Skip to main content
Add-on settings control how ArgoCD manages the lifecycle of your deployed add-ons. These settings apply to both standalone add-ons and add-ons within stacks.

Overview

Every add-on deployed through Ankra is backed by an ArgoCD Application. The settings page lets you fine-tune how ArgoCD synchronizes, monitors, and recovers your add-on. You can configure these settings from:
  • Stack Builder — click any add-on and open the Settings tab
  • Standalone Add-ons — open the add-on and click Settings
Changes made in the Stack Builder are applied when you save the stack. Changes to standalone add-ons are applied to ArgoCD immediately.

Settings Profiles

Profiles are pre-configured bundles of settings optimized for common scenarios. Select a profile to quickly apply recommended values, or choose Custom to configure each setting individually.
ProfileAutomated SyncAuto PruneSelf HealHealth CheckRevision LimitBest For
DefaultOnOnOnOff10Most add-ons
DevelopmentOnOnOnOff5Fast iteration, dev/staging clusters
Production CriticalOffOffOffOn20Critical workloads requiring manual control
StatefulOnOffOnOff10Databases, message queues, stateful apps
Changing any individual setting automatically switches the profile to Custom.

Sync Policy

The sync policy determines how ArgoCD responds to changes in your Git repository and drift in your cluster.

Automated Sync

When enabled, ArgoCD automatically syncs your add-on whenever changes are detected in Git. When disabled, you must trigger syncs manually.

Auto Prune

When enabled alongside Automated Sync, ArgoCD automatically deletes Kubernetes resources that are no longer defined in Git. This keeps your cluster clean but means removing a resource from your stack will delete it from the cluster.
Auto Prune can delete resources that were removed from your Git repository. Make sure you intend to remove them before enabling this option.

Self Heal

When enabled alongside Automated Sync, ArgoCD automatically reverts any manual changes made directly to the cluster. If someone modifies a resource with kubectl, ArgoCD will detect the drift and restore the resource to match Git.

Sync Options

Sync options are flags that control specific ArgoCD behaviors during synchronization. You can select multiple options.
OptionDescription
Create NamespaceAutomatically create the target namespace if it does not exist
Server-Side ApplyUse Kubernetes server-side apply instead of client-side. Recommended for large resources and CRDs
Apply Out-of-Sync OnlyOnly apply resources that are out of sync, skipping unchanged resources. Reduces sync time
Respect Ignore DifferencesHonor ignore difference rules during sync. Automatically enabled when ignore rules are present
Prune Propagation: ForegroundWait for dependent resources to be deleted before removing the parent
Prune Propagation: BackgroundDelete the parent immediately and let Kubernetes garbage-collect dependents
Prune Propagation: OrphanRemove the parent but leave dependent resources in place
Prune LastPrune resources only after all other sync operations complete
ReplaceUse kubectl replace instead of kubectl apply. Useful when apply fails due to field conflicts
Fail on Shared ResourceFail the sync if a resource is already managed by another ArgoCD Application
Server-Side Apply and Create Namespace are enabled by default in most profiles. Server-Side Apply is recommended because it handles large objects and field conflicts better than client-side apply.

Health & Revisions

Strict Health Check

When enabled, ArgoCD requires all resources created by the add-on to report a healthy status before considering the deployment successful. This is useful for production-critical add-ons where partial deployments are unacceptable. When disabled (default), ArgoCD considers the sync successful as soon as resources are applied, regardless of their health status.

Revision History Limit

Controls how many previous application revisions ArgoCD retains (1—100). Higher values consume more storage but make it easier to audit changes and understand deployment history. The default is 10.

Retry Policy

The retry policy controls automatic retry behavior when a sync operation fails.
FieldDescriptionDefault
Retry LimitMaximum number of retry attempts (0—100)5
Backoff FactorMultiplier applied to delay between retries (1—10)2
Initial DelayWait time before the first retry (e.g. 5s, 1m)5s
Max DelayMaximum wait time between retries (e.g. 3m, 10m)3m
Retries use exponential backoff: each retry waits longer than the previous one, up to the max delay. For example, with the defaults, retries happen at approximately 5s, 10s, 20s, 40s, and 80s (capped at 3m).

Sync Window

Sync windows restrict when ArgoCD is allowed to synchronize your add-on. This is useful for enforcing change-management policies, such as only allowing deployments during business hours or maintenance windows.
FieldDescriptionExample
ScheduleCron expression defining when the window opens0 22 * * * (daily at 10 PM)
DurationHow long the window stays open1h, 30m, 2h
TimezoneTimezone for the cron scheduleUTC, Europe/Berlin, US/Eastern
When a sync window is active, ArgoCD will only sync during the defined window. Outside the window, changes accumulate in Git and are applied when the next window opens.

Ignore Differences

Ignore Differences lets you tell ArgoCD to skip specific fields when comparing the desired state (Git) with the live state (cluster). This prevents false “OutOfSync” reports caused by fields that are mutated at runtime by Kubernetes controllers, webhooks, or operators.

Why Ignore Differences?

ArgoCD continuously compares your Git repository with the live cluster state. When they differ, ArgoCD reports the resource as OutOfSync. However, some fields are legitimately modified after deployment:
  • Webhook controllers inject caBundle values into webhook configurations
  • Kubernetes assigns clusterIP to Services automatically
  • Operators update status fields and annotations on custom resources
  • Controllers like kube-controller-manager set default values on resources
Without ignore rules, these runtime mutations cause constant OutOfSync status, triggering unnecessary syncs (with auto-sync) or masking real configuration drift.

