From 7d2e0dfa0fbd7a822fdb63e14e359960b8d37791 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 24 May 2026 00:07:02 +1000
Subject: [PATCH] fix(kanidm): prevent ArgoCD from overwriting repl-cert ConfigMap data Remove the data keys from kanidm-repl-certs in git so ArgoCD never takes SSA ownership of them. Add ignoreDifferences for /data on that ConfigMap in the ApplicationSet template so ArgoCD doesn't flag sidecar-patched cert values as out-of-sync.
---
 apps/base/kanidm/configmap.yaml | 5 +----
 argocd/applicationsets/platform.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/apps/base/kanidm/configmap.yaml b/apps/base/kanidm/configmap.yaml
index bd68434..d74ed18 100644
--- a/apps/base/kanidm/configmap.yaml
+++ b/apps/base/kanidm/configmap.yaml
@@ -37,7 +37,4 @@ metadata:
 labels:
 app.kubernetes.io/name: kanidm
 app.kubernetes.io/instance: kanidm
-data:
- kanidm-0: ""
- kanidm-1: ""
- kanidm-2: ""
+data: {}
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 8974f77..9b538c9 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -44,6 +44,12 @@ spec:
 destination:
 server: https://kubernetes.default.svc
 namespace: '{{path[3]}}' # Use directory name as namespace
+ ignoreDifferences:
+ - group: ""
+ kind: ConfigMap
+ name: kanidm-repl-certs
+ jsonPointers:
+ - /data
 syncPolicy:
 automated:
 prune: true
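Review bot: The new `data: {}` line in apps/base/kanidm/configmap.yaml carries no explanation, so a later cleanup could re-add the `kanidm-N` keys and hand ownership of them back to Argo CD. A comment directly above it would guard against that, for example `# Intentionally empty: keys are written at runtime by the replication sidecar; do not add keys here.` That wording rests only on the commit message, which describes the values as sidecar-patched. The ConfigMap definition starts outside the hunk.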
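Review bot: Ignoring all of `/data` on `kanidm-repl-certs` means Argo CD no longer reports any change to the replication certificate entries, including one not made by the sidecar. Because the rule sits in the ApplicationSet template with no `namespace:`, it also applies to a ConfigMap of that name in every generated Application. Consider narrowing the entry by replacing the `jsonPointers` list with a `managedFieldsManagers` list that names only the sidecar's field manager (not visible here, so use the real name in place of `<sidecar-field-manager>`), and adding `namespace:` to it. Separately, `ignoreDifferences` by default affects only the diff and not what a sync applies, so if automated syncs must never touch these keys, confirm that `syncOptions` contains `RespectIgnoreDifferences=true`. The `syncPolicy` block continues outside the hunk, so that option may already be set.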