Problem
fleet-plan produces false positive diffs when comparing repo YAML against the Fleet API:
Config (default.yml)
Keys like agent_options.*, org_settings.sso_settings.*, and org_settings.certificate_authorities.* show as adds even though they exist in both the repo YAML and the live Fleet API. Root cause: getNestedValue fails to find the API value, returns "", and the comparison treats it as a new key.
Likely causes:
- agent_options lookup assumes apiConfig["agent_options"] exists as a nested map, but the /api/v1/fleet/config response may structure it differently
- org_settings maps to the API top level, but nested keys like sso_settings may not be directly accessible via dot-path traversal if the API nests them differently than expected
Software (fleet-maintained apps)
All fleet-maintained apps show as adds for every team. This is because the gitops API token returns 403 on /software/titles (see Known Limitations in README), so fleet-plan has no current-state software data to compare against. Every proposed software entry appears as "new."
This will be resolved upstream by fleetdm/fleet#38044.
apple_business_manager serialization
The API returns {"ios_team":"","ipados_team":"","macos_team":"Endpoints",...} while the YAML omits empty keys: {"macos_team":"Endpoints",...}. These are semantically equivalent but string comparison sees them as different.
Expected
- Config keys that match between repo and API should not appear in the diff
- Software section should be omitted entirely when the API returns 403 (rather than showing all proposed software as adds)
- Slice/map comparison should ignore empty/zero-value keys
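
One way to get the comparison described under "apple_business_manager serialization" and in the last expectation above, as an added example that is not fleet-plan's own code: prune empty entries from both sides, then compare structurally instead of by string. The names isEmpty, pruneEmpty and semanticEqual are hypothetical, and keeping false and 0 in the diff is an assumption made here so that an explicitly disabled setting is never hidden.

```go
package main

import (
	"fmt"
	"reflect"
)

// isEmpty reports nil, "", and empty maps/slices. false and 0 are NOT empty
// (assumption of this example): an explicit value must stay visible.
func isEmpty(v any) bool {
	if v == nil || v == "" {
		return true
	}
	rv := reflect.ValueOf(v)
	return (rv.Kind() == reflect.Map || rv.Kind() == reflect.Slice) && rv.Len() == 0
}

// pruneEmpty drops empty map entries recursively. Slice elements are pruned
// in place but never removed, because list order can be significant.
func pruneEmpty(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := map[string]any{}
		for k, val := range t {
			if p := pruneEmpty(val); !isEmpty(p) {
				out[k] = p
			}
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i := range t {
			out[i] = pruneEmpty(t[i])
		}
		return out
	}
	return v
}

// semanticEqual replaces string equality of the serialized values.
func semanticEqual(a, b any) bool {
	return reflect.DeepEqual(pruneEmpty(a), pruneEmpty(b))
}

func main() {
	// Constructed sample values modelled on the issue text.
	api := map[string]any{"ios_team": "", "ipados_team": "", "macos_team": "Endpoints"}
	repo := map[string]any{"macos_team": "Endpoints"}
	fmt.Println(semanticEqual(api, repo))
}
```

Both sides must be decoded to generic map[string]any / []any values first (for example via encoding/json and a YAML decoder) so that DeepEqual compares like with like.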