I am trying to configure Bitnami SealedSecrets with ArgoCD and Kustomize.
I have managed to encrypt the secrets using the kubeseal CLI; these are already deployed on the Kubernetes cluster as SealedSecrets and can be unsealed by the Sealed Secrets controller running on the cluster. The unsealed Secrets contain the expected values. I have defined the secrets using Kustomize secret generators, as described in this tutorial: Sealing Secrets with Kustomize. This is also working fine, since ArgoCD recognizes that there should be Secrets generated.
However, ArgoCD expects the secrets to be empty, as they are defined as empty in the Secret Generator part of my kustomization.yaml for the application:
```yaml
secretGenerator:
  - name: secret1
    type: Opaque
  - name: secret2
    type: Opaque
  - name: secret3
    type: Opaque
  ...
```
Since ArgoCD expects the secrets to be empty, they are detected to be "out of sync" after the Sealed Secrets Controller unseals and decrypts the secrets:
Since ArgoCD thinks that the secrets should be empty, these are replaced by empty secrets. Then the Sealed Secrets Operator updates the Secrets once again and populates the data fields with the decrypted data - leading to an endless loop of ArgoCD synchronization.
The secrets are marked as managed by Bitnami Sealed Secrets using the `sealedsecrets.bitnami.com/managed: "true"` annotation, so they are being updated by the Sealed Secrets controller.
How could I change the manifest to make sure that the unsealed secrets are recognized as "in sync" and ArgoCD doesn't keep on syncing because of the "OutOfSync" status of the unsealed secrets? (This seems to be caused by the decrypted data in the unsealed secrets, as shown in the diff on the screenshot above.)
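One way to break the loop on the ArgoCD side, shown here as an added example that is not part of the question or of the Sealed Secrets tutorial: declare an `ignoreDifferences` rule so ArgoCD leaves the `data` field of Secrets out of the diff, and enable the `RespectIgnoreDifferences` sync option so that an automated sync does not reapply the empty Secret from the manifest on top of what the controller wrote. The application name, repository URL, path and namespace below are placeholders.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app                      # placeholder
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example/repo.git   # placeholder
    targetRevision: main
    path: deploy/overlays/prod                     # placeholder: directory holding kustomization.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: my-namespace                        # placeholder
  # Diff step: do not compare the data the Sealed Secrets controller writes
  # into the unsealed Secrets against the empty data in the generated manifest.
  ignoreDifferences:
    - kind: Secret
      jsonPointers:
        - /data
  syncPolicy:
    automated:
      prune: false
      selfHeal: true
    syncOptions:
      # Sync step: without this, ignoreDifferences only hides the diff; an
      # automated sync would still apply the empty Secret, wipe the data and
      # restart the loop once the controller repopulates it.
      - RespectIgnoreDifferences=true
```

The rule above applies to every Secret in the application; to scope it to the three generated Secrets, add a `name:` field to separate `ignoreDifferences` entries. A simpler alternative, if the only purpose of the empty generator entries is to make the Secret objects exist, is to drop them from the kustomization and commit only the SealedSecret resources: the controller creates the unsealed Secret itself when none exists, and ArgoCD then never manages the Secret objects at all, so there is nothing for it to diff.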