fix(operator): add helm.sh/resource-policy: keep when recreate is false #2172

Open
tmohanvamsi wants to merge 1 commit into open-telemetry:main from tmohanvamsi:fix/argocd-cert-recreation

@tmohanvamsi

Summary

When autoGenerateCert.recreate is set to false, the webhook secret is now annotated with helm.sh/resource-policy: keep. This prevents ArgoCD from deleting and recreating the certificate on every sync.

Root Cause

ArgoCD uses helm template (dry-run mode) which does not support the Helm lookup function. As a result, the existing secret is never found, the else branch always executes, and a new certificate is generated on every sync — even when recreate: false is set.

Fix

  • Added helm.sh/resource-policy: keep annotation to the webhook Secret when autoGenerateCert.recreate: false
  • Updated values.yaml documentation to explain ArgoCD behavior

Testing

  • Helm chart template rendering verified
  • Users with ArgoCD + recreate: false will no longer see certificate diffs on every sync

Related Issue

Fixes #2168
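
The root cause described above, modeled with Go's text/template (the engine Helm charts are rendered with), as an added example that is not part of this pull request or the chart. The template, the `genCert` helper and the stubbed `lookup` are constructed assumptions; a nil cluster stands in for `helm template`, where `lookup` has no API server to query and returns an empty result.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Constructed stand-in for a lookup-guarded Secret template (not the chart's own).
const secretTmpl = `{{- $old := lookup "v1" "Secret" .Namespace .Name -}}
metadata:
  name: {{ .Name }}
{{- if not .Recreate }}
  annotations:
    helm.sh/resource-policy: keep
{{- end }}
data:
  tls.crt: {{ if and $old (not .Recreate) }}{{ index $old "tls.crt" }}{{ else }}{{ genCert }}{{ end }}
`

type values struct {
	Namespace, Name string
	Recreate        bool
}

// render executes the template; a nil cluster models client-less rendering.
// serial counts certificates issued by the hypothetical genCert helper.
func render(v values, cluster map[string]map[string]string, serial *int) (string, error) {
	funcs := template.FuncMap{
		"lookup": func(apiVersion, kind, ns, name string) map[string]string {
			return cluster[ns+"/"+name] // nil or missing entry means "not found"
		},
		"genCert": func() string { *serial++; return fmt.Sprintf("cert-%d", *serial) },
	}
	t, err := template.New("secret").Funcs(funcs).Parse(secretTmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, v)
	return out.String(), err
}

func main() {
	v, n := values{"otel", "webhook-cert", false}, 0
	a, _ := render(v, nil, &n) // client-less render: new certificate
	b, _ := render(v, nil, &n) // same values again: another new certificate
	fmt.Print(a, b)
}
```

In this model the annotation is emitted on every `Recreate: false` render, while the `tls.crt` value still differs between client-less renders; only a render with cluster access reuses the stored certificate.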

When autoGenerateCert.recreate is set to false, the webhook secret is
now annotated with helm.sh/resource-policy: keep. This prevents ArgoCD
from deleting and recreating the certificate on every sync, which was
caused by ArgoCD's dry-run mode not supporting the Helm lookup function.

Updated values.yaml documentation to explain the ArgoCD behavior.

Fixes open-telemetry#2168

Signed-off-by: tadepmo <tmohanvamsi@gmail.com>
@tmohanvamsi tmohanvamsi requested review from a team, Allex1 and jvoravong as code owners April 30, 2026 13:30

linux-foundation-easycla Bot commented Apr 30, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: tmohanvamsi / name: tadepmo (2ca62d4)


Development

Successfully merging this pull request may close these issues.

opentelemetry-operator generated certificate is always recreated
