Add .status.inventory to track managed objects

This adds the `.status.inventory` field to HelmRelease, similar to
Kustomization, to expose managed Kubernetes objects.

The inventory includes:
- Objects from the release manifest (with namespace complement)
- CRDs from the chart's crds/ directory

Helm hooks are excluded as they are ephemeral resources deleted
after execution.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Author: cappyzawa

.github/workflows/e2e.yaml

@@ -60,6 +60,23 @@ jobs:
         run: |
           kubectl -n helm-system apply -f config/testdata/podinfo
           kubectl -n helm-system wait helmreleases/podinfo --for=condition=ready --timeout=4m
+
+          # Inventory tracking enables drift detection and garbage collection.
+          # Ensure it captures managed objects from the Helm release.
+          INVENTORY=$(kubectl -n helm-system get helmrelease/podinfo -o jsonpath='{.status.inventory.entries}')
+          INVENTORY_COUNT=$(echo "$INVENTORY" | jq 'length')
+          if [ "$INVENTORY_COUNT" -lt 1 ]; then
+            echo "Expected inventory entries, got $INVENTORY_COUNT"
+            exit 1
+          fi
+          # Deployment is a primary workload resource; its presence confirms
+          # that the inventory correctly tracks resources from the rendered manifests.
+          if ! echo "$INVENTORY" | jq -e '.[] | select(.id | contains("_Deployment"))' > /dev/null; then
+            echo "Expected Deployment in inventory"
+            echo "Inventory: $INVENTORY"
+            exit 1
+          fi
+
           kubectl -n helm-system wait helmreleases/podinfo-git --for=condition=ready --timeout=4m
           kubectl -n helm-system wait helmreleases/podinfo-oci --for=condition=ready --timeout=4m
           kubectl -n helm-system delete -f config/testdata/podinfo

api/v2/helmrelease_types.go

@@ -1182,6 +1182,11 @@ type HelmReleaseStatus struct {
 	// +optional
 	History Snapshots `json:"history,omitempty"`
 
+	// Inventory contains the list of Kubernetes resource object references
+	// that have been applied for this release.
+	// +optional
+	Inventory *ResourceInventory `json:"inventory,omitempty"`
+
 	// LastAttemptedReleaseAction is the last release action performed for this
 	// HelmRelease. It is used to determine the active retry or remediation
 	// strategy.

api/v2/inventory_types.go

@@ -0,0 +1,34 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+// ResourceInventory contains a list of Kubernetes resource object references
+// that have been applied by a HelmRelease.
+type ResourceInventory struct {
+	// Entries of Kubernetes resource object references.
+	Entries []ResourceRef `json:"entries"`
+}
+
+// ResourceRef contains the information necessary to locate a resource within a cluster.
+type ResourceRef struct {
+	// ID is the string representation of the Kubernetes resource object's metadata,
+	// in the format '<namespace>_<name>_<group>_<kind>'.
+	ID string `json:"id"`
+
+	// Version is the API version of the Kubernetes resource object's kind.
+	Version string `json:"v"`
+}

api/v2/zz_generated.deepcopy.go

@@ -1248,6 +1248,34 @@ spec:
                   state. It is reset after a successful reconciliation.
                 format: int64
                 type: integer
+              inventory:
+                description: |-
+                  Inventory contains the list of Kubernetes resource object references
+                  that have been applied for this release.
+                properties:
+                  entries:
+                    description: Entries of Kubernetes resource object references.
+                    items:
+                      description: ResourceRef contains the information necessary
+                        to locate a resource within a cluster.
+                      properties:
+                        id:
+                          description: |-
+                            ID is the string representation of the Kubernetes resource object's metadata,
+                            in the format '<namespace>_<name>_<group>_<kind>'.
+                          type: string
+                        v:
+                          description: Version is the API version of the Kubernetes
+                            resource object's kind.
+                          type: string
+                      required:
+                      - id
+                      - v
+                      type: object
+                    type: array
+                required:
+                - entries
+                type: object
               lastAttemptedConfigDigest:
                 description: |-
                   LastAttemptedConfigDigest is the digest for the config (better known as

config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml

@@ -1669,6 +1669,21 @@ up to the last successfully completed release.</p>
 </tr>
 <tr>
 <td>
+<code>inventory</code><br>
+<em>
+<a href="#helm.toolkit.fluxcd.io/v2.ResourceInventory">
+ResourceInventory
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Inventory contains the list of Kubernetes resource object references
+that have been applied for this release.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>lastAttemptedReleaseAction</code><br>
 <em>
 <a href="#helm.toolkit.fluxcd.io/v2.ReleaseAction">
@@ -2342,6 +2357,85 @@ UpgradeRemediation.</p>
 </p>
 <p>RemediationStrategy returns the strategy to use to remediate a failed install
 or upgrade.</p>
+<h3 id="helm.toolkit.fluxcd.io/v2.ResourceInventory">ResourceInventory
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#helm.toolkit.fluxcd.io/v2.HelmReleaseStatus">HelmReleaseStatus</a>)
+</p>
+<p>ResourceInventory contains a list of Kubernetes resource object references
+that have been applied by a HelmRelease.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>entries</code><br>
+<em>
+<a href="#helm.toolkit.fluxcd.io/v2.ResourceRef">
+[]ResourceRef
+</a>
+</em>
+</td>
+<td>
+<p>Entries of Kubernetes resource object references.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<h3 id="helm.toolkit.fluxcd.io/v2.ResourceRef">ResourceRef
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#helm.toolkit.fluxcd.io/v2.ResourceInventory">ResourceInventory</a>)
+</p>
+<p>ResourceRef contains the information necessary to locate a resource within a cluster.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>id</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>ID is the string representation of the Kubernetes resource object&rsquo;s metadata,
+in the format &lsquo;<namespace><em><name></em><group>_<kind>&rsquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>v</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Version is the API version of the Kubernetes resource object&rsquo;s kind.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="helm.toolkit.fluxcd.io/v2.Retry">Retry
 </h3>
 <p>Retry defines a consistent interface for retry strategies from

