Fix skipped entries from SSA being stored in the inventory

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/fluxcd/pkg/http/fetch v0.19.0
 	github.com/fluxcd/pkg/kustomize v1.22.0
 	github.com/fluxcd/pkg/runtime v0.86.0
-	github.com/fluxcd/pkg/ssa v0.56.0
+	github.com/fluxcd/pkg/ssa v0.56.1-0.20250922213907-018ecdf4fc5f
 	github.com/fluxcd/pkg/tar v0.14.0
 	github.com/fluxcd/pkg/testserver v0.13.0
 	github.com/fluxcd/source-controller/api v1.7.0

go.sum

@@ -211,8 +211,8 @@ github.com/fluxcd/pkg/runtime v0.86.0 h1:q7aBSerJwt0N9hpurPVElG+HWpVhZcs6t96bcNQ
 github.com/fluxcd/pkg/runtime v0.86.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
 github.com/fluxcd/pkg/sourceignore v0.14.0 h1:ZiZzbXtXb/Qp7I7JCStsxOlX8ri8rWwCvmvIrJ0UzQQ=
 github.com/fluxcd/pkg/sourceignore v0.14.0/go.mod h1:E3zKvyTyB+oQKqm/2I/jS6Rrt3B7fNuig/4bY2vi3bg=
-github.com/fluxcd/pkg/ssa v0.56.0 h1:OuWTPr0kI0alQYX1B3byJmUQol4BrpnrsXOoBmaTCPY=
-github.com/fluxcd/pkg/ssa v0.56.0/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
+github.com/fluxcd/pkg/ssa v0.56.1-0.20250922213907-018ecdf4fc5f h1:NDWjceiwSc1c0FNPWlop0FrLeCWT9yryQKKYxodTUMo=
+github.com/fluxcd/pkg/ssa v0.56.1-0.20250922213907-018ecdf4fc5f/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
 github.com/fluxcd/pkg/tar v0.14.0 h1:9Gku8FIvPt2bixKldZnzXJ/t+7SloxePlzyVGOK8GVQ=
 github.com/fluxcd/pkg/tar v0.14.0/go.mod h1:+rOWYk93qLEJ8WwmkvJOkB8i0dna1mrwJFybE8i9Udo=
 github.com/fluxcd/pkg/testserver v0.13.0 h1:xEpBcEYtD7bwvZ+i0ZmChxKkDo/wfQEV3xmnzVybSSg=

internal/controller/kustomization_controller.go

@@ -441,13 +441,24 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// Validate and apply resources in stages.
-	drifted, changeSet, err := r.apply(ctx, resourceManager, obj, revision, originRevision, objects)
+	drifted, changeSetWithSkipped, err := r.apply(ctx, resourceManager, obj, revision, originRevision, objects)
 	if err != nil {
 		obj.Status.History.Upsert(checksum, time.Now(), time.Since(reconcileStart), meta.ReconciliationFailedReason, historyMeta)
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.ReconciliationFailedReason, "%s", err)
 		return err
 	}
 
+	// Filter out skipped entries from the change set.
+	changeSet := ssa.NewChangeSet()
+	skippedSet := make(map[object.ObjMetadata]struct{})
+	for _, entry := range changeSetWithSkipped.Entries {
+		if entry.Action == ssa.SkippedAction {
+			skippedSet[entry.ObjMetadata] = struct{}{}
+		} else {
+			changeSet.Add(entry)
+		}
+	}
+
 	// Create an inventory from the reconciled resources.
 	newInventory := inventory.New()
 	err = inventory.AddChangeSet(newInventory, changeSet)
@@ -461,7 +472,7 @@ func (r *KustomizationReconciler) reconcile(
 	obj.Status.Inventory = newInventory
 
 	// Detect stale resources which are subject to garbage collection.
-	staleObjects, err := inventory.Diff(oldInventory, newInventory)
+	staleObjects, err := inventory.Diff(oldInventory, newInventory, skippedSet)
 	if err != nil {
 		obj.Status.History.Upsert(checksum, time.Now(), time.Since(reconcileStart), meta.ReconciliationFailedReason, historyMeta)
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.ReconciliationFailedReason, "%s", err)

internal/controller/kustomization_inventory_test.go

@@ -63,6 +63,16 @@ data:
   key: "%[2]s"
 ---
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "%[1]s-ssa-ignore"
+  annotations:
+    # This tests that objects with the SSA ignore annotation are not stored in the inventory.
+    kustomize.toolkit.fluxcd.io/ssa: ignore
+data:
+  key: "%[2]s"
+---
+apiVersion: v1
 kind: Secret
 metadata:
   name: "%[1]s"

internal/inventory/inventory.go

@@ -94,8 +94,11 @@ func ListMetadata(inv *kustomizev1.ResourceInventory) (object.ObjMetadataSet, er
 	return metas, nil
 }
 
-// Diff returns the slice of objects that do not exist in the target inventory.
-func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error) {
+// Diff returns the slice of objects that do not exist in the target inventory,
+// ignoring those in the skippedSet.
+func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory,
+	skippedSet map[object.ObjMetadata]struct{}) ([]*unstructured.Unstructured, error) {
+
 	versionOf := func(i *kustomizev1.ResourceInventory, objMetadata object.ObjMetadata) string {
 		for _, entry := range i.Entries {
 			if entry.ID == objMetadata.String() {
@@ -106,10 +109,16 @@ func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInvent
 	}
 
 	objects := make([]*unstructured.Unstructured, 0)
-	aList, err := ListMetadata(inv)
+	aListWithSkipped, err := ListMetadata(inv)
 	if err != nil {
 		return nil, err
 	}
+	var aList object.ObjMetadataSet
+	for _, m := range aListWithSkipped {
+		if _, found := skippedSet[m]; !found {
+			aList = append(aList, m)
+		}
+	}
 
 	bList, err := ListMetadata(target)
 	if err != nil {

internal/inventory/inventory_test.go

@@ -24,6 +24,7 @@ import (
 	"github.com/fluxcd/pkg/ssa"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"github.com/fluxcd/cli-utils/pkg/object"
 )
@@ -60,11 +61,25 @@ func Test_Inventory(t *testing.T) {
 	})
 
 	t.Run("diff objects in inventory", func(t *testing.T) {
-		unList, err := Diff(inv2, inv1)
+		unList, err := Diff(inv2, inv1, nil)
 		g.Expect(err).ToNot(HaveOccurred())
 		g.Expect(len(unList)).To(BeIdenticalTo(1))
 		g.Expect(unList[0].GetName()).To(BeIdenticalTo("test2"))
 	})
+
+	t.Run("diff objects in inventory ignoring skipped", func(t *testing.T) {
+		skipped := object.ObjMetadata{
+			Name:      "test2",
+			Namespace: "test",
+			GroupKind: schema.GroupKind{
+				Group: "",
+				Kind:  "ConfigMap",
+			},
+		}
+		unList, err := Diff(inv2, inv1, map[object.ObjMetadata]struct{}{skipped: {}})
+		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(len(unList)).To(BeIdenticalTo(0))
+	})
 }
 
 func readManifest(manifest string) (*ssa.ChangeSet, error) {