nelm icon indicating copy to clipboard operation
nelm copied to clipboard
verified publisher icon werf

Hide `release plan` diffs for chosen fields

Open maxout123 opened this issue 9 months ago • 8 comments

Before proceeding

  • [x] I didn't find a similar issue

Problem

Need a way to ignore some changes in "nelm release plan install" diff. Helm has --suppress-output-line-regex flag for that. It would be perfect if resource will be completely hidden from diff when it only differs by lines suppressed by this option.

Solution (if you have one)

No response

Additional information

No response

maxout123 avatar Apr 11 '25 07:04 maxout123

Can be solved with annotation like werf.io/no-diff-paths: $.spec.template.spec.containers[*].env[*].value, which will allow to hide some fields of the resources, or resources as a whole, from release plan diff output.

ilya-lesikov avatar Jul 11 '25 20:07 ilya-lesikov

This is a long-awaited feature. Would really appreciate the implementation! @ilya-lesikov variant looks good.

vizh avatar Sep 18 '25 15:09 vizh

We've recently added werf.io/sensitive-paths, which is probably exactly what you need. I guess I can close this issue.

ilya-lesikov avatar Sep 18 '25 16:09 ilya-lesikov

The werf.io/sensitive-paths label is for masking sensitive data without being able to see that it was changed. A very useful feature, we use it, but for other scenarios.

I would really like to hide from the release plan report usual changes that occur with every project deployment. For example, if only $.spec.template.spec.containers[*].image changed in the plan, then hide these changes and not display them in diff.

This would make it more visible when unusual changes occur, allowing for faster plan reviews and more focused analysis.

vizh avatar Sep 19 '25 08:09 vizh

Sure, +1 for previous post, we need to completely hide some changes as if they doesn't exist at all. Here is how helm diff does it:

test, web-app, ExternalSecret (external-secrets.io) has changed:

Just one line about a change, with empty content part.

And here is nelm:

┌ Update ExternalSecret/web-app
│   kind: ExternalSecret
│   metadata:
│     annotations:
│ -     force-sync: SENSITIVE (19 bytes, aa42432d7a8d)
│ +     force-sync: SENSITIVE (19 bytes, 0743801c1b95)
│     labels:
│       app: web-app
│       app.kubernetes.io/instance: preprod
└ Update ExternalSecret/web-app

The task initially was to hide all of these lines.

maxout123 avatar Sep 19 '25 09:09 maxout123

It may be acceptable like:

┌ Update ExternalSecret/web-app
│ <hidden insignificant changes>
└ Update ExternalSecret/web-app

but definitely not as werf.io/sensitive-paths annotation does

maxout123 avatar Sep 19 '25 09:09 maxout123

Alright, reopening.

ilya-lesikov avatar Sep 19 '25 12:09 ilya-lesikov

From the technical standpoint we just need to hide matching paths from both objects before we diff them. It will then automatically produce a diff like this if no other changes:

┌ Update ExternalSecret/web-app
│ <hidden insignificant changes>
└ Update ExternalSecret/web-app

Basically we already do this for werf.io and most helm.sh annotations, it's just hardcoded.

ilya-lesikov avatar Sep 19 '25 12:09 ilya-lesikov