docs/api/v2/helm.md

@@ -0,0 +1,127 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package inventory
+
+import (
+	"bytes"
+	"fmt"
+	"slices"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+
+	"github.com/fluxcd/cli-utils/pkg/object"
+	ssautil "github.com/fluxcd/pkg/ssa/utils"
+
+	v2 "github.com/fluxcd/helm-controller/api/v2"
+	helmchart "helm.sh/helm/v4/pkg/chart/v2"
+	helmrelease "helm.sh/helm/v4/pkg/release/v1"
+)
+
+// New returns a new ResourceInventory with an empty Entries slice.
+func New() *v2.ResourceInventory {
+	return &v2.ResourceInventory{
+		Entries: []v2.ResourceRef{},
+	}
+}
+
+// AddManifest parses the manifest, complements namespaces, and adds the objects to the inventory.
+func AddManifest(inv *v2.ResourceInventory, manifest string, releaseNamespace string, c client.Client) error {
+	objects, err := parseManifest(manifest)
+	if err != nil {
+		return fmt.Errorf("failed to parse manifest: %w", err)
+	}
+
+	// NOTE: Helm hooks are ephemeral resources that are deleted after execution,
+	// so they should not be tracked in the inventory.
+	objects = slices.DeleteFunc(objects, func(obj *unstructured.Unstructured) bool {
+		annotations := obj.GetAnnotations()
+		if annotations == nil {
+			return false
+		}
+		_, isHook := annotations[helmrelease.HookAnnotation]
+		return isHook
+	})
+
+	if err := setNamespaces(objects, releaseNamespace, c); err != nil {
+		return fmt.Errorf("failed to set namespaces: %w", err)
+	}
+
+	for _, obj := range objects {
+		objMeta := object.UnstructuredToObjMetadata(obj)
+		inv.Entries = append(inv.Entries, v2.ResourceRef{
+			ID:      objMeta.String(),
+			Version: obj.GroupVersionKind().Version,
+		})
+	}
+	return nil
+}
+
+func parseManifest(manifest string) ([]*unstructured.Unstructured, error) {
+	return ssautil.ReadObjects(strings.NewReader(manifest))
+}
+
+// setNamespaces complements namespace for namespaced objects that don't have one set,
+// following the pattern established in internal/action/diff.go.
+// This is necessary because Helm manifests don't include namespace for namespaced resources.
+func setNamespaces(objects []*unstructured.Unstructured, releaseNamespace string, c client.Client) error {
+	isNamespacedGVK := map[string]bool{}
+
+	for _, obj := range objects {
+		if obj.GetNamespace() != "" {
+			continue
+		}
+
+		objGVK := obj.GetObjectKind().GroupVersionKind().String()
+		if _, ok := isNamespacedGVK[objGVK]; !ok {
+			namespaced, err := apiutil.IsObjectNamespaced(obj, c.Scheme(), c.RESTMapper())
+			if err != nil {
+				return fmt.Errorf("failed to determine if %s is namespace scoped: %w",
+					obj.GetObjectKind().GroupVersionKind().Kind, err)
+			}
+			isNamespacedGVK[objGVK] = namespaced
+		}
+
+		if isNamespacedGVK[objGVK] {
+			obj.SetNamespace(releaseNamespace)
+		}
+	}
+
+	return nil
+}
+
+// AddCRDs adds CRDs from the chart's crds/ directory to the inventory.
+// CRDs are cluster-scoped, so no namespace complement is needed.
+func AddCRDs(inv *v2.ResourceInventory, chart *helmchart.Chart) error {
+	for _, crd := range chart.CRDObjects() {
+		objects, err := ssautil.ReadObjects(bytes.NewBuffer(crd.File.Data))
+		if err != nil {
+			return fmt.Errorf("failed to parse CRD %s: %w", crd.Name, err)
+		}
+
+		for _, obj := range objects {
+			objMeta := object.UnstructuredToObjMetadata(obj)
+			inv.Entries = append(inv.Entries, v2.ResourceRef{
+				ID:      objMeta.String(),
+				Version: obj.GroupVersionKind().Version,
+			})
+		}
+	}
+	return nil
+}