feat: enable self registration of agents

Assisted by: Cursor

Signed-off-by: Jayendra Parsai <jparsai@redhat.com>

Author: jparsai

cmd/argocd-agent/principal.go

@@ -73,6 +73,7 @@ func NewPrincipalRunCommand() *cobra.Command {
 		autoNamespaceLabels       []string
 		enableWebSocket           bool
 		enableResourceProxy       bool
+		resourceProxyAddress      string
 		pprofPort                 int
 		resourceProxySecretName   string
 		resourceProxyCertPath     string
@@ -97,6 +98,8 @@ func NewPrincipalRunCommand() *cobra.Command {
 		// OpenTelemetry configuration
 		otlpAddress  string
 		otlpInsecure bool
+
+		enableSelfClusterRegistration bool
 	)
 	command := &cobra.Command{
 		Use:   "principal",
@@ -236,6 +239,7 @@ func NewPrincipalRunCommand() *cobra.Command {
 					cmdutil.Fatal("Error reading TLS config for resource proxy: %v", err)
 				}
 				opts = append(opts, principal.WithResourceProxyTLS(proxyTLS))
+				opts = append(opts, principal.WithResourceProxyAddress(resourceProxyAddress))
 			}
 
 			if jwtKey != "" {
@@ -324,6 +328,9 @@ func NewPrincipalRunCommand() *cobra.Command {
 			opts = append(opts, principal.WithRedis(redisAddress, redisPassword, redisCompressionType))
 			opts = append(opts, principal.WithHealthzPort(healthzPort))
 
+			// Self cluster registration options
+			opts = append(opts, principal.WithClusterRegistration(enableSelfClusterRegistration))
+
 			s, err := principal.NewServer(ctx, kubeConfig, namespace, opts...)
 			if err != nil {
 				cmdutil.Fatal("Could not create new server instance: %v", err)
@@ -445,6 +452,10 @@ func NewPrincipalRunCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableResourceProxy, "enable-resource-proxy",
 		env.BoolWithDefault("ARGOCD_PRINCIPAL_ENABLE_RESOURCE_PROXY", true),
 		"Whether to enable the resource proxy")
+	command.Flags().StringVar(&resourceProxyAddress, "resource-proxy-address",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_RESOURCE_PROXY_ADDRESS", nil, "argocd-agent-resource-proxy:9090"),
+		"Resource proxy address on principal side")
+
 	command.Flags().DurationVar(&keepAliveMinimumInterval, "keepalive-min-interval",
 		env.DurationWithDefault("ARGOCD_PRINCIPAL_KEEP_ALIVE_MIN_INTERVAL", nil, 0),
 		"Drop agent connections that send keepalive pings more often than the specified interval") // It should be less than "keep-alive-ping-interval" of agent
@@ -476,6 +487,10 @@ func NewPrincipalRunCommand() *cobra.Command {
 	command.Flags().StringVar(&kubeConfig, "kubeconfig", "", "Path to a kubeconfig file to use")
 	command.Flags().StringVar(&kubeContext, "kubecontext", "", "Override the default kube context")
 
+	command.Flags().BoolVar(&enableSelfClusterRegistration, "enable-self-cluster-registration",
+		env.BoolWithDefault("ARGOCD_PRINCIPAL_ENABLE_SELF_CLUSTER_REGISTRATION", false),
+		"Allow agents with valid client certificates to self-register on connection")
+
 	return command
 }
 

hack/dev-env/start-principal.sh

@@ -44,13 +44,17 @@ E2E_ENV_FILE="/tmp/argocd-agent-e2e"
 if [ -f "$E2E_ENV_FILE" ]; then
     source "$E2E_ENV_FILE"
     export ARGOCD_PRINCIPAL_ENABLE_WEBSOCKET=${ARGOCD_PRINCIPAL_ENABLE_WEBSOCKET:-false}
+    export ARGOCD_PRINCIPAL_ENABLE_SELF_CLUSTER_REGISTRATION=${ARGOCD_PRINCIPAL_ENABLE_SELF_CLUSTER_REGISTRATION:-false}
 fi
 
+export ARGOCD_AGENT_RESOURCE_PROXY=$(ip r show default | sed -e 's,.*\ src\ ,,' | sed -e 's,\ metric.*$,,')
+
 SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 go run github.com/argoproj-labs/argocd-agent/cmd/argocd-agent principal \
 	--allowed-namespaces '*' \
 	--kubecontext vcluster-control-plane \
 	--log-level ${ARGOCD_AGENT_LOG_LEVEL:-trace} \
 	--namespace argocd \
 	--auth "mtls:CN=([^,]+)" \
+    --resource-proxy-address "${ARGOCD_AGENT_RESOURCE_PROXY}:9090" \
 	$ARGS

internal/argocd/cluster/cluster.go

@@ -15,21 +15,30 @@
 package cluster
 
 import (
+	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"time"
 
