From 4ec7c61757e4c78b03dd9ad3038fe3197b727ca7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 23:39:42 +1000 Subject: [PATCH] fix(gateways): add explicit group: "" to all certificateRefs entries The Gateway API admission server defaults certificateRefs[].group to "" when it is omitted. ArgoCD diffed the desired state (no group field) against the live state (group: "") and flagged every gateway as out of sync. Fix: explicitly set group: "" in all certificateRefs entries so the rendered manifest matches the API server's canonical form exactly. Affected: artifactapi, cattle-system, consul, litellm, paperclip, puppet (puppetboard + puppetdb), vault. --- apps/base/artifactapi/gateway.yaml | 3 ++- apps/base/cattle-system/gateway.yaml | 3 ++- apps/base/consul/gateway.yaml | 6 ++++-- apps/base/litellm/gateway.yaml | 3 ++- apps/base/paperclip/gateway.yaml | 3 ++- apps/base/puppet/gateway_puppetboard.yaml | 3 ++- apps/base/puppet/gateway_puppetdb.yaml | 3 ++- apps/base/vault/gateway.yaml | 6 ++++-- 8 files changed, 20 insertions(+), 10 deletions(-) diff --git a/apps/base/artifactapi/gateway.yaml b/apps/base/artifactapi/gateway.yaml index b0ea6ed..fae401c 100644 --- a/apps/base/artifactapi/gateway.yaml +++ b/apps/base/artifactapi/gateway.yaml @@ -31,6 +31,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: artifactapi-tls mode: Terminate diff --git a/apps/base/cattle-system/gateway.yaml b/apps/base/cattle-system/gateway.yaml index c81bfdf..134db9c 100644 --- a/apps/base/cattle-system/gateway.yaml +++ b/apps/base/cattle-system/gateway.yaml @@ -31,6 +31,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: rancher-tls mode: Terminate diff --git a/apps/base/consul/gateway.yaml b/apps/base/consul/gateway.yaml index 30d7e9f..8e3ff9c 100644 --- a/apps/base/consul/gateway.yaml +++ b/apps/base/consul/gateway.yaml @@ -35,7 +35,8 @@ spec: tls: mode: Terminate certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: consul-tls - name: consul-svc port: 443 @@ -47,5 +48,6 @@ spec: tls: mode: Terminate certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: consul-tls diff --git a/apps/base/litellm/gateway.yaml b/apps/base/litellm/gateway.yaml index 88d987a..1f68e97 100644 --- a/apps/base/litellm/gateway.yaml +++ b/apps/base/litellm/gateway.yaml @@ -31,6 +31,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: litellm-tls mode: Terminate diff --git a/apps/base/paperclip/gateway.yaml b/apps/base/paperclip/gateway.yaml index 5690450..a080642 100644 --- a/apps/base/paperclip/gateway.yaml +++ b/apps/base/paperclip/gateway.yaml @@ -31,6 +31,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: paperclip-tls mode: Terminate diff --git a/apps/base/puppet/gateway_puppetboard.yaml b/apps/base/puppet/gateway_puppetboard.yaml index 6b7d0a0..a1ecdc2 100644 --- a/apps/base/puppet/gateway_puppetboard.yaml +++ b/apps/base/puppet/gateway_puppetboard.yaml @@ -35,6 +35,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: puppetboard-tls mode: Terminate diff --git a/apps/base/puppet/gateway_puppetdb.yaml b/apps/base/puppet/gateway_puppetdb.yaml index d61ed86..56a4803 100644 --- a/apps/base/puppet/gateway_puppetdb.yaml +++ b/apps/base/puppet/gateway_puppetdb.yaml @@ -28,6 +28,7 @@ spec: protocol: HTTPS tls: certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: puppetdb-tls mode: Terminate diff --git a/apps/base/vault/gateway.yaml b/apps/base/vault/gateway.yaml index 7227dc7..2d9cbbf 100644 --- a/apps/base/vault/gateway.yaml +++ b/apps/base/vault/gateway.yaml @@ -35,7 +35,8 @@ spec: tls: mode: Terminate certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: vault-tls - name: vault-direct port: 8200 @@ -46,5 +47,6 @@ spec: tls: mode: Terminate certificateRefs: - - kind: Secret + - group: "" + kind: Secret name: vault-tls