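---
# Filename: argocd-app-cert-manager-issuer.yaml
#
# Argo CD Application that syncs a SealedSecret and a cert-manager
# ClusterIssuer from Git into the cert-manager namespace.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager-clusterissuer-cloudflare
  # The namespace where Argo CD runs.
  namespace: argocd
  # Cascading delete: removing this Application also removes the resources
  # it created in the destination cluster.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  # Or your specific Argo CD project name.
  # NOTE(review): unless it has been restricted, the built-in `default`
  # project permits any source repository and any destination. A dedicated
  # AppProject that allows only this repo, the cert-manager namespace and
  # the ClusterIssuer cluster-scoped kind limits what this Application can
  # deploy if the repository is tampered with.
  project: default
  source:
    # Replace with your Git repository URL.
    repoURL: 'https://git.james-mellors.com/mello/cert-manager.git'
    # Replace with the path to your SEALED secret and ClusterIssuer
    # manifests. Only the SealedSecret belongs in Git; the plaintext Secret
    # must never be committed.
    path: 'argocd/apps/cert-manager-issuer'
    # Branch to track; a specific tag or commit hash also works.
    # NOTE(review): a branch is mutable, and with automated sync below every
    # commit that lands on it is applied to the cluster without a further
    # gate. Protect the branch (required reviews, restricted push) or pin to
    # a tag or commit hash.
    targetRevision: main
  destination:
    # Target cluster URL (use this for in-cluster).
    server: 'https://kubernetes.default.svc'
    # The namespace where the *final decrypted* Secret needs to exist,
    # matching the namespace in the SealedSecret metadata.
    namespace: cert-manager
  syncPolicy:
    automated:
      # Delete cluster resources that are no longer present in Git.
      prune: true
      # Revert manual changes made in the cluster back to the Git state.
      selfHeal: true
    syncOptions:
      # Ensures the cert-manager namespace exists.
      - CreateNamespace=true
      # Optional: Might be needed if the controller adds annotations/labels
      # - RespectIgnoreDifferences=true
  # Optional: Ignore fields modified by the Sealed Secrets controller
  # ignoreDifferences:
  #   - group: bitnami.com
  #     kind: SealedSecret
  #     jsonPointers:
  #       - /metadata/annotations
  #       - /metadata/creationTimestamp
  #       - /metadata/generation
  #       - /metadata/resourceVersion
  #       - /metadata/uid

# IMPORTANT DEPENDENCY:
# Ensure the Sealed Secrets controller is running and healthy *before* this
# application syncs, otherwise the SealedSecret won't be unsealed.
# If you manage Sealed Secrets via Argo CD, consider using Sync Waves or
# App of Apps patterns.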