[Bug] Can't get jqPathExpressions based ignoreDifferences to work with various WebhookConfigurations

[spkane]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

Setting this ignoreDifferences block applies fine, but doesn't do anything.

  ignoreDifferences:
  - kind: MutatingWebhookConfiguration
    name: istio-sidecar-injector
    jqPathExpressions:
    - '.webhooks[]?.clientConfig.caBundle'
  - kind: ValidatingWebhookConfiguration
    name: istiod-default-validator
    jqPathExpressions:
    - '.webhooks[]?.failurePolicy'

To Reproduce

Applying this ArgoCD application:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: tetrate-istio
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://github.com/aws-samples/eks-blueprints-add-ons
    path: add-ons/tetrate-istio
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: istio-system
  syncPolicy:
    automated:
      prune: true
    retry:
      limit: 1
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 1m
  ignoreDifferences:
  - group: apps
    kind: MutatingWebhookConfiguration
    name: istio-sidecar-injector
    jqPathExpressions:
    - '.webhooks[]?.clientConfig.caBundle'
  - group: apps
    kind: ValidatingWebhookConfiguration
    name: istiod-default-validator
    jqPathExpressions:
    - '.webhooks[]?.failurePolicy'

Should install istio and then you get two webhook configs which show diffs that aren't ignored.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: istiod-default-validator

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector

Expected behavior

I can ignore these expected diffs from the application manifest level.

Screenshots

Version

v2.3.3+07ac038

cc/ aws-samples/eks-blueprints-add-ons#37

[spkane]

I also have set this in the ArgoCD ConfigMap and it does not work either. ignoreAggregatedRoles works fine, but the admissionregistration.k8s.io/MutatingWebhookConfiguration section does not appear to do anything.

data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  resource.compareoptions: |
    ignoreAggregatedRoles: true
    admissionregistration.k8s.io/MutatingWebhookConfiguration:
      ignoreDifferences: |
        jqPathExpressions:
        - '.webhooks[]?.clientConfig.caBundle'

[zostay]

I had some difficulty with this as well. I suspect it came down to the namespace setting. I haven't dug into the code for argocd, but based on behavior, I'd guess that all/most fields in the spec have to be given. I was specifically struggling to find a way to ignore the failurePolicy field you mentioned. I found that this works:

  ignoreDifferences:                                                                                                                   
  - group: admissionregistration.k8s.io                                                                                                
    jqPathExpressions:                                                                                                                 
    - .webhooks[].failurePolicy                                                                                                        
    kind: ValidatingWebhookConfiguration                                                                                               
    name: istio-validator-istio-system   

I explicitly set namespace: "" when I edited the Application record, but I don't know if that was helpful or just a red herring. I don't really have time to dig further into it now. I hope that's helpful to someone.

[HenryXie1]

I use below to fix

ignoreDifferences:
    - group: admissionregistration.k8s.io
      kind: ValidatingWebhookConfiguration
      name: istiod-default-validator
      jsonPointers:
        - /webhooks/0/failurePolicy

[tyler-harpool]

To keep istio-sidecar-injector in sync here is what you would need.

  ignoreDifferences:
  - group: admissionregistration.k8s.io
    kind: MutatingWebhookConfiguration
    name: istio-sidecar-injector
    jqPathExpressions:
    - .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane")

[blakepettersson]

Seems like a duplicate of #9678?

[spkane]

Seems like a duplicate of #9678?

Well officially, this one came first, but if the problem is being worked on via the other issue that is good to hear.