Resource Selectors

Each ignore rule can be scoped to specific resources using optional selectors:
FieldDescriptionExample
KindKubernetes resource kindValidatingWebhookConfiguration
GroupAPI group of the resourceadmissionregistration.k8s.io
NameSpecific resource nameistio-validator-istio-system
NamespaceNamespace of the resourceistio-system
All selectors are optional. Omitting a selector means the rule matches all values for that field. For example, a rule with only Kind: Service and no name or namespace applies to every Service in the add-on.

Matching Methods

Each rule must include at least one of the following methods to specify which fields to ignore.

JSON Pointers

JSON Pointers (RFC 6901) are path-based references into a JSON document. They use / as a separator and numeric indices for arrays. Syntax: /path/to/field or /path/0/arrayElement Examples:
PointerWhat it targets
/spec/clusterIPThe clusterIP field on a Service
/webhooks/0/clientConfig/caBundleThe caBundle of the first webhook
/metadata/annotations/kubectl.kubernetes.io~1last-applied-configurationAn annotation (note: / in keys is escaped as ~1)
/statusThe entire status subresource
Use JSON Pointers when you need to target a specific array index or a straightforward field path. They are simple and well-suited for most use cases.

JQ Path Expressions

JQ path expressions use the jq query language syntax to target fields. They are more powerful than JSON Pointers and support wildcards and array iteration. Syntax: .path.to.field or .path[0].arrayElement Examples:
ExpressionWhat it targets
.spec.clusterIPThe clusterIP field on a Service
.webhooks[0].clientConfig.caBundleThe caBundle of the first webhook
.webhooks[].clientConfig.caBundleThe caBundle of all webhooks (wildcard)
.metadata.annotations["kubectl.kubernetes.io/last-applied-configuration"]An annotation with special characters in the key
.statusThe entire status subresource
Use JQ Path Expressions when you need wildcards (e.g. .webhooks[] to match all array elements) or when targeting fields with special characters in their keys.

Managed Fields Managers

Instead of targeting specific fields, you can ignore all fields managed by a particular controller or process. Kubernetes tracks which controller “owns” each field through its Server-Side Apply mechanism. Examples:
ManagerWhat it covers
kube-controller-managerFields set by the Kubernetes controller manager (e.g. default values, status updates)
clusterrole-aggregation-controllerAggregated rules on ClusterRoles
cert-manager-cainjectorCA bundle fields injected by cert-manager
Managed Fields Managers is the broadest matching method. It ignores all fields owned by that manager, which may include fields you want ArgoCD to track. Use it only when you trust the controller’s mutations entirely.

Common Examples

Webhook controllers like cert-manager inject a caBundle into webhook configurations after deployment. This is one of the most common causes of false OutOfSync status.
FieldValue
KindValidatingWebhookConfiguration
Groupadmissionregistration.k8s.io
JSON Pointer/webhooks/0/clientConfig/caBundle
Or to cover all webhooks in the configuration using JQ:
FieldValue
KindValidatingWebhookConfiguration
Groupadmissionregistration.k8s.io
JQ Path Expression.webhooks[].clientConfig.caBundle
This also applies to MutatingWebhookConfiguration resources.
Kubernetes assigns clusterIP and clusterIPs automatically when a Service is created. These values are not in your Helm chart but will appear in the live resource.
FieldValue
KindService
JSON Pointers/spec/clusterIP, /spec/clusterIPs
When using ClusterRole aggregation, the kube-controller-manager merges rules from multiple ClusterRoles. The aggregated rules field will differ from what is defined in Git.
FieldValue
KindClusterRole
Grouprbac.authorization.k8s.io
Managed Fields Managerclusterrole-aggregation-controller
Operators and controllers frequently update the .status subresource on CRDs. Since status is managed by controllers and not by your Helm chart, these changes cause false diffs.
FieldValue
KindYour CRD kind (e.g. Certificate, IngressRoute)
JQ Path Expression.status
Some controllers add or modify annotations on resources. For example, kubectl.kubernetes.io/last-applied-configuration is added by client-side apply.
FieldValue
JSON Pointer/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration
Or with JQ (no escaping needed):
FieldValue
JQ Path Expression.metadata.annotations["kubectl.kubernetes.io/last-applied-configuration"]
Kubernetes mutates volumeClaimTemplates on StatefulSets after creation, adding defaults like storageClassName, volumeMode, and status. These fields are not in your Helm chart but appear in the live resource.
FieldValue
KindStatefulSet
Groupapps
JQ Path Expression.spec.volumeClaimTemplates[]
For more targeted ignoring, you can narrow to specific subfields:
FieldValue
KindStatefulSet
Groupapps
JSON Pointers/spec/volumeClaimTemplates/0/spec/volumeMode, /spec/volumeClaimTemplates/0/status
The Kubernetes controller manager sets default values on many resources (e.g. default service account tokens, pod tolerations). Use a Managed Fields Manager rule to ignore all of them at once.
FieldValue
Managed Fields Managerkube-controller-manager
This applies broadly, so only use it on resources where you want to ignore all controller-managed fields.

Important Behaviors

Rules need a diff specifier. Each ignore rule must include at least one JSON Pointer, JQ Path Expression, or Managed Fields Manager. Rules with only resource selectors (Kind, Group, Name, Namespace) and no diff specifier are silently ignored.
RespectIgnoreDifferences is automatic. When you add ignore rules, the RespectIgnoreDifferences=true sync option is automatically enabled. You do not need to add it manually.
Custom profile. Adding or modifying ignore rules automatically switches your settings profile to Custom.

Add-ons

Learn about add-on architecture and deployment.

Stacks

Bundle add-ons into reusable stacks.

GitOps

Understand the GitOps workflow.

SOPS Encryption

Encrypt sensitive add-on values.