feat: enable self registration of agents

Assisted by: Cursor

Signed-off-by: Jayendra Parsai <jparsai@redhat.com>

Author: jparsai

cmd/argocd-agent/principal.go

@@ -99,7 +99,8 @@ func NewPrincipalRunCommand() *cobra.Command {
 		otlpAddress  string
 		otlpInsecure bool
 
-		enableSelfClusterRegistration bool
+		enableSelfClusterRegistration     bool
+		selfClusterRegistrationSharedCert string
 	)
 	command := &cobra.Command{
 		Use:   "principal",
@@ -330,6 +331,9 @@ func NewPrincipalRunCommand() *cobra.Command {
 
 			// Self cluster registration options
 			opts = append(opts, principal.WithClusterRegistration(enableSelfClusterRegistration))
+			if selfClusterRegistrationSharedCert != "" {
+				opts = append(opts, principal.WithSelfClusterRegistrationSharedCert(selfClusterRegistrationSharedCert))
+			}
 
 			s, err := principal.NewServer(ctx, kubeConfig, namespace, opts...)
 			if err != nil {
@@ -491,6 +495,10 @@ func NewPrincipalRunCommand() *cobra.Command {
 		env.BoolWithDefault("ARGOCD_PRINCIPAL_ENABLE_SELF_CLUSTER_REGISTRATION", false),
 		"Allow agents with valid client certificates to self-register on connection")
 
+	command.Flags().StringVar(&selfClusterRegistrationSharedCert, "self-cluster-registration-shared-cert",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_SELF_CLUSTER_REGISTRATION_SHARED_CERT", nil, ""),
+		"Name of the TLS secret containing the shared client certificate for cluster secrets (requires ca.crt, tls.crt, tls.key)")
+
 	return command
 }
 

internal/argocd/cluster/cluster.go

@@ -192,12 +192,32 @@ func NewClusterCacheInstance(redisAddress, redisPassword string, redisCompressio
 }
 
 // CreateCluster creates a cluster secret for an agent's cluster on the principal.
-func CreateCluster(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName, resourceProxyAddress string) error {
+// If sharedClientCertSecretName is provided, it reads the TLS credentials from that secret
+// (shared client cert mode). Otherwise, it generates a new client certificate signed
+// by the principal's CA (legacy mode, requires CA private key).
+func CreateCluster(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName, resourceProxyAddress, sharedClientCertSecretName string) error {
+	var clientCert, clientKey, caData string
+	var err error
+
+	if sharedClientCertSecretName != "" {
+		// Shared client cert mode: read from existing secret
+		log().WithFields(logrus.Fields{
+			"agent":  agentName,
+			"secret": sharedClientCertSecretName,
+		}).Info("Using shared client certificate mode for cluster registration")
+
+		clientCert, clientKey, caData, err = readSharedClientCertFromSecret(ctx, kubeclient, namespace, sharedClientCertSecretName)
+		if err != nil {
+			return fmt.Errorf("could not read shared client certificate from secret %s: %v", sharedClientCertSecretName, err)
+		}
+	} else {
+		// Legacy mode: generate client certificate signed by principal's CA
+		log().WithField("agent", agentName).Info("Generating unique client certificate for cluster registration")
 
-	// Generate client certificate signed by principal's CA.
-	clientCert, clientKey, caData, err := generateAgentClientCert(ctx, kubeclient, namespace, agentName, config.SecretNamePrincipalCA)
-	if err != nil {
-		return fmt.Errorf("could not generate client certificate: %w", err)
+		clientCert, clientKey, caData, err = generateAgentClientCert(ctx, kubeclient, namespace, agentName, config.SecretNamePrincipalCA)
+		if err != nil {
+			return fmt.Errorf("could not generate client certificate: %v", err)
+		}
 	}
 
 	// Note: this structure has to be same as manual creation done by `argocd-agentctl agent create <agent_name>`
@@ -225,22 +245,47 @@ func CreateCluster(ctx context.Context, kubeclient kubernetes.Interface, namespa
 		},
 	}
 	if err := ClusterToSecret(cluster, secret); err != nil {
-		return fmt.Errorf("could not convert cluster to secret: %w", err)
+		return fmt.Errorf("could not convert cluster to secret: %v", err)
 	}
 
