feat(cli): agent create can now use existing TLS certificates

[jannfis]

Assisted-by: Cursor

What does this PR do / why we need it:

The argocd-agentctl agent create command generates its own set of certificates for authenticating Argo CD to the resource proxy, using the CLI maintained PKI.

However, the argocd-agentctl pki command is not intended for production use, so users would have to roll their own cluster secrets for the use with the argocd-agent. This is error prone and not a good user experience.

This change adds the --tls-from-secret and --ca-from-secret switches to the argocd-agentctl agent create command so users will be able to use the CLI to create required configuration, while using certificates managed externally (e.g. using cert-manager or other tooling).

Which issue(s) this PR fixes:

Fixes #622

How to test changes / Special notes to the reviewer:

Checklist

• Documentation update is required by this PR (and has been updated) OR no documentation update is required.

Summary by CodeRabbit

Release Notes

• New Features
  • Added --tls-from-secret and --ca-from-secret CLI flags for agent creation, enabling TLS certificates and keys to be loaded from existing Kubernetes secrets.
  • Supports namespace-aware secret references (format: namespace/name or name).
  • Validates both TLS and CA secrets are provided together.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The changes add TLS secret handling to agent creation CLI, enabling users to source TLS certificates, keys, and CA data from existing Kubernetes secrets rather than generating them via PKI. New flags --tls-from-secret and --ca-from-secret are introduced, along with helpers for parsing secret references and extracting TLS material from secrets.

Changes

Cohort / File(s)	Summary
TLS Secret Handling cmd/ctl/agent.go	Adds unexported helpers parseSecretRef and readTLSFromExistingSecrets for parsing secret references and extracting TLS material. Extends agent creation CLI with --tls-from-secret and --ca-from-secret flags; validates both are provided together. Modifies agent creation flow to read from secrets when provided, otherwise retains existing PKI-based generation.
Test Coverage cmd/ctl/agent_test.go	Adds Test_parseSecretRef and Test_readTLSFromExistingSecrets with subtests covering secret parsing, TLS/CA reading, cross-namespace references, missing keys, and invalid TLS data using a fake Kubernetes clientset.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Straightforward Kubernetes secret reading and validation logic
• Two focused files with consistent pattern
• Helper functions follow standard patterns for secret parsing and data extraction
• Comprehensive test coverage for both happy and error paths

Areas needing attention:

• Secret reference parsing logic and namespace defaulting behavior
• TLS key pair validation implementation
• Cross-namespace secret reading permissions and behavior
• Test setup with fake clientset and certificate data manipulation

Suggested reviewers

• chetan-rns
• jgwest
• mikeshng

Poem

🐰 A secret holder's delight, no need to spin,

When cert-manager weaves its TLS within!

No PKI toil, just extract and use,

Fresh flags guide the way—nothing to lose! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: agent create command now supports reading existing TLS certificates via flags.
Linked Issues check	✅ Passed	The PR implements the core requirement from #622: agent creation now sources TLS/CA certs from existing secrets via flags, eliminating manual secret assembly.
Out of Scope Changes check	✅ Passed	Changes are limited to agent CLI, secret parsing helpers, and tests—all directly aligned with enabling TLS sourcing from existing secrets; no unrelated modifications detected.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/cli-agent-external-tls

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80babe1 and 5f4e8ac.

⛔ Files ignored due to path filters (2)

• cmd/ctl/testdata/001_test_cert.pem is excluded by !**/*.pem
• cmd/ctl/testdata/001_test_key.pem is excluded by !**/*.pem

📒 Files selected for processing (2)

• cmd/ctl/agent.go (4 hunks)
• cmd/ctl/agent_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cmd/ctl/agent.go
• cmd/ctl/agent_test.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Run unit tests
• GitHub Check: Build & cache Go code
• GitHub Check: Lint Go code
• GitHub Check: Run end-to-end tests
• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6504943 and ebab656.

