Story (Required)

See https://github.com/argoproj-labs/argocd-agent/issues/581 for details.

Acceptance Criteria

• See GitHub link above for general explanation of this feature.
• Implement 2 commands via cobra:
  • 'argocd-agentctl check-config agent' and 'argocd-agentctl check-config principal'
    • For 'argocd-agentctl check-config agent', user must specify all four of these parameters (that is, none are optional): --agent-context <workload context> --agent-namespace <workload namespace> --principal-context <principal context> --principal-namespace <principal namespace>
    • For 'argocd-agentctl check-config principal', user must specify '-principal-namespace <principal namespace>'. '-principal-context <principal context>' should be available, but is optional.
  • That is, implement check-config command with agent/principal subcommands.
• There are many things we could check with this feature. Let's start out with a minimum list of checks.
• Here are my suggestions:
• Initially, 'argocd-agentctl check-config principal' can check:
  • Check that TLS secret in principal namespace contains the public CA certificate used by Argo CD-agent components (Secret argocd-agent-ca)
  • Check that TLS secret in principal namespaces contains the certificate and private key used by the principal's gRPC service (Secret argocd-agent-principal-tls)
  • Check that TLS secret in principal namespace the certificate and private key used by the principal's resource proxy (Secret argocd-agent-resource-proxy-tls)
  • Check that secret in principal namespace exists containing the private RSA key used to sign JWT issued by the principal (Secret argocd-agent-jwt)
• Initially, 'argocd-agentctl check-config agent' will check:
  • Ensure that agent contains a Secret which includes the CA cert (Secret argocd-agent-ca)
  • Ensure that agent TLS secrets exist, and are signed by CA cert (Secret argocd-agent-client-tls)
  • Ensure that there exists a namespace on principal that has the same name as the subject of the argocd-agent cert
    • For example, if the subject on the certificate is 'jonathans-cluster', there should exist a namespace with the name 'jonathans-cluster' on principal cluster
  • Plus, since 'argocd-agentctl check-config agent' necessarily includes '-principal-namespace <principal namespace>'. '-principal-context <principal context>', we can also run the principal checks (described above) as part of this command.
• Above commands contributed to argocd-agent repository
• Unit tests for above (I don't think we need E2E tests for this, at this time)

Helpful Resources:

• More information on how these Secrets are created can be found in argocd-agent docs: https://github.com/argoproj-labs/argocd-agent/blob/main/docs/getting-started/openshift/index.md
• Gerald has a document here explaining some of the secrets: https://docs.google.com/document/d/1RJ6_Bc-rmfWbQEq0jrMJq8T7YlAcp4eJ5wck76_Gfxo/edit?tab=t.0
• How to check the contents of certificates? See 'x509.ParseCertificate' calls in argocd-agent codebase. How to validate the a certificate is signed by CA? 'CheckSignatureFrom', says Gemini.

Definition of Done

• Code Complete:
  • All code has been written, reviewed, and approved.
• Tested:
  • Unit tests have been written and passed.
  • Ensure code coverage is not reduced with the changes.
  • Integration tests have been automated.
  • System tests have been conducted, and all critical bugs have been fixed.
  • Tested and merged on OpenShift either upstream or downstream on a local build.
• Documentation:
  • User documentation or release notes have been written (if applicable).
• Build:
  • Code has been successfully built and integrated into the main repository / project.
  • Midstream changes (if applicable) are done, reviewed, approved and merged.
• Review:
  • Code has been peer-reviewed and meets coding standards.
  • All acceptance criteria defined in the user story have been met.
  • Tested by reviewer on OpenShift.
• Deployment:
  • The feature has been deployed on OpenShift cluster for testing.