 	// Create the secret to register the agent's cluster.
-	// Handle AlreadyExists as success to make this idempotent and avoid TOCTOU race
-	// conditions where concurrent registrations both pass the existence check.
 	if _, err = kubeclient.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
 		if apierrors.IsAlreadyExists(err) {
 			return nil
 		}
-		return fmt.Errorf("could not create cluster secret to register agent's cluster: %w", err)
+		return fmt.Errorf("could not create cluster secret to register agent's cluster: %v", err)
 	}
 
 	return nil
 }
 
+// readSharedClientCertFromSecret reads TLS credentials from an existing Kubernetes TLS secret.
+// The secret should contain tls.crt, tls.key, and ca.crt keys.
+func readSharedClientCertFromSecret(ctx context.Context, kubeclient kubernetes.Interface, namespace, sharedClientCertSecretName string) (clientCert, clientKey, caData string, err error) {
+	secret, err := kubeclient.CoreV1().Secrets(namespace).Get(ctx, sharedClientCertSecretName, metav1.GetOptions{})
+	if err != nil {
+		return "", "", "", fmt.Errorf("could not read TLS secret %s/%s: %v", namespace, sharedClientCertSecretName, err)
+	}
+
+	certData, ok := secret.Data["tls.crt"]
+	if !ok {
+		return "", "", "", fmt.Errorf("secret %s/%s missing tls.crt", namespace, sharedClientCertSecretName)
+	}
+
+	keyData, ok := secret.Data["tls.key"]
+	if !ok {
+		return "", "", "", fmt.Errorf("secret %s/%s missing tls.key", namespace, sharedClientCertSecretName)
+	}
+
+	// CA cert can be in ca.crt (cert-manager style) or tls.crt of a separate CA secret
+	caBytes, ok := secret.Data["ca.crt"]
+	if !ok {
+		return "", "", "", fmt.Errorf("secret %s/%s missing ca.crt", namespace, sharedClientCertSecretName)
+	}
+
+	return string(certData), string(keyData), string(caBytes), nil
+}
+
 // ClusterSecretExists checks if a cluster secret exists for the given agent.
 func ClusterSecretExists(ctx context.Context, kubeclient kubernetes.Interface, namespace, agentName string) (bool, error) {
 	if _, err := kubeclient.CoreV1().Secrets(namespace).Get(ctx, getClusterSecretName(agentName), metav1.GetOptions{}); err != nil {
@@ -257,28 +302,28 @@ func generateAgentClientCert(ctx context.Context, kubeclient kubernetes.Interfac
 	// Read the CA certificate from the principal's CA secret
 	tlsCert, err := tlsutil.TLSCertFromSecret(ctx, kubeclient, namespace, caSecretName)
 	if err != nil {
-		err = fmt.Errorf("could not read CA secret: %w", err)
+		err = fmt.Errorf("could not read CA secret: %v", err)
 		return
 	}
 
 	// Parse CA certificate from PEM format
 	signerCert, err := x509.ParseCertificate(tlsCert.Certificate[0])
 	if err != nil {
-		err = fmt.Errorf("could not parse CA certificate: %w", err)
+		err = fmt.Errorf("could not parse CA certificate: %v", err)
 		return
 	}
 
 	// Generate a client cert with agent name as CN and sign it with the CA's cert and key
 	clientCert, clientKey, err = tlsutil.GenerateClientCertificate(agentName, signerCert, tlsCert.PrivateKey)
 	if err != nil {
-		err = fmt.Errorf("could not create client cert: %w", err)
+		err = fmt.Errorf("could not create client cert: %v", err)
 		return
 	}
 
 	// Convert CA certificate to PEM format
 	caData, err = tlsutil.CertDataToPEM(tlsCert.Certificate[0])
 	if err != nil {
-		err = fmt.Errorf("could not convert CA certificate to PEM format: %w", err)
+		err = fmt.Errorf("could not convert CA certificate to PEM format: %v", err)
 		return
 	}
 

internal/argocd/cluster/cluster_test.go

@@ -345,7 +345,7 @@ func Test_CreateCluster(t *testing.T) {
 	t.Run("Returns error when CA secret is missing", func(t *testing.T) {
 		kubeclient := kube.NewFakeClientsetWithResources()
 
-		err := CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr)
+		err := CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr, "")
 
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "could not generate client certificate")
@@ -356,7 +356,7 @@ func Test_CreateCluster(t *testing.T) {
 		createTestCASecret(t, kubeclient, testNamespace)
 
 		agentName := "test-agent"
-		err := CreateCluster(context.Background(), kubeclient, testNamespace, agentName, testResourceProxyAddr)
+		err := CreateCluster(context.Background(), kubeclient, testNamespace, agentName, testResourceProxyAddr, "")
 
 		require.NoError(t, err)
 
@@ -371,4 +371,124 @@ func Test_CreateCluster(t *testing.T) {
 		require.Equal(t, agentName, secret.Labels[LabelKeyClusterAgentMapping])
 		require.Equal(t, "true", secret.Labels[LabelKeySelfRegisteredCluster])
 	})
+
+	t.Run("Creates cluster secret with shared client cert", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		// Create the shared client cert secret
+		sharedSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "shared-client-cert",
+				Namespace: testNamespace,
+			},
+			Data: map[string][]byte{
+				"tls.crt": []byte("shared-cert-data"),
+				"tls.key": []byte("shared-key-data"),
+				"ca.crt":  []byte("shared-ca-data"),
+			},
+		}
+		_, err := kubeclient.CoreV1().Secrets(testNamespace).Create(context.Background(), sharedSecret, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		agentName := "test-agent-shared"
+		err = CreateCluster(context.Background(), kubeclient, testNamespace, agentName, testResourceProxyAddr, "shared-client-cert")
+
+		require.NoError(t, err)
+
+		// Verify the cluster secret was created with shared cert data
+		secret, err := kubeclient.CoreV1().Secrets(testNamespace).Get(
+			context.Background(),
+			getClusterSecretName(agentName),
+			metav1.GetOptions{},
+		)
+		require.NoError(t, err)
+		require.NotNil(t, secret)
+
+		// Verify the cluster secret contains the shared cert data (base64 encoded in JSON)
+		clusterData, ok := secret.Data["config"]
+		require.True(t, ok)
+		require.Contains(t, string(clusterData), "c2hhcmVkLWNlcnQtZGF0YQ==")
+		require.Contains(t, string(clusterData), "c2hhcmVkLWtleS1kYXRh")
+		require.Contains(t, string(clusterData), "c2hhcmVkLWNhLWRhdGE=")
+	})
+
+	t.Run("Returns error when shared client cert secret does not exist", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		err := CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr, "non-existent-secret")
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "could not read shared client certificate from secret")
+	})
+}
+
+func Test_CreateClusterWithSharedCert(t *testing.T) {
+	const testNamespace = "argocd"
+	const testResourceProxyAddr = "resource-proxy:8443"
+
+	t.Run("Returns error when shared secret is missing tls.crt", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "missing-cert",
+				Namespace: testNamespace,
+			},
+			Data: map[string][]byte{
+				"tls.key": []byte("key-data"),
+				"ca.crt":  []byte("ca-data"),
+			},
+		}
+		_, err := kubeclient.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		err = CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr, "missing-cert")
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "missing tls.crt")
+	})
+
+	t.Run("Returns error when shared secret is missing tls.key", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "missing-key",
+				Namespace: testNamespace,
+			},
+			Data: map[string][]byte{
+				"tls.crt": []byte("cert-data"),
+				"ca.crt":  []byte("ca-data"),
+			},
+		}
+		_, err := kubeclient.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		err = CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr, "missing-key")
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "missing tls.key")
+	})
+
+	t.Run("Returns error when shared secret is missing ca.crt", func(t *testing.T) {
+		kubeclient := kube.NewFakeClientsetWithResources()
+
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "missing-ca",
+				Namespace: testNamespace,
+			},
+			Data: map[string][]byte{
+				"tls.crt": []byte("cert-data"),
+				"tls.key": []byte("key-data"),
+			},
+		}
+		_, err := kubeclient.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+		require.NoError(t, err)
+
+		err = CreateCluster(context.Background(), kubeclient, testNamespace, "test-agent", testResourceProxyAddr, "missing-ca")
+
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "missing ca.crt")
+	})
 }

