argoproj-labs · ncr38 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: argocd-agent-principal
+description: A Helm chart for ArgoCD Agent Principal
+type: application
+version: 0.3.1
+appVersion: "0.3.1"
+home: https://github.com/argoproj-labs/argocd-agent
+sources:
+  - https://github.com/argoproj-labs/argocd-agent
+maintainers:
+  - name: ArgoCD Agent Team
@@ -0,0 +1,62 @@
+1. Get the application URL by running these commands:
+{{- if eq .Values.service.type "NodePort" }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "argocd-agent-principal.serviceName" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo https://$NODE_IP:$NODE_PORT
+{{- else if eq .Values.service.type "LoadBalancer" }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "argocd-agent-principal.serviceName" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "argocd-agent-principal.serviceName" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo https://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if eq .Values.service.type "ClusterIP" }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "argocd-agent-principal.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit https://127.0.0.1:8443 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8443:{{ .Values.principal.listen.port }}
+{{- end }}
+
+2. The ArgoCD Agent Principal is now running with the following configuration:
+   - Listen Port: {{ .Values.principal.listen.port }}
+   - Metrics Port: {{ .Values.principal.metrics.port }}
+   - Health Check Port: {{ .Values.principal.healthz.port }}
+   - Operating Namespace: {{ .Values.principal.namespace }}
+   {{- if .Values.principal.allowedNamespaces }}
+   - Allowed Namespaces: {{ .Values.principal.allowedNamespaces }}
+   {{- end }}
+
+3. To view the logs:
+   kubectl logs -f deployment/{{ include "argocd-agent-principal.fullname" . }} -n {{ .Release.Namespace }}
+
+{{- if .Values.metricsService.enabled }}
+4. Metrics are available at:
+   kubectl port-forward svc/{{ include "argocd-agent-principal.metricsServiceName" . }} {{ .Values.metricsService.port }}:{{ .Values.metricsService.port }} -n {{ .Release.Namespace }}
+   Then visit http://localhost:{{ .Values.metricsService.port }}/metrics
+{{- end }}
+
+{{- if .Values.healthzService.enabled }}
+5. Health check is available at:
+   kubectl port-forward svc/{{ include "argocd-agent-principal.healthzServiceName" . }} {{ .Values.healthzService.port }}:{{ .Values.healthzService.port }} -n {{ .Release.Namespace }}
+   Then visit http://localhost:{{ .Values.healthzService.port }}/healthz
+{{- end }}
+
+{{- if not .Values.secrets.userpass.passwd }}
+
+WARNING: You have not set a password for user authentication.
+Please update the userpass secret or set principal.auth to use mTLS authentication.
+
+To set a password:
+  kubectl create secret generic {{ include "argocd-agent-principal.userpassSecretName" . }} \
+    --from-literal=passwd="your-encrypted-password" \
+    -n {{ .Release.Namespace }}
+{{- end }}
+
+{{- if and .Values.principal.tls.server.allowGenerate (eq .Values.principal.tls.server.allowGenerate "true") }}
+
+WARNING: TLS certificate generation is enabled. This is insecure and should only be used for development.
+For production, please provide proper TLS certificates.
+{{- end }}
+
+{{- if and .Values.principal.jwt.allowGenerate (eq .Values.principal.jwt.allowGenerate "true") }}
+
+WARNING: JWT key generation is enabled. This is insecure and should only be used for development.
+For production, please provide a proper JWT signing key.
+{{- end }}
@@ -0,0 +1,159 @@
+# ArgoCD Agent Principal
+
+This Helm chart installs the ArgoCD Agent Principal component, which is part of the ArgoCD Agent system that enables multi-cluster application deployment and management.
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2+
+- ArgoCD installed in the cluster
+- Redis instance for agent communication
+
+## Installing the Chart
+
+To install the chart with the release name `argocd-agent-principal`:
+
+```bash
+helm install argocd-agent-principal . -n argocd
+```
+
+To install with custom values:
+
+```bash
+helm install argocd-agent-principal . -n argocd -f values.yaml
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `argocd-agent-principal` deployment:
+
+```bash
+helm uninstall argocd-agent-principal -n argocd
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the ArgoCD Agent Principal chart and their default values.
+
+### Basic Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `namespace` | Target namespace for deployment | `argocd` |
+| `replicaCount` | Number of replicas | `1` |
+
+### Image Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `image.repository` | Image repository | `ghcr.io/argoproj-labs/argocd-agent/argocd-agent` |
+| `image.tag` | Image tag | `"d7ee8580"` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+
+### Resource Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `resources.limits.cpu` | CPU limit | `2` |
+| `resources.limits.memory` | Memory limit | `4Gi` |
+| `resources.requests.cpu` | CPU request | `2` |
+| `resources.requests.memory` | Memory request | `4Gi` |
+
+### Service Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `service.type` | Service type | `LoadBalancer` |
+| `service.port` | Service port | `443` |
+| `service.targetPort` | Target port | `8443` |
+| `service.annotations` | Service annotations | `networking.gke.io/load-balancer-type: "Internal"` |
+
+### Metrics Service
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `metricsService.enabled` | Enable metrics service | `true` |
+| `metricsService.type` | Metrics service type | `ClusterIP` |
+| `metricsService.port` | Metrics service port | `8000` |
+
+### Health Check Service
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `healthzService.enabled` | Enable health check service | `true` |
+| `healthzService.type` | Health check service type | `ClusterIP` |
+| `healthzService.port` | Health check service port | `8003` |
+
+### Principal Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.listen.port` | gRPC server listen port | `8443` |
+| `principal.listen.host` | gRPC server listen host | `""` (all interfaces) |
+| `principal.log.level` | Log level (trace, debug, info, warn, error) | `info` |
+| `principal.log.format` | Log format (text, json) | `text` |
+| `principal.metrics.port` | Metrics server port | `8000` |
+| `principal.healthz.port` | Health check server port | `8003` |
+| `principal.namespace` | Principal operation namespace | `"argocd"` |
+| `principal.allowedNamespaces` | Allowed namespaces for agents | `"argocd,argocd-apps,default"` |
+
+### Namespace Management
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.namespaceCreate.enable` | Allow namespace creation | `true` |
+| `principal.namespaceCreate.pattern` | Namespace creation pattern | `"-agent"` |
+| `principal.namespaceCreate.labels` | Labels for created namespaces | `"managed-by=argocd-agent,environment=production"` |
+
+### TLS Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.tls.secretName` | TLS secret name | `"argocd-agent-principal-tls"` |
+| `principal.tls.server.allowGenerate` | Allow TLS cert generation | `false` |
+| `principal.tls.server.rootCaSecretName` | Root CA secret name | `"argocd-agent-ca"` |
+| `principal.tls.clientCert.require` | Require client certificates | `true` |
+| `principal.tls.clientCert.matchSubject` | Match subject to agent name | `true` |
+
+### Redis Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.redis.compressionType` | Redis compression type | `"gzip"` |
+| `principal.redis.server.address` | Redis server address | `"argocd-redis:6379"` |
+
+### Resource Proxy
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.redisProxy.enabled` | Enable Redis proxy | `true` |
+| `principal.resourceProxy.enabled` | Enable resource proxy | `true` |
+| `principal.resourceProxy.secretName` | Resource proxy TLS secret | `"argocd-agent-resource-proxy-tls"` |
+| `principal.resourceProxy.ca.secretName` | Resource proxy CA secret | `"argocd-agent-ca"` |
+
+### JWT Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.jwt.allowGenerate` | Allow JWT key generation | `false` |
+| `principal.jwt.secretName` | JWT secret name | `"argocd-agent-jwt"` |
+
+### Advanced Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `principal.websocket.enable` | Enable WebSocket streaming | `false` |
+| `principal.keepAlive.minInterval` | Keep-alive minimum interval | `"0"` |
+| `principal.pprof.port` | pprof server port | `"0"` (disabled) |
+
+### Secrets Configuration
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `secrets.ca.tls.create` | Create CA TLS secret | `true` |
+| `secrets.ca.tls.key` | CA private key (base64) | `<provided>` |
+| `secrets.ca.tls.crt` | CA certificate (base64) | `<provided>` |
+
+## Usage
+
+The principal component should be installed in the management cluster where ArgoCD is running. It will coordinate with the agent components installed in remote clusters.
@@ -0,0 +1,134 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "argocd-agent-principal.name" -}}
+{{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "argocd-agent-principal.fullname" -}}
+{{- if .Values.global.fullnameOverride }}
+{{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.global.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Common labels
+*/}}
+{{- define "argocd-agent-principal.labels" -}}
+{{ include "argocd-agent-principal.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: argocd-agent
+app.kubernetes.io/component: principal
+{{- with .Values.labels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "argocd-agent-principal.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "argocd-agent-principal.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "argocd-agent-principal.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "argocd-agent-principal.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the config map
+*/}}
+{{- define "argocd-agent-principal.configMapName" -}}
+{{- printf "%s-params" (include "argocd-agent-principal.fullname" .) }}
+{{- end }}
+
+{{/*
+Create the name of the main service
+*/}}
+{{- define "argocd-agent-principal.serviceName" -}}
+{{- include "argocd-agent-principal.fullname" . }}
+{{- end }}
+
+{{/*
+Create the name of the metrics service
+*/}}
+{{- define "argocd-agent-principal.metricsServiceName" -}}
+{{- printf "%s-metrics" (include "argocd-agent-principal.fullname" .) }}
+{{- end }}
+
+{{/*
+Create the name of the healthz service
+*/}}
+{{- define "argocd-agent-principal.healthzServiceName" -}}
+{{- printf "%s-healthz" (include "argocd-agent-principal.fullname" .) }}
+{{- end }}
+
+{{/*
+Create the name of the cluster role
+*/}}
+{{- define "argocd-agent-principal.clusterRoleName" -}}
+{{- include "argocd-agent-principal.fullname" . }}
+{{- end }}
+
+{{/*
+Create the name of the role
+*/}}
+{{- define "argocd-agent-principal.roleName" -}}
+{{- include "argocd-agent-principal.fullname" . }}
+{{- end }}
+
+{{/*
+Create the name of the cluster role binding
+*/}}
+{{- define "argocd-agent-principal.clusterRoleBindingName" -}}
+{{- include "argocd-agent-principal.fullname" . }}
+{{- end }}
+
+{{/*
+Create the name of the role binding
+*/}}
+{{- define "argocd-agent-principal.roleBindingName" -}}
+{{- include "argocd-agent-principal.fullname" . }}
+{{- end }}
+
+
+{{/*
+Create the name of the userpass secret
+*/}}
+{{- define "argocd-agent-principal.userpassSecretName" -}}
+{{- printf "%s-userpass" (include "argocd-agent-principal.fullname" .) }}
+{{- end }}
+
+
+{{/*
+Common annotations
+*/}}
+{{- define "argocd-agent-principal.annotations" -}}
+{{- with .Values.annotations }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,13 @@
+{{- if .Values.secrets.ca.tls.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-agent-ca
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.secrets.ca.tls.crt | quote }}
+  tls.key: {{ .Values.secrets.ca.tls.key | quote }}
+{{ end }}