We are using Argo CD to deploy our application from a Helm chart in a Git repo. Some of the services generate a random password or a self-signed certificate for TLS. When we push a new change to any folder in the repo, Argo CD shows the resource as out-of-sync, re-syncs it and regenerates the password and certificate. Of course this causes an issue for every service that tries to connect to the DB.
Example: Kafka-bitnami helm chart with:
    auth:
      interBrokerProtocol: tls
      controllerProtocol: tls
      clientProtocol: tls
      sasl:
        interBrokerMechanism: scram-sha-512
      tls:
        type: pem
        autoGenerated: true
And mongodb-bitnami helm chart with:
    auth:
      enabled: true
This creates the password / certs when the chart is first deployed, but the issue is that it regenerates them on every push.
For the moment we have solved the issue by disabling the automated syncPolicy, but this means that on every change we need to manually sync the selected services.
I am adding a screenshot of an Argo CD example showing the 'out of sync' status it gets on the Kafka certs.
As @Zackorrigan said, put the ignoreDifferences block into your Argo CD Application manifest, i.e.:
    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: app-name
    spec:
      ignoreDifferences:
        - group: ''
          kind: 'Secret'
          name: secret-name
          jsonPointers:
            - /data
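
An added example, not part of the original answer: a full Application manifest that keeps automated sync enabled and pairs `ignoreDifferences` with the `RespectIgnoreDifferences=true` sync option (Argo CD 2.3 and later), so the ignored Secret data is also left alone when a sync runs. The `repoURL`, `path`, namespaces and `project` are placeholders; `app-name` and `secret-name` are carried over from the answer.

```yaml
# Added example; repoURL, path, namespaces and project are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-name
  namespace: argocd                      # placeholder: namespace where Argo CD runs
spec:
  project: default                       # placeholder
  source:
    repoURL: https://git.example.com/org/deployments.git   # placeholder
    targetRevision: HEAD
    path: charts/kafka                   # placeholder
  destination:
    server: https://kubernetes.default.svc
    namespace: kafka                     # placeholder
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      # ignoreDifferences on its own only changes the diff and sync status.
      # A sync triggered by any other resource would still apply the freshly
      # rendered Secret. This option makes the sync keep the live values of
      # the ignored fields.
      - RespectIgnoreDifferences=true
  ignoreDifferences:
    - group: ''
      kind: Secret
      name: secret-name                  # the auto-generated password / TLS Secret
      jsonPointers:
        - /data
```

On the first sync the Secret does not exist yet, so it is created with the rendered values; later syncs leave the live `/data` untouched.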