Skip to content

docs: Document agent self-registration#778

Open
jannfis wants to merge 5 commits into
mainfrom
docs/self-registration
Open

docs: Document agent self-registration#778
jannfis wants to merge 5 commits into
mainfrom
docs/self-registration

Conversation

@jannfis

@jannfis jannfis commented Mar 2, 2026

Copy link
Copy Markdown
Collaborator

Assisted-by: Cursor

What does this PR do / why we need it:

Document changes introduced by #736

Which issue(s) this PR fixes:

Fixes #?

How to test changes / Special notes to the reviewer:

Checklist

  • Documentation update is required by this PR (and has been updated) OR no documentation update is required.

Summary by CodeRabbit

  • Documentation
    • Added experimental Agent self-registration configuration with enablement and client-secret options and warnings.
    • New detailed self-registration user guide explaining prerequisites, setup, runtime behavior, verification, and security considerations.
    • Added a quick tip about automated Agent onboarding to the user guide.
    • Updated site navigation to expose self-registration docs.
    • Added operational docs for JWT signing key management (create/inspect/delete workflows, examples, and security guidance).

Signed-off-by: jannfis <jann@mistrust.net>
Assisted-by: Cursor
@coderabbitai

coderabbitai Bot commented Mar 2, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

Adds experimental Agent self‑registration documentation: a new user guide, principal configuration entries, mkdocs navigation, and detailed argocd-agentctl JWT key CLI docs. All changes are documentation-only; no code or API surface modifications.

Changes

Cohort / File(s) Summary
Principal configuration
docs/configuration/reference/principal.md
Inserted "Experimental Self-Registration Configuration" section documenting two new config items: --enable-self-cluster-registration and --self-registration-client-secret with warnings and usage notes.
User guides
docs/user-guide/self-registration.md, docs/user-guide/adding-agents.md
Added full experimental self-registration user guide and an informational tip about Agent self-registration in the adding-agents guide.
Operations / CLI docs
docs/operations/jwt-signing-keys.md
New CLI documentation for argocd-agentctl jwt subcommands (create-key, inspect-key, delete-key), options, examples, key specs, secret conventions, and security/troubleshooting guidance.
Site navigation
mkdocs.yml
Added "Agent self-registration (Experimental)" entry under the User guide navigation.

Sequence Diagram(s)

sequenceDiagram
  participant Agent
  participant Principal
  participant ArgoCD_API as ArgoCD API
  participant K8s as Kubernetes Secret Store

  Agent->>Principal: Connect using shared client TLS cert + auth request
  Principal->>Principal: Validate auth + check self-registration enabled
  alt No manual cluster secret exists
    Principal->>ArgoCD_API: Request create cluster secret for Agent
    ArgoCD_API->>K8s: Persist cluster secret (labels/annotations)
    ArgoCD_API-->>Principal: Acknowledge secret creation
  else Manual cluster secret present
    Principal-->>ArgoCD_API: Skip creation (use manual secret)
  end
  Principal-->>Agent: Return tokens (JWT) and client details
  Note right of Agent: Token refresh occurs automatically when JWT keys rotate
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • jgwest
  • chetan-rns

Poem

🐰 I hopped through docs with a nibble and grin,

Wrote steps for agents to quietly slip in.
Keys, secrets, and tokens set out on the trail,
Experimental paths for clusters to hail.
🥕 Hooray — onboarding made tiny and hale!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main purpose of the pull request: adding documentation for the agent self-registration feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch docs/self-registration

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Signed-off-by: jannfis <jann@mistrust.net>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
docs/configuration/reference/principal.md (1)

337-337: Consider adding a brief security note.

Since self-registration allows agents to automatically create cluster secrets, it might be helpful to add a brief note about security implications (e.g., that this delegates trust to any agent with valid credentials, and operators should ensure proper certificate issuance controls). This could be here or in the referenced user guide.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/configuration/reference/principal.md` at line 337, Add a short security
note to the experimental self-registration description that warns operators
about the trust delegation and recommends controls: mention that enabling
self-registration (requires --enable-resource-proxy and
--self-registration-client-cert-secret) allows any agent with valid credentials
to create cluster secrets, advise restricting certificate issuance, auditing
registrations, and limiting scope/TTL of created secrets; place this note inline
after the existing sentence or add a brief "Security" subsection and mirror a
similar note in the referenced self-registration user guide.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/user-guide/adding-agents.md`:
- Around line 5-8: The repository references
docs/user-guide/self-registration.md but the file is missing; either add a new
docs/user-guide/self-registration.md with the intended content (matching the
cross-reference text used in adding-agents.md) or remove/update both references:
the inline link "./self-registration.md" in docs/user-guide/adding-agents.md and
the navigation entry "user-guide/self-registration.md" in mkdocs.yml so they no
longer point to a non-existent page; ensure the chosen fix keeps the wording
consistent with the tip label "Agent self-registration (Experimental)" in
adding-agents.md.

