Fixing Argo CD Out-of-Sync Due to Cilium Identity on RKE2

If you’re running a Kubernetes cluster with RKE2 and Cilium as your networking solution, you might encounter a situation where Argo CD shows an out-of-sync status due to the presence of CiliumIdentity resources. Although the actual application is in sync and functioning normally, this false out-of-sync status can be frustrating to see in your CI/CD workflows.

Problem

When using Argo CD on RKE2 with Cilium as the CNI, CiliumIdentity objects may appear in Argo CD as out of sync. This happens even though they are auto-generated by Cilium and have no direct impact on the application’s state. This can cause the entire application to show as out of sync, even though everything is working correctly.

Solution

The solution is to configure Argo CD to exclude CiliumIdentity objects from being tracked, as these resources are not needed for application state reconciliation. This can be done by adding a resource exclusion rule in Argo CD’s configuration.

Step-by-Step Fix

  1. Access the Argo CD ConfigMap

    To fix this issue, the first step is to access and edit the Argo CD configuration to exclude the CiliumIdentity resource type. You can view the current configmap for Argo CD with the following command:

    kubectl get cm -n argocd
    

    Find the configmap named argocd-cm, which holds the main configuration for Argo CD.

  2. Edit the ConfigMap

    Use the following command to open the configmap in a text editor (we’ll use nano here for simplicity, but you can use any editor):

    KUBE_EDITOR="nano" kubectl edit cm argocd-cm -n argocd
    
  3. Add Resource Exclusion Rules

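    In the configmap, add the following exclusion rule under the data section to tell Argo CD to ignore CiliumIdentity resources. If a resource.exclusions key already exists, append the rule to its list instead of adding a second key: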

    data:
      resource.exclusions: |
        - apiGroups:
          - cilium.io
          kinds:
          - CiliumIdentity
          clusters:
          - "*"
    

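    This configuration tells Argo CD to ignore all CiliumIdentity resources across all clusters. The apiGroups field matches resources belonging to cilium.io, the kinds field targets the CiliumIdentity resource specifically, and the "*" entry under clusters applies the rule to every cluster Argo CD manages. Keep the kinds list this narrow: an excluded kind is no longer watched by Argo CD at all, so other cilium.io resources such as CiliumNetworkPolicy should stay out of the rule.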

  4. Save and Exit

    Press CTRL + O to save the changes, and then CTRL + X to exit the nano editor.

  5. Apply Changes

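    kubectl edit writes the change to the cluster as soon as you save and exit, so there is no separate apply command to run. Once you’ve updated the configmap, the CiliumIdentity resources will no longer be tracked by Argo CD. The out-of-sync status caused by these resources will disappear, and your application’s actual sync status will be displayed correctly.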

Why This Works

By adding this resource exclusion rule, Argo CD is instructed to ignore CiliumIdentity objects, which are dynamically managed by Cilium and aren’t essential for Argo CD to track. This keeps your Argo CD dashboard clean and ensures that only application-related resources are synced.
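To check how much a given exclusion rule hides, the following added example (not part of the original post and not Argo CD's own code) models rule matching and compares the rule from this page with a constructed over-broad variant. It assumes Argo CD's matching behaves as modelled here: globs on apiGroups and clusters, exact name or "*" on kinds, and an empty or missing list matching everything. The sample objects and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The rule from this page, in the form it takes once the YAML is parsed.
PAGE_RULE = {"apiGroups": ["cilium.io"], "kinds": ["CiliumIdentity"], "clusters": ["*"]}
# Constructed over-broad variant: no "kinds" list, so every cilium.io kind matches.
BROAD_RULE = {"apiGroups": ["cilium.io"], "clusters": ["*"]}

# Constructed sample objects: (apiGroup, kind, cluster URL).
CLUSTER = "https://kubernetes.default.svc"
SAMPLE = [
    ("cilium.io", "CiliumIdentity", CLUSTER),
    ("cilium.io", "CiliumNetworkPolicy", CLUSTER),
    ("cilium.io", "CiliumClusterwideNetworkPolicy", CLUSTER),
    ("networking.k8s.io", "NetworkPolicy", CLUSTER),
]
# Kinds that carry network policy and should stay visible to drift detection.
POLICY_KINDS = {"CiliumNetworkPolicy", "CiliumClusterwideNetworkPolicy", "NetworkPolicy"}


def _any_glob(patterns, value):
    """Assumed semantics: empty/missing list matches all, else any glob matches."""
    return not patterns or any(fnmatchcase(value, p) for p in patterns)


def _kind_match(kinds, kind):
    """Assumed semantics: empty/missing list matches all, else exact name or '*'."""
    return not kinds or any(k in ("*", kind) for k in kinds)


def is_excluded(rule, group, kind, cluster):
    """True when one exclusion rule matches the object on all three fields."""
    return (_any_glob(rule.get("apiGroups"), group)
            and _kind_match(rule.get("kinds"), kind)
            and _any_glob(rule.get("clusters"), cluster))


def excluded_kinds(rules, objects=SAMPLE):
    """Kinds from the sample that at least one rule would hide from Argo CD."""
    return sorted({k for g, k, c in objects
                   if any(is_excluded(r, g, k, c) for r in rules)})


def hidden_policy_kinds(rules, objects=SAMPLE):
    """Subset of excluded kinds that are network policy objects."""
    return [k for k in excluded_kinds(rules, objects) if k in POLICY_KINDS]


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("broad rule", BROAD_RULE)):
        print(f"{name}: excludes {excluded_kinds([rule])}, "
              f"hidden policy kinds {hidden_policy_kinds([rule])}")
```

The page's rule hides only CiliumIdentity, while the variant without a kinds list also hides both Cilium policy kinds from sync and drift detection.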

Conclusion

Fixing the out-of-sync status in Argo CD caused by CiliumIdentity resources is a simple configuration change that can help you maintain a clean and accurate view of your application’s state. By excluding these non-essential resources, you can focus on the actual application components and avoid unnecessary alerts or confusion in your CI/CD pipelines.