wildcard.bert.local-tls certificate has OutOfSync status on ArgoCD

[aaronsgithub]

Describe the bug

We have deployed a Certificate resource which is a cert-manager CRD via:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/certificates/resources/wildcard.bert.local-tls.certificate.cert-manager.yaml

with the following patch which gets updated when we want to add a new namespace to the certificate:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/certificates/patches/wildcard.bert.local-tls.certificate.cert-manager.reflector.namespaces.yaml

This has been deployed by ArgoCD as an Application via an ApplicationSet defined here:
https://github.com/aaronsgithub/homelab/blob/1a0f7eef5275e8cb5a313e71f6c7524203777e65/appsets/system/system.applicationset.yaml

There is an OutOfSync status with a diff showing between the "live" and the "desired" manifest in ArgoCD

Expected Behaviour

There should be no OutOfSync error.

Current Behaviour

live| desired diff
107 | 107 | - bert.local  
108 |     | duration: 8760h0m0s 
    | 108 | duration: 8760h 
    | 109 | isCA: false 
109 | 110 | issuerRef: 
110 | 111 | group: cert-manager.io 
116 | 117 | rotationPolicy: Always 
117 | 118 | size: 384 
118 |     | renewBefore: 720h0m0s 
    | 119 | renewBefore: 720h 
119 | 120 | secretName: wildcard.bert.local-tls 
120 | 121 | secretTemplate: 

It is not clear why isCA disappears from the live manifest.

Possible Solutions

• Get ArgoCD to ignore the difference:
  https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/
• Change manifest deployment to add minutes and seconds to renewBefore.
• Investigate why isCA does not appear in live manifest.

[aaronsgithub]

See the following for similar issue:

• OutOfSync should provide better help for elided fields argoproj/argo-cd#5116 (comment)