From 6a2ade41a9ddead0a5ad324c66b7f3835c532da7 Mon Sep 17 00:00:00 2001
From: dvirlabs <dvirlabs@gmail.com>
Date: Sat, 21 Mar 2026 21:08:34 +0200
Subject: [PATCH] Fix cert-manager-stack ArgoCD sync issues

- Move retry policy under syncPolicy (correct placement)
- Add ignoreDifferences for CRD and webhook caBundle fields
- Add RespectIgnoreDifferences sync option
- Prevents false out-of-sync states caused by cert-manager controller modifications
---
 argocd-apps/cert-manager-stack.yaml | 30 ++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/argocd-apps/cert-manager-stack.yaml b/argocd-apps/cert-manager-stack.yaml
index 16269d1..43ab0e9 100644
--- a/argocd-apps/cert-manager-stack.yaml
+++ b/argocd-apps/cert-manager-stack.yaml
@@ -24,10 +24,26 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
-  # Retry policy for handling transient errors during sync
-  retry:
-    limit: 3
-    backoff:
-      duration: 5s
-      factor: 2
-      maxDuration: 3m
+      - RespectIgnoreDifferences=true
+    retry:
+      limit: 3
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  # Ignore differences in fields that are modified by controllers
+  ignoreDifferences:
+    # Ignore CRD conversion webhook changes
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jqPathExpressions:
+        - .spec.conversion.webhook.clientConfig.caBundle
+    # Ignore webhook caBundle updates by cert-manager
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[].clientConfig.caBundle
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[].clientConfig.caBundle