---

Nitpick comments:
In `@docs/configuration/reference/principal.md`:
- Line 337: Add a short security note to the experimental self-registration
description that warns operators about the trust delegation and recommends
controls: mention that enabling self-registration (requires
--enable-resource-proxy and --self-registration-client-cert-secret) allows any
agent with valid credentials to create cluster secrets, advise restricting
certificate issuance, auditing registrations, and limiting scope/TTL of created
secrets; place this note inline after the existing sentence or add a brief
"Security" subsection and mirror a similar note in the referenced
self-registration user guide.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f187412 and 3c7406d.

📒 Files selected for processing (3)
  • docs/configuration/reference/principal.md
  • docs/user-guide/adding-agents.md
  • mkdocs.yml

Comment thread docs/user-guide/adding-agents.md
Signed-off-by: jannfis <jann@mistrust.net>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/user-guide/self-registration.md`:
- Around line 151-154: Update the fenced code blocks in
docs/user-guide/self-registration.md so they declare a language: change the log
block containing "INFO Creating self-registered cluster secret for agent 
agent=my-agent" / "INFO Successfully created self-registered cluster secret..."
to use a log/text fence (e.g., ```text or ```log) and change the label snippet
that contains argocd-agent.argoproj-labs.io/self-registered-cluster: "true" to
use a yaml fence (```yaml); locate the blocks by the shown log lines and the
label line and replace the opening ``` with the appropriate language-tagged
fence.
- Around line 96-100: Update the paragraph referencing the argocd-agentctl
command to explicitly note that argocd-agentctl pki issue agent requires both
--agent-context and --principal-context to be set (and that you must add
--same-context when the agent and principal are the same), or add a link to the
CLI docs showing these flags; mention the exact flags (--agent-context,
--principal-context, --same-context) and where to add them so users don’t omit
them when running argocd-agentctl pki issue agent.
- Around line 40-42: The docs mention "header-based" auth but lack a prominent
hardening warning; add a clearly marked warning block under "Security
Considerations" titled something like "Warning: Header-based authentication
hardening" that states the principal must never be externally reachable,
explains risks of header injection, and prescribes protecting the principal via
localhost-only binds or service-mesh (sidecar) policies; include explicit
guidance for localhost/service-mesh protection and Istio-specific caveats, and
add a link to the detailed principal authentication guidance page (the principal
auth guidance referenced in the repo) so readers can follow mitigation
steps—also replicate the same warning near the other mention of header-based
auth later in the document where header-based is discussed.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c7406d and 910aca0.

📒 Files selected for processing (2)
  • docs/operations/jwt-signing-keys.md
  • docs/user-guide/self-registration.md
✅ Files skipped from review due to trivial changes (1)
  • docs/operations/jwt-signing-keys.md

Comment thread docs/user-guide/self-registration.md
Comment thread docs/user-guide/self-registration.md
Comment thread docs/user-guide/self-registration.md
@codecov-commenter

codecov-commenter commented Mar 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.51%. Comparing base (f187412) to head (342dc12).
⚠️ Report is 158 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #778      +/-   ##
==========================================
+ Coverage   47.48%   47.51%   +0.02%     
==========================================
  Files         104      104              
  Lines       13344    13344              
==========================================
+ Hits         6336     6340       +4     
+ Misses       6404     6399       -5     
- Partials      604      605       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@mikeshng mikeshng left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good doc. I was able to follow it and get it working. Some nits below:

Comment thread docs/user-guide/self-registration.md Outdated
Comment thread docs/user-guide/self-registration.md Outdated
!!! important
The client certificate must be trusted by the resource proxy's CA. If you are
using the argocd-agent PKI, you can issue a client certificate with
`argocd-agentctl pki issue agent` and use its `tls.crt` and `tls.key` along

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to reiterate this pki subcommand is not meant for production use here? No strong opinion either way.


```bash
ARGOCD_PRINCIPAL_ENABLE_SELF_CLUSTER_REGISTRATION=true
ARGOCD_PRINCIPAL_SELF_REGISTRATION_CLIENT_CERT_SECRET=argocd-agent-shared-client-cert

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is meant for local dev env testing?

To do it for deployment we need to modify the principal configmap and/or deployment but I don't see available options in https://github.com/argoproj-labs/argocd-agent/tree/main/install/kubernetes/principal configured to be false etc.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, I think this was missed in the original PR. We need to fix that.

Co-authored-by: Mike Ng <ming@redhat.com>
Signed-off-by: Jann Fischer <jann@mistrust.net>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
docs/user-guide/self-registration.md (1)

151-154: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks (markdownlint MD040).

Line 151 and Line 177 use unlabeled fences; this will keep markdownlint warnings active.

Suggested doc diff
-```
+```text
 INFO Creating self-registered cluster secret for agent  agent=my-agent
 INFO Successfully created self-registered cluster secret with shared client cert and bearer token

- +yaml
argocd-agent.argoproj-labs.io/self-registered-cluster: "true"

Also applies to: 177-179

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/user-guide/self-registration.md` around lines 151 - 154, The two
unlabeled fenced code blocks containing the log lines starting with "INFO
Creating self-registered cluster secret for agent  agent=my-agent" / "INFO
Successfully created self-registered cluster secret ..." and the YAML block with
"argocd-agent.argoproj-labs.io/self-registered-cluster: \"true\"" should be
updated to include language identifiers; change the log block fences to ```text
and the YAML block fences to ```yaml so markdownlint MD040 warnings are resolved
and syntax highlighting is applied.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@docs/user-guide/self-registration.md`:
- Around line 151-154: The two unlabeled fenced code blocks containing the log
lines starting with "INFO Creating self-registered cluster secret for agent 
agent=my-agent" / "INFO Successfully created self-registered cluster secret ..."
and the YAML block with "argocd-agent.argoproj-labs.io/self-registered-cluster:
\"true\"" should be updated to include language identifiers; change the log
block fences to ```text and the YAML block fences to ```yaml so markdownlint
MD040 warnings are resolved and syntax highlighting is applied.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 910aca0 and aab1397.

📒 Files selected for processing (1)
  • docs/user-guide/self-registration.md

Signed-off-by: Jann Fischer <jann@mistrust.net>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
docs/user-guide/self-registration.md (1)

149-152: ⚠️ Potential issue | 🟡 Minor

Add explicit fence languages for Markdown lint compliance.

Line 149 and Line 175 still use unlabeled fenced blocks, which triggers MD040. Please annotate them (text for logs, yaml for the label snippet).

Suggested doc patch
-```
+```text
 INFO Creating self-registered cluster secret for agent  agent=my-agent
 INFO Successfully created self-registered cluster secret with shared client cert and bearer token

- +yaml
argocd-agent.argoproj-labs.io/self-registered-cluster: "true"

Also applies to: 175-177

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/user-guide/self-registration.md` around lines 149 - 152, The Markdown
has unlabeled fenced code blocks; replace the fence before the log block that
starts with "INFO Creating self-registered cluster secret for agent 
agent=my-agent" with a text-fenced block (use ```text) and replace the fence
before the label snippet that contains
'argocd-agent.argoproj-labs.io/self-registered-cluster: "true"' with a
yaml-fenced block (use ```yaml) — update both occurrences (the log example and
the label snippet) so the fenced blocks include the appropriate language labels
for MD040 compliance.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@docs/user-guide/self-registration.md`:
- Around line 149-152: The Markdown has unlabeled fenced code blocks; replace
the fence before the log block that starts with "INFO Creating self-registered
cluster secret for agent  agent=my-agent" with a text-fenced block (use ```text)
and replace the fence before the label snippet that contains
'argocd-agent.argoproj-labs.io/self-registered-cluster: "true"' with a
yaml-fenced block (use ```yaml) — update both occurrences (the log example and
the label snippet) so the fenced blocks include the appropriate language labels
for MD040 compliance.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aab1397 and 342dc12.

📒 Files selected for processing (1)
  • docs/user-guide/self-registration.md

@jparsai

jparsai commented Mar 4, 2026

Copy link
Copy Markdown
Collaborator

It's a detailed doc and covers everything about self agent registration feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants