  1. OpenShift GitOps
  2. GITOPS-8094

Argo agent: Unable to run agent in secure mode


    • Bug
    • Resolution: Done
    • Major
    • 1.19.0
    • GitOps Crimson Sprint 24

      Description of Problem

      Agent pod fails to come up with tlsClientInSecure set to 'false'

      Additional Info

      With default values for tlsClientKeyPath, tlsClientCertPath and tlsRootCAPath:

      tlsClientKeyPath: "/app/config/tls/tls.key"
      tlsClientCertPath: "/app/config/tls/tls.crt"
      tlsRootCAPath: "/app/config/tls/ca.crt"

      $ oc logs -f argocd-agent-agent-7c9d74f847-59482 -n argocd
      time="2025-11-04T06:17:50Z" level=info msg="Loading root CA certificate from file /app/config/tls/ca.crt"
      time="2025-11-04T06:17:50Z" level=info msg="Loading client TLS configuration from files cert=/app/config/tls/tls.crt and key=/app/config/tls/tls.key"
      [FATAL]: Error creating remote: open /app/config/tls/ca.crt: no such file or directory 

      Problem Reproduction

      • Creating agent using 'helm install' with tlsClientInSecure set to 'false' (default setting)

      Reproducibility

      • Always

      Prerequisites/Environment

      • Regular OCP with 1.19 RC

      Steps to Reproduce

      • Install 1.19 RC
      • Create agent using helm install (I was using a locally built chart)
      helm install argocd-agent /home/varshab/argocd-agent/argocd-agent-agent-0.1.0.tgz --version 0.1.0 --set logLevel="debug" --set agentMode=${mode} --set server=${route} --set namespaceOverride=argocd 

      Expected Results

      • agent pod is up and running

      Actual Results

      • agent pod fails to come up as it's unable to find the ca.crt file

      Problem Analysis

      • <Completed by engineering team as part of the triage/refinement process>

      Root Cause

      • <What is the root cause of the problem? Or, why is it not a bug?>

      Workaround (If Possible)

      • If the values are set to empty strings:
        $ oc logs argocd-agent-agent-7c9d74f847-89r8d -n argocd
        time="2025-11-04T08:14:52Z" level=info msg="Loading root CA certificate from secret argocd/argocd-agent-ca"
        time="2025-11-04T08:14:52Z" level=info msg="Loading client TLS certificate from secret argocd/argocd-agent-client-tls"
        [FATAL]: Error creating remote: could not read secret: secrets "argocd-agent-ca" not found 

        Run the `argocd-agentctl pki propagate` command

      Fix Approaches

      • <If we decide to fix this bug, how will we do it?>

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              rh-ee-ansingh Anand Singh
              rhn-support-vab Varsha B
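
The two fatal errors quoted in this ticket differ only in where the agent looked for its TLS material (files at the configured paths, or secrets when the paths are empty). The following is an added example, not part of the original ticket or of argocd-agent: a shell triage helper that classifies agent log output by source and failure. The function names and the output format are assumptions made for this example; the matched strings are the log lines shown above.

```bash
#!/usr/bin/env bash
# Added example (not argocd-agent code): classify agent startup logs by where
# TLS material was loaded from and which fatal error, if any, followed.
# Input: log text on stdin. Output: "<source>:<status>:<detail>".
diagnose_agent_tls() (
  src="unknown"; status="ok"; detail=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'Loading root CA certificate from file '*)   src="file" ;;
      *'Loading root CA certificate from secret '*) src="secret" ;;
      *'Error creating remote: open '*': no such file or directory'*)
        status="missing-file"
        detail=${line#*'Error creating remote: open '}
        detail=${detail%%': no such file or directory'*} ;;
      *'could not read secret: secrets "'*'" not found'*)
        status="missing-secret"
        detail=${line#*'secrets "'}
        detail=${detail%%'"'*} ;;
    esac
  done
  printf '%s:%s:%s\n' "$src" "$status" "$detail"
)

# Map a diagnosis to the next step recorded in the ticket's workaround.
# Both steps keep tlsClientInSecure at 'false'.
remediation_hint() {
  case "$1" in
    *:missing-file:*)   echo "no files at the configured tls*Path values; set them to empty strings so the agent reads the secrets" ;;
    *:missing-secret:*) echo "secret not found; run: argocd-agentctl pki propagate" ;;
    *:ok:*)             echo "no TLS material error in this log" ;;
    *)                  echo "unrecognised diagnosis" ;;
  esac
}

# Sample input: the first log excerpt quoted in this ticket.
sample_log='time="2025-11-04T06:17:50Z" level=info msg="Loading root CA certificate from file /app/config/tls/ca.crt"
[FATAL]: Error creating remote: open /app/config/tls/ca.crt: no such file or directory'

result=$(printf '%s\n' "$sample_log" | diagnose_agent_tls)
echo "$result"
remediation_hint "$result"
```

Against a live pod, pipe the output of `oc logs` for the agent pod into `diagnose_agent_tls` instead of the sample.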