From 4050b480fc28dd08f0b51a1f7e2aeddfeb81f700 Mon Sep 17 00:00:00 2001
From: Matheus Pimenta <matheuscscp@gmail.com>
Date: Mon, 22 Sep 2025 23:04:30 +0100
Subject: [PATCH] Fix skipped entries from SSA being stored in the inventory

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
---
 go.mod                                          |  2 +-
 go.sum                                          |  4 ++--
 internal/controller/kustomization_controller.go | 15 +++++++++++++--
 .../controller/kustomization_inventory_test.go  | 10 ++++++++++
 internal/inventory/inventory.go                 | 15 ++++++++++++---
 internal/inventory/inventory_test.go            | 17 ++++++++++++++++-
 6 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 71e261a83..dcb591488 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/fluxcd/pkg/http/fetch v0.19.0
 	github.com/fluxcd/pkg/kustomize v1.22.0
 	github.com/fluxcd/pkg/runtime v0.86.0
-	github.com/fluxcd/pkg/ssa v0.56.0
+	github.com/fluxcd/pkg/ssa v0.57.0
 	github.com/fluxcd/pkg/tar v0.14.0
 	github.com/fluxcd/pkg/testserver v0.13.0
 	github.com/fluxcd/source-controller/api v1.7.0
diff --git a/go.sum b/go.sum
index b41e61536..4a2b5d079 100644
--- a/go.sum
+++ b/go.sum
@@ -211,8 +211,8 @@ github.com/fluxcd/pkg/runtime v0.86.0 h1:q7aBSerJwt0N9hpurPVElG+HWpVhZcs6t96bcNQ
 github.com/fluxcd/pkg/runtime v0.86.0/go.mod h1:Wt9mUzQgMPQMu2D/wKl5pG4zh5vu/tfF5wq9pPobxOQ=
 github.com/fluxcd/pkg/sourceignore v0.14.0 h1:ZiZzbXtXb/Qp7I7JCStsxOlX8ri8rWwCvmvIrJ0UzQQ=
 github.com/fluxcd/pkg/sourceignore v0.14.0/go.mod h1:E3zKvyTyB+oQKqm/2I/jS6Rrt3B7fNuig/4bY2vi3bg=
-github.com/fluxcd/pkg/ssa v0.56.0 h1:OuWTPr0kI0alQYX1B3byJmUQol4BrpnrsXOoBmaTCPY=
-github.com/fluxcd/pkg/ssa v0.56.0/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
+github.com/fluxcd/pkg/ssa v0.57.0 h1:G2cKyeyOtEdOdLeMBWZe0XT+J0rBWSBzy9xln2myTaI=
+github.com/fluxcd/pkg/ssa v0.57.0/go.mod h1:iN/QDMqdJaVXKkqwbXqGa4PyWQwtyIy2WkeM2+9kfXA=
 github.com/fluxcd/pkg/tar v0.14.0 h1:9Gku8FIvPt2bixKldZnzXJ/t+7SloxePlzyVGOK8GVQ=
 github.com/fluxcd/pkg/tar v0.14.0/go.mod h1:+rOWYk93qLEJ8WwmkvJOkB8i0dna1mrwJFybE8i9Udo=
 github.com/fluxcd/pkg/testserver v0.13.0 h1:xEpBcEYtD7bwvZ+i0ZmChxKkDo/wfQEV3xmnzVybSSg=
diff --git a/internal/controller/kustomization_controller.go b/internal/controller/kustomization_controller.go
index 9ffec2bde..6ab99d7af 100644
--- a/internal/controller/kustomization_controller.go
+++ b/internal/controller/kustomization_controller.go
@@ -441,13 +441,24 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// Validate and apply resources in stages.
-	drifted, changeSet, err := r.apply(ctx, resourceManager, obj, revision, originRevision, objects)
+	drifted, changeSetWithSkipped, err := r.apply(ctx, resourceManager, obj, revision, originRevision, objects)
 	if err != nil {
 		obj.Status.History.Upsert(checksum, time.Now(), time.Since(reconcileStart), meta.ReconciliationFailedReason, historyMeta)
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.ReconciliationFailedReason, "%s", err)
 		return err
 	}
 
+	// Filter out skipped entries from the change set.
+	changeSet := ssa.NewChangeSet()
+	skippedSet := make(map[object.ObjMetadata]struct{})
+	for _, entry := range changeSetWithSkipped.Entries {
+		if entry.Action == ssa.SkippedAction {
+			skippedSet[entry.ObjMetadata] = struct{}{}
+		} else {
+			changeSet.Add(entry)
+		}
+	}
+
 	// Create an inventory from the reconciled resources.
 	newInventory := inventory.New()
 	err = inventory.AddChangeSet(newInventory, changeSet)
@@ -461,7 +472,7 @@ func (r *KustomizationReconciler) reconcile(
 	obj.Status.Inventory = newInventory
 