principal/apis/auth/auth_test.go

@@ -132,7 +132,7 @@ func Test_Authenticate(t *testing.T) {
 
 		// Create manager with self cluster registration disabled
 		kubeclient := kube.NewFakeKubeClient("argocd")
-		mgr := clusterregistration.NewClusterRegistrationManager(false, "argocd", "resource-proxy:8443", kubeclient)
+		mgr := clusterregistration.NewClusterRegistrationManager(false, "argocd", "resource-proxy:8443", "", kubeclient)
 
 		auths, err := NewServer(queues, ams, iss, WithClusterRegistrationManager(mgr))
 		require.NoError(t, err)
@@ -155,7 +155,7 @@ func Test_Authenticate(t *testing.T) {
 
 		// Create manager with self cluster registration enabled but no CA secret to make it fail
 		kubeclient := kube.NewFakeClientsetWithResources()
-		mgr := clusterregistration.NewClusterRegistrationManager(true, "argocd", "resource-proxy:8443", kubeclient)
+		mgr := clusterregistration.NewClusterRegistrationManager(true, "argocd", "resource-proxy:8443", "", kubeclient)
 
 		auths, err := NewServer(queues, ams, nil, WithClusterRegistrationManager(mgr))
 		require.NoError(t, err)

principal/clusterregistration/clusterregistration.go

@@ -28,15 +28,17 @@ type ClusterRegistrationManager struct {
 	selfClusterRegistrationEnabled bool
 	namespace                      string
 	resourceProxyAddress           string
+	sharedClientCertSecretName     string
 	kubeclient                     kubernetes.Interface
 }
 
-func NewClusterRegistrationManager(enabled bool, namespace, resourceProxyAddress string,
+func NewClusterRegistrationManager(enabled bool, namespace, resourceProxyAddress, sharedClientCertSecretName string,
 	kubeclient kubernetes.Interface) *ClusterRegistrationManager {
 	return &ClusterRegistrationManager{
 		selfClusterRegistrationEnabled: enabled,
 		namespace:                      namespace,
 		resourceProxyAddress:           resourceProxyAddress,
+		sharedClientCertSecretName:     sharedClientCertSecretName,
 		kubeclient:                     kubeclient,
 	}
 }
@@ -54,7 +56,7 @@ func (mgr *ClusterRegistrationManager) RegisterCluster(ctx context.Context, agen
 	// Check if cluster secret already exists for the given agent
 	exists, err := cluster.ClusterSecretExists(ctx, mgr.kubeclient, mgr.namespace, agentName)
 	if err != nil {
-		return fmt.Errorf("error while checking if cluster secret exists: %w", err)
+		return fmt.Errorf("error while checking if cluster secret exists: %v", err)
 	}
 
 	if exists {
@@ -65,8 +67,8 @@ func (mgr *ClusterRegistrationManager) RegisterCluster(ctx context.Context, agen
 	// Create the cluster secret
 	logCtx.Info("Registering agent's cluster")
 
-	if err := cluster.CreateCluster(ctx, mgr.kubeclient, mgr.namespace, agentName, mgr.resourceProxyAddress); err != nil {
-		return fmt.Errorf("failed to self register agent's cluster and create cluster secret: %w", err)
+	if err := cluster.CreateCluster(ctx, mgr.kubeclient, mgr.namespace, agentName, mgr.resourceProxyAddress, mgr.sharedClientCertSecretName); err != nil {
+		return fmt.Errorf("failed to self register agent's cluster and create cluster secret: %v", err)
 	}
 
 	logCtx.Info("Agent's self cluster registration completed successfully")