From 7bddc78c8a0f5567620a4da2b1630b767ab82ff2 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 5 Mar 2026 09:11:23 -0800
Subject: [PATCH] Add ExternalSecret default fields to prevent ArgoCD drift

The external-secrets operator adds conversionStrategy, decodingStrategy,
and metadataPolicy defaults to the live object, causing perpetual
OutOfSync in ArgoCD. Declare them explicitly to match.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 argocd/manifests/argocd/external-secret-oidc-authentik.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/argocd/manifests/argocd/external-secret-oidc-authentik.yaml b/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
index 776d88f..475a713 100644
--- a/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
+++ b/argocd/manifests/argocd/external-secret-oidc-authentik.yaml
@@ -24,5 +24,8 @@ spec:
   data:
     - secretKey: client-secret
       remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
         key: "Authentik (blumeops)"
+        metadataPolicy: None
         property: argocd-client-secret