📒 Files selected for processing (2)

• cmd/ctl/agent.go (4 hunks)
• cmd/ctl/agent_test.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

cmd/ctl/agent_test.go (2)

test/testutil/file.go (1)

• MustReadFile (8-19)

internal/kube/client.go (1)

• KubernetesClient (37-44)

cmd/ctl/agent.go (1)

internal/kube/client.go (1)

• KubernetesClient (37-44)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Run end-to-end tests
• GitHub Check: Build & cache Go code
• GitHub Check: Run unit tests
• GitHub Check: Lint Go code
• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (6)

cmd/ctl/agent.go (4)

111-163: Well-structured TLS secret reading logic with comprehensive error handling.

The function correctly validates that tls.crt and tls.key form a valid pair. However, it doesn't verify that the client certificate was actually signed by the provided CA certificate. While this validation will eventually occur at runtime when the agent attempts to connect, catching the mismatch earlier would improve the user experience.

Consider adding CA validation after line 143:

// Optionally validate that the client cert was signed by the CA
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(caCertData) {
	err = fmt.Errorf("invalid CA certificate in secret %s/%s", caNamespace, caSecretName)
	return
}
cert, err := x509.ParseCertificate(certData)
if err != nil {
	err = fmt.Errorf("could not parse client certificate: %w", err)
	return
}
_, err = cert.Verify(x509.VerifyOptions{Roots: certPool})
if err != nil {
	err = fmt.Errorf("client certificate in %s/%s was not signed by CA in %s/%s: %w", 
		tlsNamespace, tlsSecretName, caNamespace, caSecretName, err)
	return
}

This verification is optional and you may choose to defer it to runtime.

---

183-186: Correct validation logic for mutually required flags.

The XOR logic correctly ensures that both --tls-from-secret and --ca-from-secret must be provided together or not at all.

---

219-233: Clean conditional logic that maintains backward compatibility.

The implementation correctly switches between reading from existing secrets and generating certificates from PKI based on flag presence, while preserving the existing behavior when flags are not provided.

---

269-270: Well-documented flag definitions.

The flag descriptions clearly specify the expected secret format and required keys, which will help users understand how to use this feature.

cmd/ctl/agent_test.go (2)

251-296: Comprehensive test coverage for secret reference parsing.

The test cases cover the main scenarios including edge cases. The test on line 281-286 documents the behavior when the secret reference starts with /, which results in an empty namespace—this aligns with the concern raised in the parseSecretRef implementation review.

---

298-555: Excellent test coverage with comprehensive error path validation.

The test suite thoroughly validates both success and failure scenarios, including:

• Default and explicit namespace handling
• Missing secrets and keys
• Invalid certificate/key pairs
• Cross-namespace references

The use of a fake Kubernetes client and test data files from testdata/ directory provides robust unit testing without external dependencies.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

cmd/ctl/agent.go (2)

101-112: The empty namespace fix looks good; consider trimming whitespace.

The fix for the past review comment is properly implemented—inputs like /my-secret now resolve to the default namespace instead of returning an empty string. However, the function doesn't trim whitespace from the parsed namespace or name, which could cause Kubernetes API errors if users accidentally include spaces (e.g., namespace / name or namespace/name).

Consider adding whitespace trimming:

 func parseSecretRef(secretRef, defaultNamespace string) (namespace, name string) {
+	secretRef = strings.TrimSpace(secretRef)
 	parts := strings.SplitN(secretRef, "/", 2)
 	if len(parts) == 2 {
+		parts[0] = strings.TrimSpace(parts[0])
+		parts[1] = strings.TrimSpace(parts[1])
 		if parts[0] == "" {
 			return defaultNamespace, parts[1]
 		}
 		return parts[0], parts[1]
 	}
-	return defaultNamespace, secretRef
+	return defaultNamespace, strings.TrimSpace(secretRef)
 }

---

114-166: Solid implementation; consider validating CA certificate format.

The function correctly reads and validates the TLS certificate/key pair (line 142), which will catch configuration errors early. Error messages are clear and include the namespace/name context.

