Endless Sync Loop when installing Helm Chart via ArgoCD

[jstewart612]

Describe the bug:
Helm chart's ValidatingWebhookConfiguration is missing a configuration section which Kubernetes adds in on Azure Kubernetes Service to every ValidatingWebhookConfiguration which causes ArgoCD to place the Helm chart into a constant sync loop and never become healthy.

Expected behaviour:
This ValidatingWebhookConfiguration

Steps to reproduce the bug:
Install this Application CRD on your cluster running ArgoCD 2.0.3 on an Azure Kubernetes Service cluster:

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  name: cert-manager
spec:
  project: default
  destination:
    namespace: cert-manager
    server: 'https://kubernetes.default.svc'
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
  source:
    chart: cert-manager
    repoURL: 'https://charts.jetstack.io'
    targetRevision: v1.4.0
    helm:
      releaseName: cert-manager
      values: |+
        global:
          logLevel: 2
        ingressShim:
          defaultIssuerName: letsencrypt
          defaultIssuerKind: ClusterIssuer
        installCRDs: true
        prometheus:
          enabled: true
          servicemonitor:
            enabled: true

Once you do, this section will repeatedly want to delete webhooks[0].namespaceSelector.matchExpressions[2]:

- key: control-plane
  operator: DoesNotExist

Anything else we need to know?:
Nope.

Environment details::

• Kubernetes version: 1.20.7
• Cloud-provider/provisioner: Azure Kubernetes Service
• cert-manager version: v1.4.0
• Install method: e.g. helm/static manifests: ArgoCD 2.0.3 using above Application CRD instance.

/kind bug

[jstewart612]

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jemag]

Had the same problem after adding it to argocd using kustomize. In my case, I added the following patch:

patchesJson6902:
- target:
    group: admissionregistration.k8s.io
    version: v1
    kind: ValidatingWebhookConfiguration
    name: cert-manager-webhook
  patch: |-
    - op: add
      path: /webhooks/0/namespaceSelector/matchExpressions/-
      value:
        key: control-plane
        operator: DoesNotExist

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.