Application shows differences in Deployment's annotations when syncPolicy.managedNamespaceMetadata is set

[mtougeron]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

When an Application or ApplicationSet is using the syncPolicy.managedNamespaceMetadata field with the RespectIgnoreDifferences=true flag is set and the resource.customizations.ignoreDifferences.apps_Deployment (and StatefulSet) is set in the argocd-cm ConfigMap, Argo CD will incorrectly calculate the differences in the .spec.template.metadata.annotations field. It will show that the live manifest has

  template:
    metadata:
      annotations: {}

instead of not being set at all when the only annotation set is the one being ignored in the resource.customizations.ignoreDifferences settings.

To Reproduce

Update the argocd-cm ConfigMap to contain

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  resource.customizations.ignoreDifferences.apps_Deployment: |
    jqPathExpressions:
      - .spec.template.metadata.annotations."kubectl.kubernetes.io/restartedAt"
      - .spec.template.metadata.annotations."shredder.ethos.adobe.net/restartedAt"
  resource.customizations.ignoreDifferences.apps_StatefulSet: |
    jqPathExpressions:
      - .spec.template.metadata.annotations."kubectl.kubernetes.io/restartedAt"
      - .spec.template.metadata.annotations."shredder.ethos.adobe.net/restartedAt"

Restart Argo CD pods

Create an Application using the guestbook example app.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  destination:
    namespace: guestbook
    server: https://kubernetes.default.svc
  project: default
  source:
    path: helm-guestbook
    repoURL: https://github.com/argoproj/argocd-example-apps.git
  syncPolicy:
#    managedNamespaceMetadata:
#      labels:
#        some-custom-label: somevalue
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
    automated:
      prune: false
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - Prune=false
    - Validate=true
    - CreateNamespace=true
    - PrunePropagationPolicy=foreground
    - PruneLast=true
    - RespectIgnoreDifferences=true

Apply the Application to the Argo CD instance.

Once the Deployment exists, do a kubectl rollout restart deploy/guestbook-helm-guestbook -n guestbook to add the kubectl.kubernetes.io/restartedAt annotation.

Verify that the Application in Argo CD shows no differences.

Edit the Application to set a label on the Namespace using the syncPolicy.managedNamespaceMetadata field and apply it

The Application will show that there is a difference because the Namespace label has not been applied.

Click sync to sync the Application and have the Namespace label applied.

After this, the Application will always show that there is a difference in the guestbook-helm-guestbook Deployment's annotations.
 
Expected behavior

The Application should not show that there are any differences in the Application.

Screenshots

Version

v2.12.6+4dab5bd

I also tested this with the latest v2.13.0-rc5 release as well and was able to reproduce it.

Tested reproduction steps with Kubernetes Server Version: v1.29.4 and Server Version: v1.31.1 using kind.