CrestHelm 0.3: drift detection and policy bundles
2026-04-17 · Dana Kimura
CrestHelm 0.3 adds live cluster drift detection — you can now see in real time how a deployed release diverges from the chart it was installed from.
Drift detection
The cresthelm diff command takes a release name and a chart directory and computes the diff between the live cluster state and what a fresh helm template would produce. Fields managed by controllers (like status blocks and some annotations) are excluded from the diff by default via a configurable ignore list.
The output format is the same unified diff you'd get from git diff, which makes it easy to pipe into review tooling or paste into a PR comment.
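The comparison described above, as an added sketch that is not CrestHelm's own code: it strips controller-managed fields from both sides, then emits a unified diff of what remains. The ignore-list format (tuples of keys), the sample manifests and the use of JSON instead of YAML to stay in the standard library are all assumptions.

```python
import copy
import difflib
import json

# Assumed ignore list: key paths to controller-managed fields (format is hypothetical).
IGNORE = [
    ("status",),
    ("metadata", "resourceVersion"),
    ("metadata", "annotations", "deployment.kubernetes.io/revision"),
]

def _remove(node, path):
    """Delete path from node and drop parents the deletion leaves empty."""
    if not isinstance(node, dict) or path[0] not in node:
        return
    if len(path) == 1:
        del node[path[0]]
        return
    _remove(node[path[0]], path[1:])
    if node[path[0]] == {}:  # avoid reporting an emptied parent as drift
        del node[path[0]]

def strip_ignored(manifest, ignore=IGNORE):
    out = copy.deepcopy(manifest)
    for path in ignore:
        _remove(out, path)
    return out

def drift(rendered, live, name="web"):
    """Unified diff of rendered chart vs. live object, ignored fields removed."""
    def text(m):
        return json.dumps(strip_ignored(m), indent=2, sort_keys=True).splitlines()
    return list(difflib.unified_diff(text(rendered), text(live),
                                     f"chart/{name}", f"live/{name}", lineterm=""))

# Constructed sample: the object the chart renders to.
RENDERED = {"kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"containers": [{"name": "web",
                                     "image": "registry.example/web:1.4.2",
                                     "securityContext": {"runAsNonRoot": True}}]}}
# Constructed sample: the live object, with controller noise plus one manual edit.
LIVE = copy.deepcopy(RENDERED)
LIVE["status"] = {"readyReplicas": 2}
LIVE["metadata"]["resourceVersion"] = "48213"
LIVE["metadata"]["annotations"] = {"deployment.kubernetes.io/revision": "7"}
LIVE["spec"]["containers"][0]["securityContext"]["runAsNonRoot"] = False

if __name__ == "__main__":
    print("\n".join(drift(RENDERED, LIVE)))
```

Only the `runAsNonRoot` change appears in the output; the status block, resource version and revision annotation are filtered out before the comparison.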
Policy bundles
OPA policy bundles are now loaded from a directory, not a single file. This makes it practical to maintain a shared policy library in a separate repository and pull it in as a submodule. Policies can declare dependencies on other policies using Rego's built-in import mechanism.
The repository includes a starter bundle with policies for resource limits, security context, and disallowed image tags.