Description
Describe the bug
We have deployed a Certificate resource which is a cert-manager CRD via:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/certificates/resources/wildcard.bert.local-tls.certificate.cert-manager.yaml
with the following patch which gets updated when we want to add a new namespace to the certificate:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/certificates/patches/wildcard.bert.local-tls.certificate.cert-manager.reflector.namespaces.yaml
This has been deployed by ArgoCD as an Application via an ApplicationSet defined here:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/system.applicationset.yaml
There is an OutOfSync status with a diff showing between the "live" and the "desired" manifest in ArgoCD
Expected Behaviour
There should be no OutOfSync error.
Current Behaviour
live | desired | diff
107  | 107     | - bert.local
108  |         | duration: 8760h0m0s
     | 108     | duration: 8760h
     | 109     | isCA: false
109  | 110     | issuerRef:
110  | 111     | group: cert-manager.io
116  | 117     | rotationPolicy: Always
117  | 118     | size: 384
118  |         | renewBefore: 720h0m0s
     | 119     | renewBefore: 720h
119  | 120     | secretName: wildcard.bert.local-tls
120  | 121     | secretTemplate:
It is not clear why isCA disappears from the live manifest.
Possible Solutions
- Get ArgoCD to ignore the difference:
https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/
- Change manifest deployment to add minutes and seconds to renewBefore.
- Investigate why isCA does not appear in live manifest.
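A pre-commit check for the second option, as an added example that is not part of the original issue or the linked repository. It assumes the live values are the form Go's `time.Duration` prints (which matches the `8760h0m0s` in the diff) and that a `false` boolean is omitted from the live object; `canonicalDuration` and `driftingFields` are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// canonicalDuration returns the string Go's time.Duration prints for s,
// e.g. "8760h" becomes "8760h0m0s".
func canonicalDuration(s string) (string, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return "", err
	}
	return d.String(), nil
}

// driftingFields lists Certificate spec keys whose desired value would differ
// from the live value under the assumptions stated in the lead-in.
func driftingFields(spec map[string]any) []string {
	var out []string
	for key, val := range spec {
		switch v := val.(type) {
		case string:
			if key != "duration" && key != "renewBefore" {
				continue // only the two duration fields from the diff are checked
			}
			c, err := canonicalDuration(v)
			if err != nil {
				out = append(out, fmt.Sprintf("%s: %q is not a Go duration", key, v))
			} else if c != v {
				out = append(out, fmt.Sprintf("%s: %q -> %q", key, v, c))
			}
		case bool:
			// Assumption: a false boolean is dropped from the live object.
			if !v {
				out = append(out, fmt.Sprintf("%s: false -> (omitted)", key))
			}
		}
	}
	sort.Strings(out) // map iteration order is random; sort for stable output
	return out
}

func main() {
	// Constructed sample: values taken from the "desired" column of the diff.
	desired := map[string]any{"duration": "8760h", "renewBefore": "720h",
		"isCA": false, "secretName": "wildcard.bert.local-tls"}
	for _, line := range driftingFields(desired) {
		fmt.Println(line)
	}
}
```

Writing the manifest in the reported form keeps ArgoCD comparing every field, whereas an ignore rule covering `isCA` would also stop ArgoCD from reporting a live change to that field.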