,
enabling proper drift detection for fields that were previously
modified by other controllers or tools (e.g., kubectl).

This feature mirrors the --override-manager flag available in FluxCD's
kustomize-controller, providing consistent behavior across Flux
components for managing server-side apply field ownership conflicts.

Author: yozel

internal/action/diff.go

@@ -27,13 +27,16 @@ import (
 	helmaction "helm.sh/helm/v3/pkg/action"
 	helmrelease "helm.sh/helm/v3/pkg/release"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	apierrutil "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 
 	"github.com/fluxcd/cli-utils/pkg/object"
+
 	"github.com/fluxcd/pkg/ssa"
 	"github.com/fluxcd/pkg/ssa/jsondiff"
 	ssanormalize "github.com/fluxcd/pkg/ssa/normalize"
@@ -45,7 +48,7 @@ import (
 
 // Diff returns a jsondiff.DiffSet of the changes between the state of the
 // cluster and the Helm release.Release manifest.
-func Diff(ctx context.Context, config *helmaction.Configuration, rls *helmrelease.Release, fieldOwner string, ignore ...v2.IgnoreRule) (jsondiff.DiffSet, error) {
+func Diff(ctx context.Context, config *helmaction.Configuration, rls *helmrelease.Release, fieldOwner string, disallowedFieldManagers []string, ignore ...v2.IgnoreRule) (jsondiff.DiffSet, error) {
 	// Create a dry-run only client to use solely for diffing.
 	cfg, err := config.RESTClientGetter.ToRESTConfig()
 	if err != nil {
@@ -96,6 +99,19 @@ func Diff(ctx context.Context, config *helmaction.Configuration, rls *helmreleas
 		}
 	}
 
+	if len(disallowedFieldManagers) > 0 {
+		c, err := client.New(cfg, client.Options{})
+		if err != nil {
+			return nil, err
+		}
+		for _, obj := range objects {
+			err = replaceDisallowedFieldManagers(ctx, c, fieldOwner, disallowedFieldManagers, obj)
+			if err != nil {
+				return nil, fmt.Errorf("failed to clean-up disallowed field managers: %w", err)
+			}
+		}
+	}
+
 	// Base configuration for the diffing of the object.
 	diffOpts := []jsondiff.ListOption{
 		jsondiff.FieldOwner(fieldOwner),
@@ -278,3 +294,39 @@ func (s sortableDiffs) Less(i, j int) bool {
 
 	return iDiff.GetName() < jDiff.GetName()
 }
+
+func replaceDisallowedFieldManagers(ctx context.Context, c client.Client, fieldOwner string, disallowedFieldManagers []string, obj *unstructured.Unstructured) error {
+	existingObj := &unstructured.Unstructured{}
+	existingObj.SetGroupVersionKind(obj.GroupVersionKind())
+	if err := c.Get(ctx, client.ObjectKeyFromObject(obj), existingObj); client.IgnoreNotFound(err) != nil {
+		return err
+	}
+
+	fieldManagers := []ssa.FieldManager{}
+	for _, fieldManager := range disallowedFieldManagers {
+		fieldManagers = append(fieldManagers, ssa.FieldManager{
+			Name:          fieldManager,
+			OperationType: metav1.ManagedFieldsOperationApply,
+		})
+		fieldManagers = append(fieldManagers, ssa.FieldManager{
+			Name:          fieldManager,
+			OperationType: metav1.ManagedFieldsOperationUpdate,
+		})
+	}
+
+	patches, err := ssa.PatchReplaceFieldsManagers(existingObj, fieldManagers, fieldOwner)
+	if err != nil {
+		return err
+	}
+	if len(patches) > 0 {
+		rawPatch, err := json.Marshal(patches)
+		if err != nil {
+			return err
+		}
+		err = c.Patch(ctx, existingObj, client.RawPatch(types.JSONPatchType, rawPatch), client.FieldOwner(fieldOwner))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

