[BUG] HELM chart renders

[noltedennis]

Describe the bug

We deploy image-mapper via ArgoCD. Typically, when lookup is used inside of HELM charts, we set an ignoreDifferences and the application is shown as healthy. Here, a lookup is used as well. The variable filled by this lookup, however, is used in the secret and the mutatingwebhookconfiguration.

If we were to enter either usage into ArgoCD's ignoreDifferences configuration, then the application would still show as healthy. But this can lead to just one of the two resources being synced. This leads to admission failures and creates image pull errors within the cluster.

We'd like to see an improvement to the CA & TLS generation to avoid this edge case, as it can have severe consequences on production clusters.

Tested with Version

HELM v0.4.54

To Reproduce

Steps to reproduce the behavior:

1. Deploy HELM chart via ArgoCD
2. Introduce ignoreDifferences to ignore the caBundle changes in the secret and mutatingwebhookconfiguration
3. Rollout a change that only affects the mutatingwebhookconfiguration
4. Observe that image pulls no longer work due to TLS failures

Expected behavior

The mutatingwebhook should somehow source the caBundle from the secret to avoid this edge case.

Screenshots

ArgoCD continuously shows the application to be out of sync due to the HELM lookup usage.

Additional context

N/A

[cbarbian-sap]

Not sure if I understand it right.

Unfortunately, we cannot reproduce since we have no argocd.

Regarding

The mutatingwebhook should somehow source the caBundle from the secret to avoid this edge case.

That is actually exactly what the helm chart is doing: it looks up the existing secret, renders the secret and the MutatingWebhookConfiguration in an identical way. See

https://github.com/SAP/image-mapper-helm/blob/main/chart/templates/webhook.yaml#L50-L53
https://github.com/SAP/image-mapper-helm/blob/main/chart/templates/webhook.yaml#L80

So nothing changes exactly because of the lookup. I don't know how argo calculates the new target state when doing the diff. Of course, if it renders the chart again (without executing the lookup), then a new certificate will be generated. But shouldn't a correct ignoreDifferences prevent that new state from being applied to the cluster?

As an alternative (if you have cert-manager or can install it) you can set .webhook.certManager.enabled: true in the chart, see https://github.com/SAP/image-mapper-helm/blob/main/chart/templates/webhook.yaml#L50-L53. That will avoid the problem.