From fb83c5c57736b4ee8f1a672c048281528f8dfd45 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Thu, 26 Feb 2026 07:02:28 -0800
Subject: [PATCH] Add explicit ExternalSecret defaults for SSA sync parity

The external-secrets webhook injects conversionStrategy, decodingStrategy,
and metadataPolicy defaults on admission. Declaring them explicitly prevents
ArgoCD SSA from flagging the resource as OutOfSync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 argocd/manifests/argocd/external-secret-repo-forge.yaml | 3 +++
 docs/changelog.d/main.infra.md                          | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 docs/changelog.d/main.infra.md

diff --git a/argocd/manifests/argocd/external-secret-repo-forge.yaml b/argocd/manifests/argocd/external-secret-repo-forge.yaml
index a8022ad..f7fd74e 100644
--- a/argocd/manifests/argocd/external-secret-repo-forge.yaml
+++ b/argocd/manifests/argocd/external-secret-repo-forge.yaml
@@ -26,5 +26,8 @@ spec:
   data:
   - secretKey: privateKey
     remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
       key: argocd-forge-ssh-key
+      metadataPolicy: None
       property: private-key-openssh
diff --git a/docs/changelog.d/main.infra.md b/docs/changelog.d/main.infra.md
new file mode 100644
index 0000000..da6fc47
--- /dev/null
+++ b/docs/changelog.d/main.infra.md
@@ -0,0 +1 @@
+Add explicit ExternalSecret defaults for SSA sync parity with ArgoCD v3.3