argocd app shows 'degraded' though the key unsealed sucessfully and sealed secret health status shows wrong

[sandeepk8s]

Controller version - v0.17.1

I just deployed argocd and declared the argocd creds using sealed secrets - secrets got unsealed successfully and everything's working fine BUT the argocd app health shows as DEGRADED as it failed first few times App health status still shows the previous error while the live state is good

https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories

Expected behavior
App status should be healthy and sealed secret health status should show the correct message 'unsealed sealed secret successfully'

Version of Kubernetes:

v1.21
Actual behavior:

Output:

sealed secrets got decrypted and argocd is working fine. Only problem is the app status shows degraded and sealed secrets health status shows wrong

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions]

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

[Yeicor]

This issue is still relevant: if the secret fails to decrypt at least once (i.e. the master key is not uploaded yet), the status.conditions is not updated when the secret is correctly decrypted.

This can cause the whole Argo CD deployment to get stuck because the sealed secrets are not detected as healthy.

Searching through at the code, it looks like this condition is the reason the status is not updated:

sealed-secrets/pkg/controller/controller.go

Lines 356 to 360 in 58b8864

	// No need to update the status if we already have observed it from the
	// current generation of the resource.
	if ssecret.Status.ObservedGeneration == ssecret.ObjectMeta.Generation {
	return nil
	}

Is this condition required for some reason or can it be removed to fix this issue? I guess it is also possible to bump the generation when a secret is successfully decrypted.

[stand-sure]

commenting as the issue still exists

a major concern with an app being stuck in degraded even though it succeeded is that it conditions users to stop checking why the app shows as degraded, which could cause a real issue to be missed

[zatricky]

@agarcia-oss can this issue be re-opened?

[DreamingRaven]

can confirm I am also having the very same issue. My secrets are decrypting, but argocd is still reporting a degraded sealed secret.

[lhbarry]

Same issue here, and very interested in a resolution

[jgracindexcom]

Same issue.

[bernardab0806]

Also having the same issue.