Fix cert-manager-stack ArgoCD sync issues

- Move retry policy under syncPolicy (correct placement)
- Add ignoreDifferences for CRD and webhook caBundle fields
- Add RespectIgnoreDifferences sync option
- Prevents false out-of-sync states caused by cert-manager controller modifications

argocd-apps/cert-manager-stack.yaml

@@ -24,10 +24,26 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
-  # Retry policy for handling transient errors during sync
+      - RespectIgnoreDifferences=true
     retry:
       limit: 3
       backoff:
         duration: 5s
         factor: 2
         maxDuration: 3m
+  # Ignore differences in fields that are modified by controllers
+  ignoreDifferences:
+    # Ignore CRD conversion webhook changes
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jqPathExpressions:
+        - .spec.conversion.webhook.clientConfig.caBundle
+    # Ignore webhook caBundle updates by cert-manager
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[].clientConfig.caBundle
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[].clientConfig.caBundle