helm-secrets
ArgoCD detecting drift when applying SOPS encrypted secret
Current Behavior
When I apply a SOPS encrypted secret using ArgoCD, ArgoCD keeps thinking the resource is out of sync, and if auto-sync is enabled it keeps applying the same resource in a loop.
The secret is correctly applied, unencrypted, to the cluster, but ArgoCD is seemingly not decrypting the source when calculating the drift.
Expected Behavior
When I apply a SOPS encrypted secret using ArgoCD, I expect it to apply to the cluster unencrypted and stay "synced". When deciding if a resource needs updating, ArgoCD should decrypt the secret.
Steps To Reproduce
1. ArgoCD v1.11.7, v1.12.0
2. Apply a SOPS encrypted secret (in my setup I was using a GCP key with a workload identity to access)
3. Sync the manifest, verify the secret is applied using kubectl or the ArgoCD web UI
4. See that ArgoCD wants to apply the SOPS encryption fields
Environment
- Helm Secrets Version: 4.6.0
- ArgoCD Version: v1.11.7 and v1.12.0
Anything else?
Followed the guidelines in the repo to install plugins using an init container.
I'm hoping I've overlooked something. On a broader scale, I'm trying to rely on external charts as much as possible, and apply the secret manifest as part of the Argo "app of apps" so that I can pass a reference to the secrets to the external chart, without having to maintain a dedicated secrets repo.