For a better user experience, consider validating that the CA data is actually a valid PEM-encoded certificate before returning:

 	caCertData, ok := caSecret.Data["ca.crt"]
 	if !ok {
 		err = fmt.Errorf("CA secret %s/%s does not contain key 'ca.crt'", caNamespace, caSecretName)
 		return
 	}
+
+	// Validate CA certificate format
+	certPool := x509.NewCertPool()
+	if !certPool.AppendCertsFromPEM(caCertData) {
+		err = fmt.Errorf("CA secret %s/%s contains invalid PEM-encoded certificate", caNamespace, caSecretName)
+		return
+	}
 
 	clientCert = string(certData)

This would provide clearer error messages at configuration time rather than cryptic runtime errors when the agent attempts to use an invalid CA certificate.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ebab656 and cae423a.

⛔ Files ignored due to path filters (2)

• cmd/ctl/testdata/001_test_cert.pem is excluded by !**/*.pem
• cmd/ctl/testdata/001_test_key.pem is excluded by !**/*.pem

📒 Files selected for processing (1)

• cmd/ctl/agent.go (4 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/ctl/agent.go (1)

internal/kube/client.go (1)

• KubernetesClient (37-44)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Build and push image
• GitHub Check: Run unit tests
• GitHub Check: Run end-to-end tests
• GitHub Check: Lint Go code
• GitHub Check: Build & cache Go code
• GitHub Check: Analyze (go)

🔇 Additional comments (3)

cmd/ctl/agent.go (3)

186-189: LGTM!

The validation correctly ensures that both --tls-from-secret and --ca-from-secret are provided together, preventing a half-configured state. The error message is clear.

---

222-236: LGTM!

The implementation cleanly separates the two paths (external secrets vs. PKI generation) while maintaining backwards compatibility. When the new flags aren't provided, the original PKI generation flow is preserved.

---

272-273: LGTM!

The flag definitions clearly document the expected format and secret keys, matching standard Kubernetes TLS secret conventions.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 69.09091% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.29%. Comparing base (09ce442) to head (5f4e8ac).

Files with missing lines	Patch %	Lines
cmd/ctl/agent.go	69.09%	17 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #676      +/-   ##
==========================================
+ Coverage   46.15%   46.29%   +0.14%     
==========================================
  Files          92       92              
  Lines       10689    10739      +50     
==========================================
+ Hits         4933     4972      +39     
- Misses       5259     5270      +11     
  Partials      497      497              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gnunn1]

I'm testing this out, a couple of things I'm running into:

1. Even when you pass in the --principal-context it still assumes the namespace is argocd, in my IMHO it should use the namespace associated with the context

$ ./argocd-agentctl agent create managed-cluster --tls-from-secret=managed-cluster-principal --ca-from-secret=argocd-agent-ca --principal-context=principal
[FATAL]: could not read TLS secret argocd/managed-cluster-principal: secrets "managed-cluster-principal" not found

Prefixing the secret name with the namespace, i.e. gitops-control-plane/managed-cluster-principal works fine.

2. I'm using cert-manager to generate certificates as per the docs here:

https://argocd-agent.readthedocs.io/latest/configuration/principal/pki-certificates/#step-1-initialize-the-pki_1

The docs create a secret for the CA which does not include the field ca.crt as creating a TLS certificate with kubectl doesn't allow for creating a CA but instead you get a tls.crt and tls.key fields. This command is expecting a ca.crt field.

$ ./argocd-agentctl agent create managed-cluster --tls-from-secret=gitops-control-plane/managed-cluster-principal --ca-from-secret=gitops-control-plane/argocd-agent-ca --principal-context=principal
[FATAL]: CA secret gitops-control-plane/argocd-agent-ca does not contain key 'ca.crt'

Should the command be able to work with a tls.crt or should I update the docs to create a secret with ca.crt and move the signing CA into a standalone secret? Updating the docs makes sense because for the agent I have a step to strip the key out of the CA secret so doing this as a standalone secret makes sense to me.

