Skip to content

Add a 'check-config' command to argocd-agentctl which will verify the user's configuration #581

New issue
New issue
Open
Feature
Open
Add a 'check-config' command to argocd-agentctl which will verify the user's configuration#581
Feature
Assignees
jgwest
Labels
enhancementNew feature or request
@jgwest

Description

@jgwest
jgwest
opened on Sep 25, 2025

Is your feature request related to a problem? Please describe.

Configuration of argocd-agent can be complex, due to:

  • various interlocking certificates that need to be configured for auth
  • multiple workloads to configure: both argo cd and argo cd agent
  • multiple possibles modes to configure for agents: managed, autonomous
  • multiple possible k8s configurations: argocd agent install via argocd-operator, or argocd agent install via standalone.
  • etc.

It would be beneficial to provide a tool that can verify the sanity of the configuration as much as possible.

As an example of the kind of problems one can face, see the Slack threads I linked below where a user hit a number of configuration issues (granted many of them were due to product issues we have already addressed, or are addressing).

Describe the solution you'd like

The format of the proposed argocd-agentctl command might look like this:

argocd-agentctl check-config agent --agent-context <workload context> --agent-namespace <workload namespace> --principal-context <principal context> --principal-namespace <principal namespace>
argocd-agentctl check-config principal --principal-context <principal context> --principal-namespace <principal namespace>

NOTE: command name is placeholder, I'm using 'check-config' as the command name, we could use or 'pki check-config', or something else entirely if folks have better ideas.

When you run the argocd-agentctl check-config agent, it will verify the agent configuration is correct, and matches the principal configuration.

  • Notice that the argocd-agentctl check-config agent takes both agent-context/namespace and principal-context/namespace as parameters.

When you run the argocd-agentctl check-config principal command, it will verify the principal configuration is correct (no expired certificates, host names match the certificate, etc.)

See the documentation https://github.com/argoproj-labs/argocd-agent/blob/main/docs/getting-started/openshift/index.md and https://github.com/argoproj-labs/argocd-agent/blob/main/docs/getting-started/kubernetes/index.md for how we currently tell users to setup the resources, and thus what our command needs to check.

Example of checks we can perform

The list of checks to perform is TBD, but here is some brainstorming of what we can check:

Principal:

  • Argo CD instance must be cluster scoped.

  • Apps in any Namespace must be enabled for Hub Cluster.

  • Secrets:

    • Check that TLS secret ips/dns match Route host (openshift-only)
    • Check that TLS secret containing the public CA certificate used by Argo CD-agent components
    • Check that TLS secret containing the certificate and private key used by the principal's gRPC service
    • Check that TLS secret containing the certificate and private key used by the principal's resource proxy
    • Check that secret containing the private RSA key used to sign JWT issued by the principal

Agent:

  • Ensure that agent TLS secrets are signed by principal cert
  • Ensure certs are not expired
  • Ensure that there exists a namespace on principal that has the same name as the argocd-agent
  • etc

The output of the command might look like this:

> argocd-agentctl check-config agent --agent-context <workload context> --agent-namespace <workload namespace> --principal-context <principal context> --principal-namespace <principal namespace>

mTLS certificates:
* Verifying principal public CA certificate exists and is valid: ✅
* Verifing agent mTLS certificate exists and is not expired: ✅
* Verifing agent mTLS certificate is signed by principal CA certificate: ✅

Workload configuration:
* Verifying principal is accessible from internet: ✅
* Verifying argocd-agent points to correct principal API address: ❌
ERROR: argocd-agent is attempting to connect to principal at '(...)', but principal is accessible at '(...). To bypass this check, specify: --bypass-agent-api-check

Completion Criteria:

  • Brainstorm and implement verification logic for the checks we can thnk of
    • Verification logic should work with both kubernetes and argocd-operator ArgoCD CR (openshift) configurations of agent
  • Commands implemented as above, as cobra commands
  • E2E tests to verify functionality

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

Feature

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions