
plugin requires PATCH verb when using three way merge #465

Open
seboudry opened this issue Jun 5, 2023 · 4 comments

Comments

@seboudry

seboudry commented Jun 5, 2023

Hi!

We are using helm-diff plugin behind helmfile.

In our CD pipelines we need to use a "read only" service account to see changes.

When using three way merge, it seems that the PATCH verb is required on the role.

$ HELM_DIFF_THREE_WAY_MERGE=true helmfile diff
[...]

COMBINED OUTPUT:
  Enabled three way merge via the envvar
  Error: unable to generate manifests: cannot patch "my-release" with kind ServiceAccount: serviceaccounts "my-release" is forbidden: User "system:serviceaccount:my-namespace:readonly" cannot patch resource "serviceaccounts" in API group "" in the namespace "my-namespace"
  Error: plugin "diff" exited with error

Without HELM_DIFF_THREE_WAY_MERGE=true option no error occurs.

Unfortunately, we can't allow this SA to have patch permission.

Is there a way to bypass this or change the code to not require this permission?

Thanks

$ helm diff version
3.7.0
@bsgrigorov

What role do you use for helm diff? We need to do the same in our CI pipelines, such that no resources can be updated in PRs but only in merges to main.

@seboudry
Author

Hi @bsgrigorov, after some months...

We use something like this (custom CRD removed):

❯ kubectl describe clusterrole gitlab-readonly
Name:         gitlab-readonly
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                                         Non-Resource URLs  Resource Names  Verbs
  ---------                                         -----------------  --------------  -----
  events                                            []                 []              [create get list watch]
  configmaps                                        []                 []              [get list watch]
  pods                                              []                 []              [get list watch]
  secrets                                           []                 []              [get list watch]
  serviceaccounts                                   []                 []              [get list watch]
  services                                          []                 []              [get list watch]
  customresourcedefinitions.apiextensions.k8s.io    []                 []              [get list watch]
  deployments.apps                                  []                 []              [get list watch]
  replicasets.apps                                  []                 []              [get list watch]
  statefulsets.apps                                 []                 []              [get list watch]
  certificates.cert-manager.io                      []                 []              [get list watch]
  issuers.cert-manager.io                           []                 []              [get list watch]
  kongplugins.configuration.konghq.com              []                 []              [get list watch]
  deployments.extensions                            []                 []              [get list watch]
  replicasets.extensions                            []                 []              [get list watch]
  statefulsets.extensions                           []                 []              [get list watch]
  podmonitors.monitoring.coreos.com                 []                 []              [get list watch]
  servicemonitors.monitoring.coreos.com             []                 []              [get list watch]
  ingresses.networking.k8s.io                       []                 []              [get list watch]
  poddisruptionbudgets.policy                       []                 []              [get list watch]
  rolebindings.rbac.authorization.k8s.io            []                 []              [get list watch]
  roles.rbac.authorization.k8s.io                   []                 []              [get list watch]
  replicationcontrollers                            []                 []              [list watch]
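As an added example (not from this issue or the helm-diff project), here is a small Python audit for the two artifacts quoted in this thread: it parses the `kubectl describe clusterrole` PolicyRule table above and the RBAC "forbidden" line from the first post, then lists which resources the role cannot PATCH. The sample input is a constructed, abbreviated copy of the listing in this thread. The assumption that three-way merge needs `patch` on each rendered resource comes from the error in the first post; Kubernetes authorizes a server-side dry-run with the same verb as the real request, so a read-only role is rejected before the dry-run option is ever considered.

```python
"""Audit a read-only (Cluster)Role against the verbs a server-side PATCH
needs, using the `kubectl describe` table and RBAC error text formats.
Example code written for this thread; not part of helm-diff."""
import re

# Constructed sample: abbreviated copy of the role listing quoted above.
SAMPLE_DESCRIBE = """\
Name:         gitlab-readonly
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                                         Non-Resource URLs  Resource Names  Verbs
  ---------                                         -----------------  --------------  -----
  events                                            []                 []              [create get list watch]
  configmaps                                        []                 []              [get list watch]
  serviceaccounts                                   []                 []              [get list watch]
  deployments.apps                                  []                 []              [get list watch]
  replicationcontrollers                            []                 []              [list watch]
"""

# Constructed sample: the forbidden message from the first post in the thread.
SAMPLE_ERROR = (
    'Error: unable to generate manifests: cannot patch "my-release" with kind '
    'ServiceAccount: serviceaccounts "my-release" is forbidden: User '
    '"system:serviceaccount:my-namespace:readonly" cannot patch resource '
    '"serviceaccounts" in API group "" in the namespace "my-namespace"'
)

# One PolicyRule row: resource, [non-resource URLs], [resource names], [verbs].
# The header and '---' separator rows carry no brackets and so never match.
ROW_RE = re.compile(r"^\s+(\S+)\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")

# The RBAC denial line emitted by the API server.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

# Assumption from the thread: a three-way merge issues a server-side PATCH
# per rendered resource, and RBAC checks that verb even for a dry run.
THREE_WAY_MERGE_VERBS = ("get", "patch")


def parse_policy_rules(text):
    """Return {resource: set(verbs)} from `kubectl describe (cluster)role` output."""
    rules = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("PolicyRule:"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        resource, _urls, _names, verbs = m.groups()
        rules.setdefault(resource, set()).update(verbs.split())
    return rules


def missing_verbs(rules, required=THREE_WAY_MERGE_VERBS):
    """Map each resource to the sorted list of required verbs it lacks (only
    resources with at least one gap are included)."""
    gaps = {}
    for resource, verbs in rules.items():
        missing = sorted(set(required) - verbs)
        if missing:
            gaps[resource] = missing
    return gaps


def parse_forbidden(message):
    """Extract user, verb, resource, group and namespace from an RBAC
    'forbidden' message, or None if the text is not such a message."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None


def denial_matches_role(rules, message):
    """True when the denied verb is indeed absent from the role for the
    denied resource, i.e. the role listing explains the error."""
    denied = parse_forbidden(message)
    if denied is None or denied["resource"] not in rules:
        return False
    return denied["verb"] not in rules[denied["resource"]]


if __name__ == "__main__":
    role = parse_policy_rules(SAMPLE_DESCRIBE)
    for resource, missing in sorted(missing_verbs(role).items()):
        print(f"{resource}: missing {' '.join(missing)}")
    print("error explained by role:", denial_matches_role(role, SAMPLE_ERROR))
```

Run against a real cluster by piping `kubectl describe clusterrole <name>` into `parse_policy_rules`; the gap list tells you up front which resources a three-way-merge diff will fail on with that role, without granting anything.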

@kevinheins

I am running into this issue as well. Has anyone found a workaround?

@Jonomir

Jonomir commented Mar 24, 2024

Same problem. Don't really understand why write permissions are needed for three way merge.

Error seems to be coming from here: https://github.com/databus23/helm-diff/blob/master/cmd/upgrade.go#L439


4 participants