internal/action/diff_test.go

@@ -72,12 +72,15 @@ func TestDiff(t *testing.T) {
 	}
 
 	const testOwner = "helm-controller"
+	const ownerToOverride = "kubectl"
+	const ownerToKeep = "kube-controller-manager"
 
 	tests := []struct {
 		name          string
 		manifest      string
 		ignoreRules   []v2.IgnoreRule
 		mutateCluster func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, error)
+		updateCluster func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, client.FieldOwner, error)
 		want          func(namespace string, desired, cluster []*unstructured.Unstructured) jsondiff.DiffSet
 		wantErr       bool
 	}{
@@ -151,6 +154,91 @@ data:
 				}
 			},
 		},
+		{
+			name: "detects drift after kubectl edit",
+			manifest: `---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: changed
+data:
+  key: value`,
+			mutateCluster: func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, error) {
+				var clusterObjs []*unstructured.Unstructured
+				for _, obj := range objs {
+					obj := obj.DeepCopy()
+					obj.SetNamespace(namespace)
+					clusterObjs = append(clusterObjs, obj)
+				}
+				return clusterObjs, nil
+			},
+			updateCluster: func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, client.FieldOwner, error) {
+				var clusterObjs []*unstructured.Unstructured
+				for _, obj := range objs {
+					obj := obj.DeepCopy()
+					if err := unstructured.SetNestedField(obj.Object, "changed", "data", "anotherKey"); err != nil {
+						return nil, "", fmt.Errorf("failed to set nested field: %w", err)
+					}
+					clusterObjs = append(clusterObjs, obj)
+				}
+				return clusterObjs, ownerToOverride, nil
+			},
+			want: func(namespace string, desired, cluster []*unstructured.Unstructured) jsondiff.DiffSet {
+				return jsondiff.DiffSet{
+					{
+						Type:          jsondiff.DiffTypeUpdate,
+						DesiredObject: namespacedUnstructured(desired[0], namespace),
+						ClusterObject: cluster[0],
+						Patch: extjsondiff.Patch{
+							{
+								Type:     extjsondiff.OperationRemove,
+								Path:     "/data/anotherKey",
+								OldValue: "changed",
+							},
+						},
+					},
+				}
+			},
+		},
+		{
+			name: "detect no drift if edited by kube-controller-manager",
+			manifest: `---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: changed
+data:
+  key: value`,
+			mutateCluster: func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, error) {
+				var clusterObjs []*unstructured.Unstructured
+				for _, obj := range objs {
+					obj := obj.DeepCopy()
+					obj.SetNamespace(namespace)
+					clusterObjs = append(clusterObjs, obj)
+				}
+				return clusterObjs, nil
+			},
+			updateCluster: func(objs []*unstructured.Unstructured, namespace string) ([]*unstructured.Unstructured, client.FieldOwner, error) {
+				var clusterObjs []*unstructured.Unstructured
+				for _, obj := range objs {
+					obj := obj.DeepCopy()
+					if err := unstructured.SetNestedField(obj.Object, "changed", "data", "anotherKey"); err != nil {
+						return nil, "", fmt.Errorf("failed to set nested field: %w", err)
+					}
+					clusterObjs = append(clusterObjs, obj)
+				}
+				return clusterObjs, ownerToKeep, nil
+			},
+			want: func(namespace string, desired, cluster []*unstructured.Unstructured) jsondiff.DiffSet {
+				return jsondiff.DiffSet{
+					{
+						Type:          jsondiff.DiffTypeNone,
+						DesiredObject: namespacedUnstructured(desired[0], namespace),
+						ClusterObject: cluster[0],
+					},
+				}
+			},
+		},
 		{
 			name:     "empty release manifest",
 			manifest: "",
@@ -440,12 +528,34 @@ data:
 				}
 			}
 
