Reputation: 315
We are using argocd to deploy our application from a Helm chart in a git repo. Some of the services generate a random password or a self-signed certificate for TLS. When we push a new change to any folder in the repo, argocd shows the resource as out-of-sync, re-syncs it and regenerates the password and certificate. Of course this causes an issue for every service that tries to connect to the db.
Example: Kafka-bitnami helm chart with:
auth:
  interBrokerProtocol: tls
  controllerProtocol: tls
  clientProtocol: tls
  sasl:
    interBrokerMechanism: scram-sha-512
  tls:
    type: pem
    autoGenerated: true
And mongodb-bitnami helm chart with:
auth:
  enabled: true
This creates the password / certs when the chart is first deployed, but the issue is that it regenerates them on every push.
For the moment we solved the issue by disabling the automated syncPolicy, but this means that on every change we need to manually sync the selected services.
I am adding a screenshot of an argocd example showing the 'out of sync' it gets on the kafka certs.
Does anyone have an idea how we can solve this bug?
Upvotes: 3
Views: 3993
Reputation: 46
As @Zackorrigan said, put the ignoreDifferences block into your Argocd Application manifest, i.e.:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-name
spec:
  ignoreDifferences:
    - group: ''
      kind: 'Secret'
      name: secret-name
      jsonPointers:
        - /data
Upvotes: 3
Reputation: 300
As @GaëlJ said, you have to put an ignoreDifference on the secret data to avoid the secret comparison. You want to ignore only the data field, as the rest of the secret might change (for example, the addition of an annotation).
For example like this:
ignoreDifferences:
  - group: ''
    kind: 'Secret'
    name: secret-name
    jsonPointers:
      - /data
Upvotes: 0
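A simplified model of the comparison that the ignoreDifferences entries in the answers above configure, added here as an example (it is not Argo CD's code and not from either poster). It assumes a constructed `render_secret` helper standing in for a chart that generates a fresh random password on every render, and shows that ignoring only `/data` hides the regenerated value while an annotation change is still reported as drift.

```python
import base64, copy, secrets

# Same shape as the ignoreDifferences entries in the answers above.
IGNORE_RULES = [{"group": "", "kind": "Secret", "name": "secret-name",
                 "jsonPointers": ["/data"]}]

def render_secret(annotations=None):
    """Constructed stand-in for a chart that makes a new random password per render."""
    pw = base64.b64encode(secrets.token_bytes(16)).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "secret-name", "annotations": annotations or {}},
            "data": {"password": pw}}

def remove_pointer(doc, pointer):
    """Delete the value addressed by an RFC 6901 JSON pointer, if it exists."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]
    if not tokens:
        return
    node = doc
    for tok in tokens[:-1]:
        if isinstance(node, dict) and tok in node:
            node = node[tok]
        elif isinstance(node, list) and tok.isdigit() and int(tok) < len(node):
            node = node[int(tok)]
        else:
            return  # path not present, nothing to ignore
    last = tokens[-1]
    if isinstance(node, dict):
        node.pop(last, None)
    elif isinstance(node, list) and last.isdigit() and int(last) < len(node):
        del node[int(last)]

def matches(rule, obj):
    """A rule applies when group, kind and (optional) name all match the object."""
    group = obj["apiVersion"].rpartition("/")[0]  # "v1" -> "", "apps/v1" -> "apps"
    return (rule["group"] == group and rule["kind"] == obj["kind"]
            and rule.get("name") in (None, obj["metadata"]["name"]))

def normalize(obj, rules):
    """Copy the object and strip every ignored path before comparing."""
    out = copy.deepcopy(obj)
    for rule in rules:
        if matches(rule, out):
            for pointer in rule["jsonPointers"]:
                remove_pointer(out, pointer)
    return out

def in_sync(desired, live, rules):
    return normalize(desired, rules) == normalize(live, rules)
```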