 	// Detect stale resources which are subject to garbage collection.
-	staleObjects, err := inventory.Diff(oldInventory, newInventory)
+	staleObjects, err := inventory.Diff(oldInventory, newInventory, skippedSet)
 	if err != nil {
 		obj.Status.History.Upsert(checksum, time.Now(), time.Since(reconcileStart), meta.ReconciliationFailedReason, historyMeta)
 		conditions.MarkFalse(obj, meta.ReadyCondition, meta.ReconciliationFailedReason, "%s", err)
diff --git a/internal/controller/kustomization_inventory_test.go b/internal/controller/kustomization_inventory_test.go
index f11c38bb4..039b76b18 100644
--- a/internal/controller/kustomization_inventory_test.go
+++ b/internal/controller/kustomization_inventory_test.go
@@ -63,6 +63,16 @@ data:
   key: "%[2]s"
 ---
 apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "%[1]s-ssa-ignore"
+  annotations:
+    # This tests that objects with the SSA ignore annotation are not stored in the inventory.
+    kustomize.toolkit.fluxcd.io/ssa: ignore
+data:
+  key: "%[2]s"
+---
+apiVersion: v1
 kind: Secret
 metadata:
   name: "%[1]s"
diff --git a/internal/inventory/inventory.go b/internal/inventory/inventory.go
index a92c6946b..9fb41d8c3 100644
--- a/internal/inventory/inventory.go
+++ b/internal/inventory/inventory.go
@@ -94,8 +94,11 @@ func ListMetadata(inv *kustomizev1.ResourceInventory) (object.ObjMetadataSet, er
 	return metas, nil
 }
 
-// Diff returns the slice of objects that do not exist in the target inventory.
-func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error) {
+// Diff returns the slice of objects that do not exist in the target inventory,
+// ignoring those in the skippedSet.
+func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory,
+	skippedSet map[object.ObjMetadata]struct{}) ([]*unstructured.Unstructured, error) {
+
 	versionOf := func(i *kustomizev1.ResourceInventory, objMetadata object.ObjMetadata) string {
 		for _, entry := range i.Entries {
 			if entry.ID == objMetadata.String() {
@@ -106,10 +109,16 @@ func Diff(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInvent
 	}
 
 	objects := make([]*unstructured.Unstructured, 0)
-	aList, err := ListMetadata(inv)
+	aListWithSkipped, err := ListMetadata(inv)
 	if err != nil {
 		return nil, err
 	}
+	var aList object.ObjMetadataSet
+	for _, m := range aListWithSkipped {
+		if _, found := skippedSet[m]; !found {
+			aList = append(aList, m)
+		}
+	}
 
 	bList, err := ListMetadata(target)
 	if err != nil {
diff --git a/internal/inventory/inventory_test.go b/internal/inventory/inventory_test.go
index b1450f039..e35113fe5 100644
--- a/internal/inventory/inventory_test.go
+++ b/internal/inventory/inventory_test.go
@@ -24,6 +24,7 @@ import (
 	"github.com/fluxcd/pkg/ssa"
 	ssautil "github.com/fluxcd/pkg/ssa/utils"
 	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"github.com/fluxcd/cli-utils/pkg/object"
 )
@@ -60,11 +61,25 @@ func Test_Inventory(t *testing.T) {
 	})
 
 	t.Run("diff objects in inventory", func(t *testing.T) {
-		unList, err := Diff(inv2, inv1)
+		unList, err := Diff(inv2, inv1, nil)
 		g.Expect(err).ToNot(HaveOccurred())
 		g.Expect(len(unList)).To(BeIdenticalTo(1))
 		g.Expect(unList[0].GetName()).To(BeIdenticalTo("test2"))
 	})
+
+	t.Run("diff objects in inventory ignoring skipped", func(t *testing.T) {
+		skipped := object.ObjMetadata{
+			Name:      "test2",
+			Namespace: "test",
+			GroupKind: schema.GroupKind{
+				Group: "",
+				Kind:  "ConfigMap",
+			},
+		}
+		unList, err := Diff(inv2, inv1, map[object.ObjMetadata]struct{}{skipped: {}})
+		g.Expect(err).ToNot(HaveOccurred())
+		g.Expect(len(unList)).To(BeIdenticalTo(0))
+	})
 }
 
 func readManifest(manifest string) (*ssa.ChangeSet, error) {