
Handling Persistent Diffs from External Secrets in Argo CD

How to use ignoreDifferences to avoid unnecessary syncs for resources managed by external-secrets.io

When Argo CD manages Kubernetes resources that are also reconciled by External Secrets Operator, it often detects continuous diffs and performs unnecessary resyncs. This happens because External Secrets updates specific fields (e.g., metadata, status, or extracted secret keys) after Argo CD applies the manifest.

For example, ExternalSecret resources may show persistent differences like:

dataFrom:
  - extract:
      conversionStrategy: Default
      decodingStrategy: None
      key: /SERVICE/DASHBOARD-WEB
      metadataPolicy: None
refreshInterval: 120s
secretStoreRef:
  name: some-store

Argo CD repeatedly detects changes even when there are no functional differences in Git.

Root Cause

Argo CD’s ignoreDifferences setting only ignores specific fields within a resource, not an entire GroupVersionKind (GVK) or all resources of a type. If a field in the resource spec or metadata is continuously reconciled by the External Secrets controller, Argo CD considers it a drift unless explicitly ignored.

To prevent Argo CD from re-syncing continuously, configure ignoreDifferences at the application level to target the ExternalSecret resource fields that are known to change under external-secrets.io.

Rather than using managedFieldsManagers, which may be unreliable or version-dependent, it’s best to target specific JSON fields using jsonPointers.

Here’s an example:

spec:
  ignoreDifferences:
  - group: external-secrets.io
    kind: ExternalSecret
    jsonPointers:
      - /spec/dataFrom
      - /spec/data
      - /spec/refreshInterval

Explanation:

  • group: external-secrets.io — API group for the External Secrets CRD.

  • kind: ExternalSecret — type of resource managed by the operator.

  • jsonPointers: specific fields within the spec that External Secrets updates.

You can add more paths here depending on which fields are observed to cause constant drift in your environment.
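To decide which paths to list, it helps to see exactly where the live object differs from the Git manifest. The following is an added example, not code from Argo CD or External Secrets: it is a plain structural comparison (not Argo CD's own diff logic) over constructed sample manifests, and the helper names and the BROAD variable are illustrative.

```python
import copy

# Constructed sample: Git sets only the key; the live object also carries
# the three extra fields that appear in the article's sample diff.
GIT = {"spec": {"refreshInterval": "120s",
                "secretStoreRef": {"name": "some-store"},
                "dataFrom": [{"extract": {"key": "/SERVICE/DASHBOARD-WEB"}}]}}
LIVE = copy.deepcopy(GIT)
LIVE["spec"]["dataFrom"][0]["extract"].update(
    conversionStrategy="Default", decodingStrategy="None", metadataPolicy="None")
BROAD = ["/spec/dataFrom", "/spec/data", "/spec/refreshInterval"]  # from the article

def escape(token):
    # RFC 6901 escaping: "~" becomes "~0", "/" becomes "~1"
    return str(token).replace("~", "~0").replace("/", "~1")

def diff_pointers(desired, live, base=""):
    """Return JSON pointers of every value that differs (plain structural compare)."""
    if isinstance(desired, dict) and isinstance(live, dict):
        keys = sorted(set(desired) | set(live))
        pairs = [(k, k in desired and k in live) for k in keys]
    elif isinstance(desired, list) and isinstance(live, list):
        shared = min(len(desired), len(live))
        pairs = [(i, i < shared) for i in range(max(len(desired), len(live)))]
    else:
        return [] if desired == live else [base]
    out = []
    for key, in_both in pairs:
        ptr = f"{base}/{escape(key)}"
        out += diff_pointers(desired[key], live[key], ptr) if in_both else [ptr]
    return out

def covered(pointer, ignored):
    # Ignoring a pointer also ignores everything beneath it
    return any(pointer == p or pointer.startswith(p + "/") for p in ignored)

def report(desired, live, ignored):
    """Map each differing pointer to True if the ignore list hides it."""
    return {p: covered(p, ignored) for p in diff_pointers(desired, live)}

if __name__ == "__main__":
    for ptr, hidden in report(GIT, LIVE, BROAD).items():
        print(("ignored " if hidden else "REPORTED"), ptr)
```

Passing the reported pointers as the ignore list instead of /spec/dataFrom leaves a later change to the extract key visible as a diff, whereas the broader path hides it.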
