diff --git a/src/common/k8s.ts b/src/common/k8s.ts
index 5582447b59..185a83c7f1 100644
--- a/src/common/k8s.ts
+++ b/src/common/k8s.ts
@@ -4,6 +4,7 @@ import {
   CoreV1Api,
   CustomObjectsApi,
   KubeConfig,
+  NetworkingV1Api,
   PatchStrategy,
   setHeaderOptions,
   V1ResourceRequirements,
@@ -21,7 +22,7 @@ import { ARGOCD_APP_PARAMS, DEPLOYMENT_PASSWORDS_SECRET, DEPLOYMENT_STATUS_CONFI
 import { OtomiDebugger, terminal } from './debug'
 import { env } from './envalid'
 import { hfValues } from './hf'
-import { getParsedArgs, parser } from './yargs'
+import { parser } from './yargs'
 import { askYesNo } from './zx-enhance'
 
 export const secretId = `secret/otomi/${DEPLOYMENT_PASSWORDS_SECRET}`
@@ -31,6 +32,7 @@ let kc: KubeConfig
 let coreClient: CoreV1Api
 let appClient: AppsV1Api
 let batchClient: BatchV1Api
+let networkingClient: NetworkingV1Api
 let customClient: CustomObjectsApi
 export const k8s = {
   kc: (): KubeConfig => {
@@ -54,6 +56,11 @@ export const k8s = {
     batchClient = k8s.kc().makeApiClient(BatchV1Api)
     return batchClient
   },
+  networking: (): NetworkingV1Api => {
+    if (networkingClient) return networkingClient
+    networkingClient = k8s.kc().makeApiClient(NetworkingV1Api)
+    return networkingClient
+  },
   custom: (): CustomObjectsApi => {
     if (customClient) return customClient
     customClient = k8s.kc().makeApiClient(CustomObjectsApi)
diff --git a/src/common/runtime-upgrades/runtime-upgrades.ts b/src/common/runtime-upgrades/runtime-upgrades.ts
index a7895eedd0..236c7d6e8f 100644
--- a/src/common/runtime-upgrades/runtime-upgrades.ts
+++ b/src/common/runtime-upgrades/runtime-upgrades.ts
@@ -1,10 +1,9 @@
-import { logLevelString, OtomiDebugger } from '../debug'
+import { OtomiDebugger } from '../debug'
 import { applyServerSide, k8s, restartOtomiApiDeployment } from '../k8s'
 import { getParsedArgs } from '../yargs'
 import { detectAndRestartOutdatedIstioSidecars } from './restart-istio-sidecars'
 import { upgradeKnativeServing } from './upgrade-knative-serving-cr'
-import { hf, HF_DEFAULT_SYNC_ARGS } from '../hf'
-import { PatchStrategy, setHeaderOptions } from '@kubernetes/client-node'
+import { ApiException, PatchStrategy, setHeaderOptions } from '@kubernetes/client-node'
 
 export interface RuntimeUpgradeContext {
   debug: OtomiDebugger
@@ -98,22 +97,28 @@ export const runtimeUpgrades: RuntimeUpgrades = [
           )
         }),
       )
-    },
-    applications: {
-      'istio-system-oauth2-proxy-artifacts': {
-        post: async (context: RuntimeUpgradeContext) => {
-          // Perform one sync as ArgoCD does not perform diffs on annotations
-          const d = context.debug
-          await hf(
-            {
-              labelOpts: ['name=oauth2-proxy-artifacts'],
-              logLevel: logLevelString(),
-              args: [...HF_DEFAULT_SYNC_ARGS, '--take-ownership'],
+      // Perform manual patch as ArgoCD does not perform diffs on annotations
+      context.debug.info("Removing obsolete annotation from Ingress 'oauth2-proxy'")
+      try {
+        await k8s.networking().patchNamespacedIngress(
+          {
+            namespace: 'istio-system',
+            name: 'oauth2-proxy',
+            body: {
+              metadata: {
+                'nginx.ingress.kubernetes.io/configuration-snippet': null,
+              },
             },
-            { streams: { stdout: d.stream.log, stderr: d.stream.error } },
-          )
-        },
-      },
+          },
+          setHeaderOptions('Content-Type', PatchStrategy.StrategicMergePatch),
+        )
+      } catch (error) {
+        if (error instanceof ApiException && error.code === 404) {
+          context.debug.info("Ingress 'oauth2-proxy' not found, patch not required")
+        } else {
+          context.debug.error("Failed to patch ingress 'oauth2-proxy'", error)
+        }
+      }
     },
   },
 ]