[jannfis]

I think the field name ca.crt is somewhat of a standard for storing CA certificates in either ConfigMaps or Secrets, and the server configuration requires it to be stored in ca.crt too, so I would like to leave it that way.

But I agree that in our case, it's a bit more complicated, since we refer the same secret that the CA uses to issue certificates and we're using a secret of type tls, that only accepts tls.crt and tls.key fields.

As a compromise, I could change the logic to first look for a key ca.crt and if not found, look for tls.crt.

[gnunn1]

Like I said I don't mind updating the docs to have a separate secret with ca.crt and if the underlying code expects that then even more reason to do it. I'll work on an update to the cert-manager docs over the weekend.

[gnunn1]

So using the ca.crt in argocd-agent-ca doesn't seem like it works on the Principal, only on the Agent as it looks like the Principal expects a tls.crt field? Using ca.crt for the secret on the Principal results in the Agents complaining about the CA not matching, recreating the cert with tls.crt everything works fine.

Could this be because I have jwtAllowGenerate: true set in the Operator, does the Principal need the key to sign the JWT tokens and hence the error with the Agent complaining about the CA not matching? Note there are no logs as far as I can tell in the Principal complaining about this.

Also the command argocd-agentctl pki init creates the secret on the principal with tls.crt and tls.key, I haven't tested it but assume the command argocd-agentctl agent create creates the argocd-agent-ca as a generic Opaque secret with ca.crt.

IMHO this should be consistent as with cert-manager, and presumably manual, as well it makes things complicated. So IMHO we need to do one of the following:

1. Use tls.crt everywhere for the argocd-agent-ca, this works now
2. Use ca.crt everywhere for the argocd-agent-ca, this works on Agent AFAIK but not the Principal (assuming the issue is not caused by the jwtAllowGenerate: true flag)
3. Allow both and the code figures it out.

I think there is some benefit to keeping the CA key in a different secret then what is mounted in the Principal for security purposes so using a ca.crt Opaque secret without the key for both Principal and Agent makes sense to me. However I would appreciate insight on whether jwtAllowGenerate requires the key though.

[jannfis]

The jwtAllowGenerate shouldn't affect any of this. If enabled, it will generate an RSA key instead of using one that is provided. The implications of jwtAllowGenerate set to true should only be that, once the principal restarts (and generates a new key), all previous connections to it become invalid.

[jannfis]

Also the command argocd-agentctl pki init creates the secret on the principal with tls.crt and tls.key

Yes, because this is the CA's private secret.

I haven't tested it but assume the command argocd-agentctl agent create creates the argocd-agent-ca as a generic Opaque secret with ca.crt.

It should, just like argocd-agentctl pki propagate does.

From the terminology, tls.crt and tls.key indicates that there is a TLS certificate, i.e. something you can actually use to authenticate yourself (both in case of either client or server).

A certificate stored in ca.crt indicates that there is just a certificate, no key, you can use to verify the authenticity of others (i.e. something that has been signed with the private key that corresponds to the certificate stored in ca.crt).

So, from my point of view, it makes sense to have:

1. Rename argocd-agent-ca secret on the principal to argocd-agent-private-ca, as it is generated by argocd-agentctl pki init, and have it tls.crt and tls.key entries (it is used to sign other certificates). Only used in this scenario.
2. Have an argocd-agent-ca secret on the principal, having a ca.crt entry that holds the public certificate of the CA that is issuing the certificates used within argocd-agent. This can be either the CA generated by argocd-agentctl, or an external one.
3. The argocd-agent-ca secret on the agents stay as is, i.e. having a ca.crt entry that holds the public certificate of the CA that is issuing the certificates used within argocd-agent.

