hashicorp / terraform-provider-helm

Terraform Helm provider
https://www.terraform.io/docs/providers/helm/
Mozilla Public License 2.0

helm_release does not track drift in digest for OCI charts #1307

Open apjoseph opened 11 months ago

apjoseph commented 11 months ago

helm_release and helm_template should be tracking the digest for OCI charts, but it appears that the SHA hash is completely ignored. This means that there is no way to update to the latest version of a development chart with a static development tag like v0.0.0-latest.

Even after using terraform state rm <helm_template_data_source>, the provider fails to check if the digest for a given tag has changed.

Example

data "helm_template" "envoy_gateway" {
  chart            = "oci://registry-1.docker.io/envoyproxy/gateway-helm"
  name             = "gateway-helm"
  version          = "v0.0.0-latest"
  devel            = true
  create_namespace = false
  namespace        = kubernetes_namespace_v1.envoy_gateway.metadata[0].name
  skip_crds        = false
  include_crds     = true
  values           = local.envoy_gateway_helm_values
}

Terraform, Provider, Kubernetes and Helm Versions

Terraform v1.6.6-dev
on linux_amd64
+ provider registry.terraform.io/alekc/kubectl v2.0.4
+ provider registry.terraform.io/hashicorp/helm v2.12.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.24.0

Affected Resource(s)

Affected Data Sources

apjoseph commented 11 months ago

Helm itself inexplicably also does not track the digest. However, regardless of Helm's deficiencies, two different SHAs mean two different manifests. That is drift regardless of whether Helm acknowledges it or not, and it needs to be tracked by the provider.

See: helm/helm#10678, helm/helm#10799, helm/helm#12647
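
The digest comparison this issue asks for, as an added example (not code from the provider, from Helm, or from the issue author): the digest of the manifest a tag resolves to is recorded, then compared on the next run. `Resolver`, `SplitChartRef`, `CheckDrift` and the manifest bytes are hypothetical names and constructed data; a real resolver would fetch the manifest from the registry.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Resolver returns the manifest bytes a registry serves for repo:tag (hypothetical hook).
type Resolver func(repo, tag string) ([]byte, error)

// ManifestDigest is the OCI content digest: SHA-256 over the raw manifest bytes.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SplitChartRef maps the chart/version arguments to an OCI repository and tag.
func SplitChartRef(chart, version string) (string, string, error) {
	if !strings.HasPrefix(chart, "oci://") || version == "" {
		return "", "", fmt.Errorf("need an oci:// chart and a version, got %q %q", chart, version)
	}
	// Helm writes "+" in a version as "_" in the tag, since OCI tags cannot contain "+".
	return strings.TrimPrefix(chart, "oci://"), strings.ReplaceAll(version, "+", "_"), nil
}

// CheckDrift reports drift when the tag resolves to a digest other than the recorded one.
func CheckDrift(recorded, chart, version string, resolve Resolver) (bool, string, error) {
	repo, tag, err := SplitChartRef(chart, version)
	if err != nil {
		return false, "", err
	}
	manifest, err := resolve(repo, tag)
	if err != nil {
		return false, "", err
	}
	current := ManifestDigest(manifest)
	return recorded != "" && recorded != current, current, nil // empty recorded = first run
}

func main() {
	chart, version := "oci://registry-1.docker.io/envoyproxy/gateway-helm", "v0.0.0-latest"
	served := []byte(`{"constructed":"push-1"}`) // constructed manifest, not real registry data
	resolve := func(repo, tag string) ([]byte, error) { return served, nil }
	_, first, _ := CheckDrift("", chart, version, resolve)
	served = []byte(`{"constructed":"push-2"}`) // same tag, new content
	drifted, now, _ := CheckDrift(first, chart, version, resolve)
	fmt.Println(drifted, first, now)
}
```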