-			got, err := Diff(ctx, &helmaction.Configuration{RESTClientGetter: getter}, rls, testOwner, tt.ignoreRules...)
+			if tt.updateCluster != nil {
+				// tt.updateCluster emulates out-of-band modifications like `kubectl edit`
+				var (
+					fieldOwner client.FieldOwner
+				)
+				if clusterObjs, fieldOwner, err = tt.updateCluster(clusterObjs, ns.Name); err != nil {
+					t.Fatalf("Failed to modify cluster resource: %v", err)
+				}
+				for _, obj := range clusterObjs {
+					if err := c.Update(ctx, obj, fieldOwner); err != nil {
+						t.Fatalf("Failed to update object: %v", err)
+					}
+				}
+			}
+
+			got, err := Diff(ctx, &helmaction.Configuration{RESTClientGetter: getter}, rls, testOwner, []string{ownerToOverride}, tt.ignoreRules...)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("Diff() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 
+			// Refresh all objects since Diff might do mutations and this would change resourceVersion
+			for _, obj := range clusterObjs {
+				if err := c.Get(ctx, client.ObjectKeyFromObject(obj), obj); err != nil {
+					t.Fatalf("Failed to create object: %v", err)
+				}
+			}
+
 			var want jsondiff.DiffSet
 			if tt.want != nil {
 				want = tt.want(ns.Name, objs, clusterObjs)

internal/controller/helmrelease_controller.go

@@ -89,13 +89,14 @@ type HelmReleaseReconciler struct {
 
 	// Kubernetes configuration
 
-	FieldManager          string
-	DefaultServiceAccount string
-	GetClusterConfig      func() (*rest.Config, error)
-	ClientOpts            runtimeClient.Options
-	KubeConfigOpts        runtimeClient.KubeConfigOptions
-	APIReader             client.Reader
-	TokenCache            *cache.TokenCache
+	FieldManager            string
+	DisallowedFieldManagers []string
+	DefaultServiceAccount   string
+	GetClusterConfig        func() (*rest.Config, error)
+	ClientOpts              runtimeClient.Options
+	KubeConfigOpts          runtimeClient.KubeConfigOptions
+	APIReader               client.Reader
+	TokenCache              *cache.TokenCache
 
 	// Retry and requeue configuration
 
@@ -393,7 +394,7 @@ func (r *HelmReleaseReconciler) reconcileRelease(ctx context.Context, patchHelpe
 	}
 
 	// Off we go!
-	if err = intreconcile.NewAtomicRelease(patchHelper, cfg, r.EventRecorder, r.FieldManager).Reconcile(ctx, &intreconcile.Request{
+	if err = intreconcile.NewAtomicRelease(patchHelper, cfg, r.EventRecorder, r.FieldManager, r.DisallowedFieldManagers).Reconcile(ctx, &intreconcile.Request{
 		Object: obj,
 		Chart:  loadedChart,
 		Values: values,

internal/reconcile/atomic_release.go

@@ -113,22 +113,24 @@ var (
 // For more information on the individual ActionReconcilers, refer to their
 // documentation.
 type AtomicRelease struct {
-	patchHelper   *patch.SerialPatcher
-	configFactory *action.ConfigFactory
-	eventRecorder record.EventRecorder
-	strategy      releaseStrategy
-	fieldManager  string
+	patchHelper             *patch.SerialPatcher
+	configFactory           *action.ConfigFactory
+	eventRecorder           record.EventRecorder
+	strategy                releaseStrategy
+	fieldManager            string
+	disallowedFieldManagers []string
 }
 
 // NewAtomicRelease returns a new AtomicRelease reconciler configured with the
 // provided values.
-func NewAtomicRelease(patchHelper *patch.SerialPatcher, cfg *action.ConfigFactory, recorder record.EventRecorder, fieldManager string) *AtomicRelease {
+func NewAtomicRelease(patchHelper *patch.SerialPatcher, cfg *action.ConfigFactory, recorder record.EventRecorder, fieldManager string, disallowedFieldManagers []string) *AtomicRelease {
 	return &AtomicRelease{
-		patchHelper:   patchHelper,
-		eventRecorder: recorder,
-		configFactory: cfg,
-		strategy:      &cleanReleaseStrategy{},
-		fieldManager:  fieldManager,
+		patchHelper:             patchHelper,
+		eventRecorder:           recorder,
+		configFactory:           cfg,
+		strategy:                &cleanReleaseStrategy{},
+		fieldManager:            fieldManager,
+		disallowedFieldManagers: disallowedFieldManagers,
 	}
 }
 
