ArgoCD managed controller restoration process

I've recently deployed my OpenZiti controller into an EKS cluster, using ArgoCD to manage the deployment, and this has prompted some investigation into how controller persistence and recovery would work.

When the new controller stands up, I'm not sure what the best method is to restore the configuration and PKI. Considering these are being mounted as read-only within /etc/ziti and populated from the secrets and configmap, I am unable to manually restore by copying the backed up files. If I attempt to manually edit the secrets and configmap, then ArgoCD's auto-sync feature will revert back to the deployed values.

The route I've started going down is to persist the PKI as an external-secret and change the chart to use that instead of the generated files from the cert-manager, but I'd appreciate if anyone has a similar use-case and/or a better solution.

Many thanks.