fix: Remove username/password from CLI's create agent function (#564)

Signed-off-by: jannfis <[email protected]>

Author: jannfis

cmd/ctl/agent.go

@@ -15,7 +15,6 @@
 package main
 
 import (
-	"bufio"
 	"bytes"
 	"context"
 	"crypto/tls"
@@ -26,7 +25,6 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"syscall"
 	"text/tabwriter"
 	"time"
 
@@ -39,7 +37,6 @@ import (
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/util/db"
 	"github.com/spf13/cobra"
-	"golang.org/x/term"
 	"gopkg.in/yaml.v3"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -103,10 +100,8 @@ func generateAgentClientCert(agentName string, clt *kube.KubernetesClient) (clie
 
 func NewAgentCreateCommand() *cobra.Command {
 	var (
-		rpServer   string
-		rpUsername string
-		rpPassword string
-		addLabels  []string
+		rpServer  string
+		addLabels []string
 	)
 	command := &cobra.Command{
 		Short: "Create a new agent configuration",
@@ -150,35 +145,6 @@ func NewAgentCreateCommand() *cobra.Command {
 				cmdutil.Fatal("Agent %s exists.", agentName)
 			}
 
-			// Get desired credentials from the user
-			if rpUsername == "" {
-				var err error
-				reader := bufio.NewReader(os.Stdin)
-				fmt.Print("Username: ")
-				rpUsername, err = reader.ReadString('\n')
-				if err != nil {
-					cmdutil.Fatal("%v", err)
-				}
-			}
-			if rpUsername != "" && rpPassword == "" {
-				fmt.Print("Password: ")
-				pass1, err := term.ReadPassword(int(syscall.Stdin))
-				fmt.Println()
-				if err != nil {
-					cmdutil.Fatal("%v", err)
-				}
-				fmt.Print("Repeat password: ")
-				pass2, err := term.ReadPassword(int(syscall.Stdin))
-				fmt.Println()
-				if err != nil {
-					cmdutil.Fatal("%v", err)
-				}
-				if string(pass1) != string(pass2) {
-					cmdutil.Fatal("Passwords don't match.")
-				}
-				rpPassword = string(pass1)
-			}
-
 			clientCert, clientKey, caData, err := generateAgentClientCert(agentName, clt)
 			if err != nil {
 				cmdutil.Fatal("%v", err)
@@ -195,8 +161,6 @@ func NewAgentCreateCommand() *cobra.Command {
 						KeyData:  []byte(clientKey),
 						CAData:   []byte(caData),
 					},
-					Username: rpUsername,
-					Password: rpPassword,
 				},
 			}
 
@@ -219,8 +183,6 @@ func NewAgentCreateCommand() *cobra.Command {
 		},
 	}
 	command.Flags().StringVar(&rpServer, "resource-proxy-server", "argocd-agent-resource-proxy:9090", "Address of principal's resource-proxy")
-	command.Flags().StringVar(&rpUsername, "resource-proxy-username", "", "The username for the resource-proxy")
-	command.Flags().StringVar(&rpPassword, "resource-proxy-password", "", "The password for the resource-proxy")
 	command.Flags().StringSliceVarP(&addLabels, "label", "l", []string{}, "Additional labels for the agent")
 	return command
 }

docs/user-guide/adding-agents.md

@@ -65,7 +65,8 @@ argocd-agentctl jwt create-key \
   --upsert
 ```
 
-**Important**: Replace `<control-plane-context>`, `<principal-ip-addresses>`, and `<principal-dns-names>` with your actual values.
+!!! important
+    Replace `<control-plane-context>`, `<principal-ip-addresses>`, and `<principal-dns-names>` with your actual values.
 
 ## Step 2: Create Agent Configuration
 
@@ -75,35 +76,20 @@ Create the agent configuration on the principal cluster:
 argocd-agentctl agent create <agent-name> \
   --principal-context <control-plane-context> \
   --principal-namespace argocd \
-  --resource-proxy-server <principal-ip>:9090 \
-  --resource-proxy-username <agent-name> \
-  --resource-proxy-password <secure-password>
+  --resource-proxy-server <resource-proxy-service-name>:9090 
 ```
 
-### Interactive vs Non-Interactive Mode
+The resource proxy service's name is usually `argocd-agent-resource-proxy`.
 
-**Interactive Mode** (recommended for development):
-
-```bash
-argocd-agentctl agent create production-cluster
-# CLI will prompt for username and password
-```
-
-**Non-Interactive Mode** (for automation):
-
-```bash
-argocd-agentctl agent create production-cluster \
-  --resource-proxy-username production-cluster \
-  --resource-proxy-password "$(openssl rand -base64 32)"
-```
+!!! important
+    The value given as `resource-proxy-service-name` must match a SAN entry in your resource proxy's TLS certificate
 
 ### What This Command Does
 
 1. **Creates Cluster Secret**: Stores agent configuration as an Argo CD cluster secret
-2. **Generates Client Certificate**: Creates mTLS certificate for agent authentication  
-3. **Configures Resource Proxy**: Sets up credentials for live resource viewing
-4. **Validates Agent Name**: Ensures the agent name meets requirements
-5. **Prevents Duplicates**: Checks that the agent doesn't already exist
+2. **Generates Client Certificate**: Creates mTLS certificate for Argo CD to authenticate to the resource proxy
+3. **Validates Agent Name**: Ensures the agent name meets requirements
+4. **Prevents Duplicates**: Checks that the agent doesn't already exist
 
 ## Step 3: Issue Agent Client Certificate
 
@@ -118,6 +104,7 @@ argocd-agentctl pki issue agent <agent-name> \
 ```
 
 This command:
+
 - Generates a client certificate signed by the principal's CA
 - Stores the certificate in the agent's cluster as a Kubernetes secret
 - Configures the certificate with the agent's name as the subject
@@ -139,6 +126,7 @@ kubectl create namespace <agent-name> --context <control-plane-context>
 ### Option A: Using Kubernetes Manifests
 
 1. **Create Authentication Secret**:
+
 ```bash
 kubectl create secret generic argocd-agent-agent-userpass \
   --from-literal=credentials="userpass:<agent-name>:<password>" \
@@ -147,13 +135,15 @@ kubectl create secret generic argocd-agent-agent-userpass \
 ```
 
 2. **Deploy Agent Components**:
+
 ```bash
 kubectl apply -n argocd \
   -k 'https://github.com/argoproj-labs/argocd-agent/install/kubernetes/agent?ref=main' \
   --context <workload-cluster-context>
 ```
 
 3. **Configure Agent Parameters**:
+
 ```bash
 kubectl patch configmap argocd-agent-params \
   --namespace argocd \
@@ -193,7 +183,7 @@ data:
   agent.server.port: "8443"
 
   # Authentication method
-  agent.creds: "userpass:/app/config/creds/userpass.creds"
+  agent.creds: "mtls:^CN=(.+)$"
 
   # TLS settings
   agent.tls.client.insecure: "false"
@@ -206,14 +196,15 @@ data:
 
 ### Authentication Methods
 
-**UserPass Authentication** (default):
+**mTLS Authentication**:
 ```yaml
-agent.creds: "userpass:/app/config/creds/userpass.creds"
+agent.creds: "mtls:^CN=(.+)$"  # Regex to extract agent ID from cert subject
 ```
 
-**mTLS Authentication**:
+**UserPass Authentication** (deprecated):
+
 ```yaml
-agent.creds: "mtls:^CN=(.+)$"  # Regex to extract agent ID from cert subject
+agent.creds: "userpass:/app/config/creds/userpass.creds"
 ```
 
 ## Step 7: Verification
@@ -309,9 +300,8 @@ for agent in "${AGENTS[@]}"; do
 
   # Create agent configuration
   argocd-agentctl agent create "$agent" \
-    --resource-proxy-username "$agent" \
-    --resource-proxy-password "$(openssl rand -base64 32)"
-  
+    --resource-proxy-server <resource-proxy-service-name>:9090
+
   # Issue client certificate
   argocd-agentctl pki issue agent "$agent" \
     --agent-context "cluster-$agent" \
@@ -336,8 +326,6 @@ argocd-agentctl agent inspect <agent-name>
 ```bash
 argocd-agentctl agent reconfigure <agent-name> \
   --resource-proxy-server <new-server-address> \
-  --resource-proxy-username <new-username> \
-  --resource-proxy-password <new-password> \
   --reissue-client-cert
 ```
 

go.mod

@@ -26,7 +26,6 @@ require (
 	golang.org/x/crypto v0.42.0
 	golang.org/x/net v0.44.0
 	golang.org/x/sync v0.17.0
-	golang.org/x/term v0.35.0
 	golang.stackrox.io/grpc-http1 v0.4.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7
 	google.golang.org/grpc v1.75.1
@@ -171,6 +170,7 @@ require (
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect

hack/dev-env/create-agent-config.sh

@@ -80,8 +80,6 @@ for agent in ${AGENTS}; do
 	if ! ${AGENTCTL} agent inspect ${agent} >/dev/null 2>&1; then
 		echo "  -> Creating cluster secret for agent configuration"
 		${AGENTCTL} agent create ${agent} \
-			--resource-proxy-username ${agent} \
-			--resource-proxy-password ${agent} \
 			--resource-proxy-server ${ARGOCD_AGENT_RESOURCE_PROXY}:9090
 	else
 		echo "  -> Reusing existing cluster secret for agent configuration"