From 0c52e6f35a159a4693a561b639cc05cdd24801f2 Mon Sep 17 00:00:00 2001
From: Felix Matouschek <fmatouschek@redhat.com>
Date: Tue, 15 Jul 2025 18:10:26 +0200
Subject: [PATCH] fix(k8s,service): Hide fields first before creating diffs
 (#915)

SUMMARY

By hiding fields first before creating a diff hidden fields will not be shown in the resulting diffs and therefore will also not trigger the changed condition.
The issue can only be reproduced when a mutating webhook changes the object while the kubernetes.core.k8s module is working with it.

kubevirt/kubevirt.core#145
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

kubernetes.core.module_utils.k8s.service
ADDITIONAL INFORMATION

Run kubernetes.core.k8s and create object with hidden fields. After run kubernetes.core.k8s again and let a webhook mutate the object that the module is working with. The module should return with changed: no.

Reviewed-by: Bikouo Aubin
Reviewed-by: Mike Graves <mgraves@redhat.com>
(cherry picked from commit 6a0635a2bb4d467944e511f470491c798edde647)
---
 .../fragments/20250428-k8s-service-hide-fields-first.yaml  | 3 +++
 plugins/module_utils/k8s/service.py                        | 7 ++-----
 tests/integration/targets/k8s_hide_fields/tasks/main.yml   | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml

diff --git a/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml b/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
new file mode 100644
index 0000000000..4d1bc20060
--- /dev/null
+++ b/changelogs/fragments/20250428-k8s-service-hide-fields-first.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - module_utils/k8s/service - hide fields first before creating diffs (https://github.com/ansible-collections/kubernetes.core/pull/915).
diff --git a/plugins/module_utils/k8s/service.py b/plugins/module_utils/k8s/service.py
index abfa59e3cc..087fc2d71e 100644
--- a/plugins/module_utils/k8s/service.py
+++ b/plugins/module_utils/k8s/service.py
@@ -498,8 +498,8 @@ def diff_objects(
     if not diff:
         return True, result
 
-    result["before"] = diff[0]
-    result["after"] = diff[1]
+    result["before"] = hide_fields(diff[0], hidden_fields)
+    result["after"] = hide_fields(diff[1], hidden_fields)
 
     if list(result["after"].keys()) == ["metadata"] and list(
         result["before"].keys()
@@ -512,9 +512,6 @@ def diff_objects(
         ).issubset(ignored_keys):
             return True, result
 
-    result["before"] = hide_fields(result["before"], hidden_fields)
-    result["after"] = hide_fields(result["after"], hidden_fields)
-
     return False, result
 
 
diff --git a/tests/integration/targets/k8s_hide_fields/tasks/main.yml b/tests/integration/targets/k8s_hide_fields/tasks/main.yml
index f54fe9eb6a..746384e983 100644
--- a/tests/integration/targets/k8s_hide_fields/tasks/main.yml
+++ b/tests/integration/targets/k8s_hide_fields/tasks/main.yml
@@ -58,7 +58,7 @@
           - "'managedFields' not in hf4.resources[0]['metadata']"
 
 
-    - name: Hiding a changed field should still result in a change
+    - name: Hiding a changed field should not result in a change
       k8s:
         definition: "{{ hide_fields_base_configmap | combine({'data':{'hello':'different'}}) }}"
         hidden_fields:
@@ -67,10 +67,10 @@
       register: hf5
       diff: true
 
-    - name: Ensure that hidden changed field changed
+    - name: Ensure that hidden changed field not changed
       assert:
         that:
-          - hf5.changed
+          - not hf5.changed
 
     - name: Apply works with hidden fields
       k8s: