Ignore resources from apply if it already exists

[emmetog]

There's an interesting situation in GKE when setting up cert manager to secure Ingress resources (same thing also happens for the alternative Gateway approach). It's a chicken and egg situation, GKE can only create the routes to allow the HTTP challenge to go ahead in the first place if there is already a "dummy" tls cert provisioned on the cluster. The need for this is explained here (an official tutorial from cert-manager explaining how to do it with Ingress) and here (similar community tutorial but with Gateway instead of Ingress).

This is arguably something that should be fixed by GKE so that the Ingress/Gateway can go ahead even with no placeholder secret created, but as it is it unfortunately means that provisioning cert-manager on GKE cannot be handled fully by flux, as even if flux initially created the dummy secret it would overwrite the real cert with the dummy again on every reconciliation. The cert must be initially created manually (outside of flux).

One idea that would solve this chicken and egg issue could be a "ignore this resource if it already exists, but create it as defined if not" kind of annotation, or even something more flexible to allow specifying individual fields in the resource to ignore when reconciling. Then we could use this to tell flux to create the dummy secret if it's not there already, but if cert-manager has updated it then flux would not overwrite it again.

Is there another solution (other than manually creating the initial tls secrets) which might get me closer to my aim of getting this situation fully managed by flux?

[stefanprodan]

You can do this via Git, after the initial sync, set the kustomize.toolkit.fluxcd.io/reconcile: disabled annotation on the secret.

Another way would be to use a Job that runs kubectl annotate, Flux will sync the Secret and Job, then it will ignore the secret.