+	"github.com/argoproj-labs/argocd-agent/internal/config"
 	"github.com/argoproj-labs/argocd-agent/internal/event"
+	"github.com/argoproj-labs/argocd-agent/internal/tlsutil"
 	"github.com/redis/go-redis/v9"
 	"github.com/redis/go-redis/v9/maintnotifications"
 	"github.com/sirupsen/logrus"
 
 	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	cacheutil "github.com/argoproj/argo-cd/v3/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v3/util/cache/appstate"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )
 
+const LabelKeySelfRegisteredCluster = "argocd-agent.argoproj-labs.io/self-registered-cluster"
+
 // SetAgentConnectionStatus updates cluster info with connection state and time in mapped cluster at principal.
 // This is called when the agent is connected or disconnected with the principal.
 func (m *Manager) SetAgentConnectionStatus(agentName, status appv1.ConnectionStatus, modifiedAt time.Time) {
@@ -181,3 +190,101 @@ func NewClusterCacheInstance(redisAddress, redisPassword string, redisCompressio
 
 	return clusterCache, nil
 }
+
+// CreateCluster creates a cluster secret for an agent's cluster on the principal.
+func CreateCluster(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName, resourceProxyAddress string) error {
+
+	// Generate client certificate signed by principal's CA.
+	clientCert, clientKey, caData, err := generateAgentClientCert(ctx, kubeclient, namespace, agentName, config.SecretNamePrincipalCA)
+	if err != nil {
+		return fmt.Errorf("could not generate client certificate: %w", err)
+	}
+
+	// Note: this structure has to be same as manual creation done by `argocd-agentctl agent create <agent_name>`
+	cluster := &appv1.Cluster{
+		Server: fmt.Sprintf("https://%s?agentName=%s", resourceProxyAddress, agentName),
+		Name:   agentName,
+		Labels: map[string]string{
+			LabelKeyClusterAgentMapping:   agentName,
+			LabelKeySelfRegisteredCluster: "true",
+		},
+		Config: appv1.ClusterConfig{
+			TLSClientConfig: appv1.TLSClientConfig{
+				CertData: []byte(clientCert),
+				KeyData:  []byte(clientKey),
+				CAData:   []byte(caData),
+			},
+		},
+	}
+
+	// Convert cluster object to Kubernetes secret object
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      getClusterSecretName(agentName),
+			Namespace: namespace,
+		},
+	}
+	if err := ClusterToSecret(cluster, secret); err != nil {
+		return fmt.Errorf("could not convert cluster to secret: %w", err)
+	}
+
+	// Create the secret to register the agent's cluster.
+	// Handle AlreadyExists as success to make this idempotent and avoid TOCTOU race
+	// conditions where concurrent registrations both pass the existence check.
+	if _, err = kubeclient.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			return nil
+		}
+		return fmt.Errorf("could not create cluster secret to register agent's cluster: %w", err)
+	}
+
+	return nil
+}
+
+// ClusterSecretExists checks if a cluster secret exists for the given agent.
+func ClusterSecretExists(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName string) (bool, error) {
+	if _, err := kubeclient.CoreV1().Secrets(namespace).Get(ctx, getClusterSecretName(agentName), metav1.GetOptions{}); err != nil {
+		if apierrors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
+func generateAgentClientCert(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName, caSecretName string) (clientCert, clientKey, caData string, err error) {
+
+	// Read the CA certificate from the principal's CA secret
+	tlsCert, err := tlsutil.TLSCertFromSecret(ctx, kubeclient, namespace, caSecretName)
+	if err != nil {
+		err = fmt.Errorf("could not read CA secret: %w", err)
+		return
+	}
+
+	// Parse CA certificate from PEM format
+	signerCert, err := x509.ParseCertificate(tlsCert.Certificate[0])
+	if err != nil {
+		err = fmt.Errorf("could not parse CA certificate: %w", err)
+		return
+	}
+
+	// Generate a client cert with agent name as CN and sign it with the CA's cert and key
+	clientCert, clientKey, err = tlsutil.GenerateClientCertificate(agentName, signerCert, tlsCert.PrivateKey)
+	if err != nil {
+		err = fmt.Errorf("could not create client cert: %w", err)
+		return
+	}
+
+	// Convert CA certificate to PEM format
+	caData, err = tlsutil.CertDataToPEM(tlsCert.Certificate[0])
+	if err != nil {
+		err = fmt.Errorf("could not convert CA certificate to PEM format: %w", err)
+		return
+	}
+
+	return
+}
+
+func getClusterSecretName(agentName string) string {
+	return "cluster-" + agentName
+}

internal/argocd/cluster/cluster_test.go

@@ -21,11 +21,16 @@ import (
 	"time"
 
