[ArgoCD] ArgoCD and secrets

[dginther]

Description

ArgoCD thinks that some services which update their own secrets are out of sync.

• Kubernetes Dashboard
• Pomerium

Background/context

Because these services modify their own secret values, ArgoCD sees them as out of sync with what is in the manifests repo. Taylor tried to add an annotation to ignore changes to this item but it doesn't seem to be working.

There is a way to ignore specific changes in an ArgoCD Application Resource (kind: Application) of which there is an example here: https://github.com/DoubleGin/infrastructure/blob/master/k8s/argocd/applications/application-istio.yaml

The difficulty level here is that our Application Resources are defined in Jsonnet, which may complicate adding this to the spec. https://github.com/department-of-veterans-affairs/vsp-infra-application-manifests/blob/main/jsonnet/lib/argocd-application.libsonnet

---

Tasks

• [x] Investigate the annotations required for this and see if it is a viable solution (DOES NOT WORK)
• [ ] Add the ignoreDifferences clause to the Application Jsonnet

Acceptance Criteria

• [ ] Any applications which show as 'out of sync' in ArgoCD because they modify their own secrets no longer show as out of sync

---

Reminders

• [ ] Please connect to an epic (this will typically be done by the Platform Operations PM or TL)

[jbritt1]

Could this perhaps also be solved if we went the route of version pinning secrets in application manifests for department-of-veterans-affairs/va.gov-team#29036?