[gnunn1]

Thanks, what you laid out seems very reasonable to me, thanks for the clear and succint explanation. One question about this just to confirm:

1. Rename argocd-agent-ca secret on the principal to argocd-agent-private-ca, as it is generated by argocd-agentctl pki init, and have it tls.crt and tls.key entries (it is used to sign other certificates). Only used in this scenario.

By Only used in this scenario you mean only used to generate certs and thus would never be mounted in the Principal pod?

[jannfis]

None of the secrets should actually be mounted to any of the pods. The processes use the Kubernetes client to access the secrets via the Kubernetes API.

[gnunn1]

None of the secrets should actually be mounted to any of the pods. The processes use the Kubernetes client to access the secrets via the Kubernetes API.

You lost me here, is this in the context of the process not needing the certs to be mounted? The principal and agent pods need the CA plus their specific TLS cert to be mounted in order for mTLS to work. What I was getting at is that some users will not want to have the tls.crt and tls.key for the CA that issues certificates mounted in the Principal pod, we should only need to mount the ca.crt in the Principal pod. So your solution to split them makes a lot of sense to me, so I'm just agreeing with you :)

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9856499 and 3342de8.

📒 Files selected for processing (2)

• .github/workflows/ci.yaml (2 hunks)
• hack/test.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

📚 Learning: 2025-10-31T10:37:28.008Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• hack/test.sh
• .github/workflows/ci.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Run unit tests
• GitHub Check: Run end-to-end tests
• GitHub Check: Build & cache Go code
• GitHub Check: Lint Go code
• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (2)

hack/test.sh (1)

19-19: Good addition: -failfast improves test feedback loop.

Stopping test execution at the first failure accelerates CI feedback without affecting coverage or determinism. This is a solid practice for development and CI workflows.

.github/workflows/ci.yaml (1)

206-211: Debug step enhances e2e observability.

Capturing service and pod state across both vcluster contexts helps diagnose transient failures during e2e testing. This aligns well with the TLS secret feature testing.

Consider: Should this step run conditionally on failure (if: ${{ failure() }}) to avoid noise in successful runs, or is the unconditional output intentional for post-test snapshots?

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

helm-docs v1.13.1 release date latest stable version breaking changes

💡 Result:

• Release date for helm-docs v1.13.1: March 2, 2024 (GitHub release). [1]

• Latest stable release (as of now): v1.14.2 (marked "Latest" on the project releases; published July 8, 2024). [1][2]

• Breaking changes in v1.13.1: none listed — the v1.13.1 release is primarily dependency fixes and documentation updates (chore: update golang.org/x/crypto, update default template/docs). No breaking/API changes recorded for that release. [2]

• Security note: a CVE was later reported affecting older versions; maintainers / distributors recommend upgrading to ≥ v1.14.2. [3]

Sources:

1. norwoodj/helm-docs releases (GitHub).
2. Package changelog / update log (openSUSE Build Service) — v1.13.1 changelog.
3. Snyk / vulnerability advisory recommending upgrade to 1.14.2.

---

🏁 Script executed:

# Check the CI workflow context around the helm-docs version usage
cd .github/workflows && head -300 ci.yaml | tail -50

Repository: argoproj-labs/argocd-agent

Length of output: 2096

---

Upgrade helm-docs to v1.14.2 for security.

The version is pinned to v1.13.1 (released March 2024), but v1.14.2 is the current latest stable (July 2024). While v1.13.1 has no breaking changes, a security vulnerability was reported in versions before v1.14.2; upgrading to the latest version is recommended to mitigate this risk.

🤖 Prompt for AI Agents

.github/workflows/ci.yaml around line 274: the workflow pins helm-docs to
version v1.13.1 which has a reported security issue; update the pinned version
to v1.14.2. Modify the workflow step that sets the helm-docs version to use
v1.14.2 (replace v1.13.1 with v1.14.2) and verify the action runs successfully
in CI; if the version is referenced elsewhere in the file update those
occurrences as well.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

275-275: Helm-docs version security update (pre-existing issue).

This version pin was already flagged in a previous review. Version v1.13.1 has a security vulnerability; upgrading to v1.14.2 is recommended.