 	"github.com/alicebob/miniredis/v2"
+	"github.com/argoproj-labs/argocd-agent/internal/config"
 	"github.com/argoproj-labs/argocd-agent/internal/event"
+	"github.com/argoproj-labs/argocd-agent/internal/tlsutil"
 	"github.com/argoproj-labs/argocd-agent/test/fake/kube"
 	appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	cacheutil "github.com/argoproj/argo-cd/v3/util/cache"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )
 
 func setup(t *testing.T, redisAddress string) (string, *Manager) {
@@ -43,6 +48,25 @@ func setup(t *testing.T, redisAddress string) (string, *Manager) {
 	return agentName, m
 }
 
+func createTestCASecret(t *testing.T, kubeclient kubernetes.Interface, namespace string) {
+	t.Helper()
+	caCertPEM, caKeyPEM, err := tlsutil.GenerateCaCertificate(config.SecretNamePrincipalCA)
+	require.NoError(t, err, "generate CA certificate")
+
+	_, err = kubeclient.CoreV1().Secrets(namespace).Create(context.Background(), &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      config.SecretNamePrincipalCA,
+			Namespace: namespace,
+		},
+		Type: corev1.SecretTypeTLS,
+		Data: map[string][]byte{
+			"tls.crt": []byte(caCertPEM),
+			"tls.key": []byte(caKeyPEM),
+		},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err, "create CA secret")
+}
+
 func Test_UpdateClusterInfo(t *testing.T) {
 	miniRedis, err := miniredis.Run()
 	require.NoError(t, err)
@@ -313,3 +337,38 @@ func Test_RefreshClusterInfo(t *testing.T) {
 		})
 	})
 }
+
+func Test_CreateCluster(t *testing.T) {
+	const testNamespace = "argocd"
+	const testResourceProxyAddr = "resource-proxy:8443"
+
+	t.Run("Returns error when CA secret is missing", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		err := CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr)
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "could not generate client certificate")
+	})
+
+	t.Run("Creates cluster secret successfully with valid CA", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+		createTestCASecret(t, kubeclient, testNamespace)
+
+		agentName := "test-agent"
+		err := CreateCluster(context.Background(), kubeclient, testNamespace, agentName, testResourceProxyAddr)
+
+		require.NoError(t, err)
+
+		secret, err := kubeclient.CoreV1().Secrets(testNamespace).Get(
+			context.Background(),
+			getClusterSecretName(agentName),
+			metav1.GetOptions{},
+		)
+		require.NoError(t, err)
+		require.NotNil(t, secret)
+		require.Equal(t, getClusterSecretName(agentName), secret.Name)
+		require.Equal(t, agentName, secret.Labels[LabelKeyClusterAgentMapping])
+		require.Equal(t, "true", secret.Labels[LabelKeySelfRegisteredCluster])
+	})
+}

principal/apis/auth/auth.go

@@ -25,6 +25,7 @@ import (
 	"github.com/argoproj-labs/argocd-agent/internal/logging"
 	"github.com/argoproj-labs/argocd-agent/internal/queue"
 	"github.com/argoproj-labs/argocd-agent/pkg/api/grpc/authapi"
+	"github.com/argoproj-labs/argocd-agent/principal/clusterregistration"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -36,6 +37,8 @@ type Server struct {
 	issuer      issuer.Issuer
 	options     *ServerOptions
 	queues      *queue.SendRecvQueues
+
+	clusterRegistrationManager *clusterregistration.ClusterRegistrationManager
 }
 
 const (
@@ -50,7 +53,9 @@ const (
 
 var errAuthenticationFailed = status.Error(codes.Unauthenticated, authFailedMessage)
 
-type ServerOptions struct{}
+type ServerOptions struct {
+	clusterRegistrationManager *clusterregistration.ClusterRegistrationManager
+}
 
 type ServerOption func(o *ServerOptions) error
 
@@ -72,6 +77,8 @@ func NewServer(queues *queue.SendRecvQueues, authMethods *auth.Methods, iss issu
 			return nil, err
 		}
 	}
+
+	s.clusterRegistrationManager = s.options.clusterRegistrationManager
 	return s, nil
 }
 
@@ -117,6 +124,15 @@ func (s *Server) Authenticate(ctx context.Context, ar *authapi.AuthRequest) (*au
 		return nil, errAuthenticationFailed
 	}
 	logCtx.WithField("client", clientID).Info("client authentication successful")
+
+	// If self cluster registration is enabled, register the agent's cluster and create cluster secret if it doesn't exist
+	if s.clusterRegistrationManager != nil && s.clusterRegistrationManager.IsSelfClusterRegistrationEnabled() {
+		if err := s.clusterRegistrationManager.RegisterCluster(ctx, clientID); err != nil {
+			logCtx.WithError(err).WithField("client", clientID).Error("Failed to self register agent's cluster")
+			return nil, errAuthenticationFailed
+		}
+	}
+
 	subject := &auth.AuthSubject{ClientID: clientID, Mode: ar.Mode}
 	accessToken, refreshToken, err := s.issueTokens(subject, true)
 	if err != nil {