Redis Network Policy created using helm chart doesn't work and agent is unable to start. #636

@jparsai

Description

Describe the bug
While installing the managed agent using the helm chart and the ArgoCD operator, the network policy provided in the helm chart doesn't work as expected and the agent is unable to start due to blocked API calls.

Steps to reproduce the behaviour

  1. Set up ArgoCD and the principal in the control-plane cluster.
  2. Set up the workload cluster and create the required secrets.
  3. Now install the agent using the following command:

helm install <Helm_REPO> -n argocd --version <VERSION> --set namespaceOverride=argocd --set agentMode=managed --set server=<PRINCIPAL_SERVICE_URL> --set argoCdRedisSecretName="argocd-redis-initial-password" --set argoCdRedisPasswordKey=admin.password

The first thing is (not sure if this is a bug or expected behaviour) that we have to provide the -n flag to ensure the allow-agent-to-redis network policy is created in the argocd namespace. If -n is not provided, the network policy is created in the default helm release namespace, i.e. default. My understanding is that we may want to install the helm release in the default namespace, but the Network Policy should still be installed in the same namespace as ArgoCD.

With the -n flag, the network policy is created in the argocd namespace, but the agent is not able to start and shows this error in the logs:

level=info msg="Loading root CA certificate from secret openshift-gitops/argocd-agent-ca"
level=info msg="Loading client TLS certificate from secret openshift-gitops/argocd-agent-client-tls"
[FATAL]: Error creating remote: could not read secret: Get "https://172.30.0.1:443/api/v1/namespaces/openshift-gitops/secrets/argocd-agent-ca": dial tcp 172.30.0.1:443: i/o timeout

If we delete the allow-agent-to-redis network policy and update the one created by the operator, i.e. argocd-redis-network-policy, it works: the agent starts and is also able to connect to redis.

oc --context <AGENT_CONTEXT> -n argocd patch networkpolicy argocd-redis-network-policy --type='json' -p='[{"op": "add", "path": "/spec/ingress/0/from/-", "value": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-agent-agent"}}}}]'
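The behaviour described in this report, modeled as an added example (my code, not the argocd-agent project's chart or operator): a small evaluator of Kubernetes NetworkPolicy semantics (podSelector, namespaceSelector, ipBlock, ports, and the policyTypes defaults) run over constructed policies. The allow-agent-to-redis policy below is a hypothetical reconstruction, an Egress policy that selects the agent and lists only redis, of a shape that would produce the reported i/o timeout to 172.30.0.1:443, because selecting a pod for Egress turns every destination not listed into a deny. The redis pod label app.kubernetes.io/name=argocd-redis, the pre-patch peer list of argocd-redis-network-policy, the namespace labels and all IPs are assumptions.

```python
# Added example, not code from the argocd-agent project: a small evaluator of
# Kubernetes NetworkPolicy semantics, with constructed policies that reproduce the
# reported symptom and the workaround. Labels, IPs and policy contents are assumed.
import copy
import ipaddress

# Assumed namespace labels (kubernetes.io/metadata.name is set automatically since k8s 1.21).
NAMESPACE_LABELS = {"argocd": {"kubernetes.io/metadata.name": "argocd"},
                    "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}

def _selector_matches(selector, labels):
    """matchLabels-only selector; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, policy_ns, ep):
    """Does a from/to peer cover endpoint ep = {"ip", "namespace", "labels"}?
    Non-pod endpoints such as the API server VIP carry labels=None."""
    if "ipBlock" in peer:
        ip, blk = ipaddress.ip_address(ep["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(blk["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(c, strict=False) for c in blk.get("except", []))
    if ep["labels"] is None:
        return False  # pod/namespace selectors never match a non-pod address
    if "namespaceSelector" in peer:
        if not _selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(ep["namespace"], {})):
            return False
    elif ep["namespace"] != policy_ns:
        return False  # a bare podSelector only reaches the policy's own namespace
    return _selector_matches(peer.get("podSelector", {}), ep["labels"])

def _port_matches(rule, port, proto):
    ports = rule.get("ports")  # no ports listed means every port
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def _policy_types(spec):
    # Default: Ingress always, Egress only when an egress section is present.
    return spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))

def _direction_allowed(policies, direction, pod, peer_ep, port, proto):
    """Ingress: pod receives from peer_ep.  Egress: pod sends to peer_ep."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == pod["namespace"]
                  and direction in _policy_types(p["spec"])
                  and _selector_matches(p["spec"].get("podSelector", {}), pod["labels"])]
    if not applicable:
        return True  # nothing selects the pod in this direction: default allow
    for pol in applicable:  # policies are additive: any matching rule allows the flow
        for rule in pol["spec"].get(rules_key, []):
            peers = rule.get(peers_key)  # absent/empty peer list means any peer
            if _port_matches(rule, port, proto) and (
                    not peers or any(_peer_matches(pe, pol["metadata"]["namespace"], peer_ep) for pe in peers)):
                return True
    return False

def connection_allowed(policies, src, dst, port, proto="TCP"):
    """A flow needs the source's egress AND the destination's ingress to allow it."""
    if src["labels"] is not None and not _direction_allowed(policies, "Egress", src, dst, port, proto):
        return False
    return dst["labels"] is None or _direction_allowed(policies, "Ingress", dst, src, port, proto)

def add_ingress_peer(policy, peer):
    """Same effect as the `oc patch ... /spec/ingress/0/from/-` command in the report."""
    patched = copy.deepcopy(policy)
    patched["spec"]["ingress"][0].setdefault("from", []).append(peer)
    return patched

# Constructed endpoints (labels and IPs assumed).
AGENT = {"ip": "10.128.2.10", "namespace": "argocd", "labels": {"app.kubernetes.io/name": "argocd-agent-agent"}}
REDIS = {"ip": "10.128.2.11", "namespace": "argocd", "labels": {"app.kubernetes.io/name": "argocd-redis"}}
DNS = {"ip": "10.128.0.5", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}
API_SERVER = {"ip": "172.30.0.1", "namespace": None, "labels": None}  # service VIP, not a pod
AGENT_PEER = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-agent-agent"}}}
REDIS_PEER = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-redis"}}}

# Stand-in for the operator's argocd-redis-network-policy before the patch (peer list assumed).
REDIS_INGRESS_BEFORE_PATCH = {
    "metadata": {"name": "argocd-redis-network-policy", "namespace": "argocd"},
    "spec": {"podSelector": REDIS_PEER["podSelector"], "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "argocd-server"}}}],
                          "ports": [{"protocol": "TCP", "port": 6379}]}]}}

# Hypothetical allow-agent-to-redis that would produce the reported timeout: selecting the
# agent with policyTypes Egress makes everything not listed (API server, DNS) a deny.
AGENT_EGRESS_ONLY_REDIS = {
    "metadata": {"name": "allow-agent-to-redis", "namespace": "argocd"},
    "spec": {"podSelector": AGENT_PEER["podSelector"], "policyTypes": ["Egress"],
             "egress": [{"to": [REDIS_PEER], "ports": [{"protocol": "TCP", "port": 6379}]}]}}

# The same policy plus the egress the agent also needs: API server VIP and cluster DNS.
AGENT_EGRESS_FIXED = copy.deepcopy(AGENT_EGRESS_ONLY_REDIS)
AGENT_EGRESS_FIXED["spec"]["egress"] += [
    {"to": [{"ipBlock": {"cidr": "172.30.0.1/32"}}], "ports": [{"protocol": "TCP", "port": 443}]},
    {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
     "ports": [{"protocol": "UDP", "port": 53}]}]
```

With the hypothetical egress-only policy in place, connection_allowed([...], AGENT, API_SERVER, 443) is False while the redis flow is allowed, which matches the symptom of the agent loading its secrets timing out. Dropping that policy and adding AGENT_PEER to the redis ingress policy (add_ingress_peer, the same operation as the oc patch above) allows both flows, because no remaining policy selects the agent for Egress. If a chart does keep an Egress policy on the agent, it has to list the API server and DNS as well; note that allowing the Service VIP via ipBlock is CNI-dependent, since kube-proxy DNATs 172.30.0.1 to the control-plane endpoint addresses before some CNIs evaluate the policy, in which case the endpoint IPs from the kubernetes Endpoints object are what must be allowed.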

Labels: bug