If not already addressed elsewhere, please upgrade helm-docs to v1.14.2.

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

206-212: Consider a more descriptive step name.

The step "Display something" is vague. Given that it displays cluster resources for debugging on failure, consider renaming it to something like "Display cluster state on failure" or "Display Kubernetes resources for debugging."

-      - name: Display something
+      - name: Display cluster state on failure

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3342de8 and f6e0e94.

📒 Files selected for processing (2)

• .github/workflows/ci.yaml (2 hunks)
• test/run-e2e.sh (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

📚 Learning: 2025-10-31T10:37:28.008Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• .github/workflows/ci.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Build and push image
• GitHub Check: Run end-to-end tests
• GitHub Check: Build & cache Go code
• GitHub Check: Run unit tests
• GitHub Check: Lint Go code
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

test/run-e2e.sh (1)

23-23: Good practice: faster feedback with -failfast.

Adding -failfast to the test invocation improves CI feedback by exiting on the first failure, which aligns well with the e2e test enhancements in this PR.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

285-285: Helm-docs version remains unpinned against prior security recommendation.

A previous review flagged helm-docs v1.13.1 as having a reported security vulnerability and recommended upgrading to v1.14.2 (the current stable, released July 2024). The version pinning remains unchanged in this PR.

If the security upgrade was deferred, please confirm this is intentional. Otherwise, apply the recommended upgrade to v1.14.2.

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

206-222: Good addition: enhanced e2e failure diagnostics.

The new "Display something" step provides valuable debugging output when e2e tests fail, showing services, pods, deployments, and nodes across both vcluster contexts. The conditional if: ${{ failure() }} ensures it runs only on test failures, and the placement before log uploads is logical. This improves observability for diagnosing e2e test issues.

These kubectl output captures are helpful for troubleshooting. Consider also capturing events (kubectl get events) in the future if pod startup or networking issues emerge during e2e debugging.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc05bf5 and 0aece7c.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:28.008Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• .github/workflows/ci.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Lint Go code
• GitHub Check: Build & cache Go code
• GitHub Check: Run end-to-end tests
• GitHub Check: Run unit tests
• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

[jannfis]

The principal and agent pods need the CA plus their specific TLS cert to be mounted in order for mTLS to work

Technically, they need access to the data in the secret. The pods do not mount the secret, though, see

argocd-agent/install/kubernetes/principal/principal-deployment.yaml

Line 259 in c9d7253

volumes:

and

argocd-agent/install/kubernetes/agent/agent-deployment.yaml

Line 176 in c9d7253

volumes:

.

Both perform a direct Kube API request to read the data from the secret.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

.github/workflows/ci.yaml (1)

321-321: Unresolved: Upgrade helm-docs to v1.14.2 for security.

The version is still pinned to v1.13.1, which has a reported security vulnerability. A previous review flagged this concern; upgrading to v1.14.2 (the current stable release from July 2024) mitigates the risk.

-          version: v1.13.1
+          version: v1.14.2

🧹 Nitpick comments (1)

.github/workflows/ci.yaml (1)

209-258: Step name "Display something" is too vague; consider a more descriptive name.

The debugging step provides comprehensive failure diagnostics across control plane and agent vcluster contexts. However, the step name does not convey its purpose. Rename to something like "Display diagnostic information on failure" or "Collect debug details" to improve clarity.

-      - name: Display something
+      - name: Display diagnostic information on failure

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d597bd3 and 0799aae.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml (5 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:28.008Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:28.008Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• .github/workflows/ci.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Run end-to-end tests
• GitHub Check: Run unit tests
• GitHub Check: Build & cache Go code
• GitHub Check: Lint Go code
• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

.github/workflows/ci.yaml (1)

166-166: Disk diagnostics additions improve operational visibility.

The df -h insertions provide valuable context for debugging resource constraints during CI setup. These are non-invasive improvements.

Also applies to: 175-175, 191-191