argocd-agentctl create Agent from existing TLS secret

[gnunn1]

Is your feature request related to a problem? Please describe.

When using cert-manager instead of argocd-agentctl to manage PKI it's a pain to formulate the required cluster secret manually since you need to extract the CA, TLS cert and TLS key from the generated Certificate secret and then create the cluster secret using the right JSON format for config.

See the steps in the cert-manager PR here: https://github.com/argoproj-labs/argocd-agent/pull/620/files#diff-9232676f0184124a604022337fed7719340a566c7806114a08fd1aa7750c7d18R194

Describe the solution you'd like

The argocd-agentctl should have a create-from-tls command to create the cluster secret based on an existing TLS secret. Maybe something like:

argocd-agentctl pki cluster-secret <tls-secret-name> --principal-context <context> --principal-context-namespace <namespace> 

Describe alternatives you've considered

• Creating cluster secret manually which is a multi-step process.
• Using ESO's ability to template secrets. Basically have an ESO Kubernetes SecretStore to read the TLS secret and then create an ExternalSecret that templates out the cluster secret correctly. It has more moving parts and requires ESO be installed.

[jannfis]

Yep, I like this idea. I think it should go as an option to the argocd-agentctl agent create command, as only the PKI command is marked for non-production.

For example:

argocd-agentctl agent create my-agent --tls-cert-from-secret some-secret --tls-ca-cert-from-secret some-other-secret

The secret specified by --tls-cert-from-secret must be a proper TLS secret with the cert in tls.crt and the key in tls.key. For the CA certificate, I think it would be fair to assume it's stored in a field named ca.crt, but the secret itself can be of type opaque.

I was wondering if - in a later iteration of this feature - it would be cool to reference the source secret from the cluster secret (via an annotation, for example) and have the principal watch for changes to the source secrets (for example, cert manager re-issues the certificate for renewal) and update the cluster secret automatically. But as I said, that's for later.