@@ -188,7 +190,7 @@ func (r *AtomicRelease) Reconcile(ctx context.Context, req *Request) error {
 		default:
 			// Determine the current state of the Helm release.
 			log.V(logger.DebugLevel).Info("determining current state of Helm release")
-			state, err := DetermineReleaseState(ctx, r.configFactory, req)
+			state, err := DetermineReleaseState(ctx, r.configFactory, req, r.disallowedFieldManagers)
 			if err != nil {
 				conditions.MarkFalse(req.Object, meta.ReadyCondition, "StateError", "Could not determine release state: %s", err)
 				return fmt.Errorf("cannot determine release state: %w", err)

internal/reconcile/state.go

@@ -89,7 +89,7 @@ type ReleaseState struct {
 // DetermineReleaseState determines the state of the Helm release as compared
 // to the v2.HelmRelease object. It returns a ReleaseState that indicates
 // the status of the release, and an error if the state could not be determined.
-func DetermineReleaseState(ctx context.Context, cfg *action.ConfigFactory, req *Request) (ReleaseState, error) {
+func DetermineReleaseState(ctx context.Context, cfg *action.ConfigFactory, req *Request, disallowedFieldManagers []string) (ReleaseState, error) {
 	rls, err := action.LastRelease(cfg.Build(nil), req.Object.GetReleaseName())
 	if err != nil {
 		if errors.Is(err, action.ErrReleaseNotFound) {
@@ -188,7 +188,7 @@ func DetermineReleaseState(ctx context.Context, cfg *action.ConfigFactory, req *
 
 		// Confirm the cluster state matches the desired config.
 		if diffOpts := req.Object.GetDriftDetection(); diffOpts.MustDetectChanges() {
-			diffSet, err := action.Diff(ctx, cfg.Build(nil), rls, kube.ManagedFieldsManager, req.Object.GetDriftDetection().Ignore...)
+			diffSet, err := action.Diff(ctx, cfg.Build(nil), rls, kube.ManagedFieldsManager, disallowedFieldManagers, req.Object.GetDriftDetection().Ignore...)
 			hasChanges := diffSet.HasChanges()
 			if err != nil {
 				if !hasChanges {

main.go

@@ -105,6 +105,7 @@ func main() {
 		oomWatchMaxMemoryPath           string
 		oomWatchCurrentMemoryPath       string
 		snapshotDigestAlgo              string
+		disallowedFieldManagers         []string
 		tokenCacheOptions               cache.TokenFlags
 		defaultKubeConfigServiceAccount string
 	)
@@ -137,6 +138,8 @@ func main() {
 		"The path to the cgroup current memory usage file. Requires feature gate 'OOMWatch' to be enabled. If not set, the path will be automatically detected.")
 	flag.StringVar(&snapshotDigestAlgo, "snapshot-digest-algo", intdigest.Canonical.String(),
 		"The algorithm to use to calculate the digest of Helm release storage snapshots.")
+	flag.StringArrayVar(&disallowedFieldManagers, "override-manager", []string{},
+		"Field manager disallowed to perform changes on managed resources.")
 
 	clientOptions.BindFlags(flag.CommandLine)
 	logOptions.BindFlags(flag.CommandLine)
@@ -354,6 +357,7 @@ func main() {
 		DependencyRequeueInterval:  requeueDependency,
 		ArtifactFetchRetries:       httpRetry,
 		AllowExternalArtifact:      allowExternalArtifact,
+		DisallowedFieldManagers:    disallowedFieldManagers,
 	}).SetupWithManager(ctx, mgr, controller.HelmReleaseReconcilerOptions{
 		RateLimiter:            helper.GetRateLimiter(rateLimiterOptions),
 		WatchConfigs:           watchConfigs,