How do I have ArgoCD/GitOps ignore a generated resource?

Using GitOps to configure LDAP for OAUTH is an excellent demonstration of the problem. You must create a secret to hold the LDAP bind password and a configmap to hold the LDAP CA (Certificate Authority) inside an ArgoCD application that has both selfHeal and prune set to true. Once the secret and configmap are applied to the cluster, the cluster generates the v4-0-config-user-idp-0-bind-password secret and the v4-0-config-user-idp-0-ca configmap from them. In the image below we can see the new configmap and secret that get dynamically created.

(Image: OAUTH, showing the dynamically created configmap and secret)

ArgoCD then detects that these new resources exist in the live cluster but not in git, so it prunes them. The cluster notices they are missing and dynamically re-creates them, ArgoCD prunes them again, and so on.

Simply setting selfHeal and prune to false stops the deletion cycle, but the application then constantly shows as out of sync.

The workaround is to add these resources to git with an empty spec (metadata only).

$> cat ignore-generated-sec-and-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: v4-0-config-user-idp-0-ca
  namespace: openshift-authentication
---
apiVersion: v1
kind: Secret
metadata:
  name: v4-0-config-user-idp-0-bind-password
  namespace: openshift-authentication
---
apiVersion: v1
kind: Secret
metadata:
  name: v4-0-config-user-idp-1-file-data
  namespace: openshift-authentication

This creates an empty stub for each of the generated resources. The next part is to modify the oauth Argo CD application with the SyncOption “RespectIgnoreDifferences=true” and define ignoreDifferences for the stubbed Secrets and ConfigMap, so that a sync neither reports their generated data as drift nor pushes the empty stubs over the live data.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: oauth
  namespace: openshift-gitops
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  destination:
    namespace: openshift-gitops
    server: 'https://kubernetes.default.svc'
  source:
    path: 'infrastructure-gitops-app/oauth'
    repoURL: https://gitea.pepe.looneybin.net/svc-ansible/sno-gitops.git
    targetRevision: main
    directory:
      recurse: true
  project: default
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
    - RespectIgnoreDifferences=true
    automated:
      prune: true
      selfHeal: true
  ignoreDifferences:
    # One entry per stubbed resource: the kind/name/namespace must match the
    # stubs in git (not Argo CD's own argocd-secret/argocd-cm objects), and
    # ignoring /data hides every key the cluster generates.
    - group: ''
      kind: Secret
      namespace: openshift-authentication
      name: v4-0-config-user-idp-0-bind-password
      jsonPointers:
        - /data
    - group: ''
      kind: Secret
      namespace: openshift-authentication
      name: v4-0-config-user-idp-1-file-data
      jsonPointers:
        - /data
    - group: ''
      kind: ConfigMap
      namespace: openshift-authentication
      name: v4-0-config-user-idp-0-ca
      jsonPointers:
        - /data
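As an added check, not part of the original post: a small lint that confirms every empty stub committed to git has an ignoreDifferences entry that matches it and ignores its whole /data payload, which is the condition for the stub to be neither pruned nor overwritten. The stubs and both rule sets are Python dicts constructed here from the manifests above, and the glob matching on group/kind/name/namespace mirrors Argo CD's documented ignoreDifferences semantics.

```python
"""Lint Argo CD ignoreDifferences rules against empty stub manifests: each
stub must be matched by a rule that ignores /data, or it will keep drifting."""
from fnmatch import fnmatch

# Constructed here from the stubs in ignore-generated-sec-and-cm.yaml.
NS = "openshift-authentication"
STUBS = [
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "v4-0-config-user-idp-0-ca", "namespace": NS}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "v4-0-config-user-idp-0-bind-password", "namespace": NS}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "v4-0-config-user-idp-1-file-data", "namespace": NS}},
]
# Rules that name Argo CD's own objects instead of the stubs: they cover nothing.
RULES_WRONG_TARGET = [
    {"group": "*", "kind": "Secret", "name": "argocd-secret", "jsonPointers": ["/data"]},
    {"group": "*", "kind": "ConfigMap", "name": "argocd-cm", "jsonPointers": ["/data/host"]},
]
# Rules that name each stub and ignore the whole generated /data payload.
RULES_FIXED = [
    {"group": "", "kind": s["kind"], "namespace": NS,
     "name": s["metadata"]["name"], "jsonPointers": ["/data"]} for s in STUBS
]

def _group(api_version):
    return api_version.split("/")[0] if "/" in api_version else ""  # "" = core group

def rule_matches(rule, obj):
    """Glob-match group/kind/name/namespace; an omitted rule field matches anything."""
    md = obj["metadata"]
    fields = [(_group(obj["apiVersion"]), rule.get("group", "*")),
              (obj["kind"], rule.get("kind", "*")),
              (md["name"], rule.get("name", "*")),
              (md.get("namespace", ""), rule.get("namespace", "*"))]
    return all(fnmatch(value, pattern) for value, pattern in fields)

def hides_data(rule):
    # Only /data (or the whole object) hides every generated key; /data/<key> hides one.
    return any(p in ("", "/data") for p in rule.get("jsonPointers", []))

def uncovered_stubs(stubs, rules):
    """Return (kind, name) for each stub that no rule both matches and hides /data for."""
    missing = []
    for obj in stubs:
        if obj.keys() - {"apiVersion", "kind", "metadata"}:
            raise ValueError(f"{obj['metadata']['name']} is not an empty stub")
        if not any(rule_matches(r, obj) and hides_data(r) for r in rules):
            missing.append((obj["kind"], obj["metadata"]["name"]))
    return missing
```

Run it against an Application's ignoreDifferences list before committing; an empty result means every stub is covered.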