From 123405ee482e9ea5bd7def18b741cfce58ad8ecf Mon Sep 17 00:00:00 2001
From: QuentinBisson
Date: Tue, 23 Jun 2026 13:52:12 +0200
Subject: [PATCH 1/2] fix(kagent): gate agent agentgateway routes on agentgateway ingress mode

The template was gated only on kagent.enabled, so AgentgatewayBackend and HTTPRoute resources were rendered on clusters running muster-direct mode (no agentgateway data plane). Gate on the existing ingress.agentgateway helper, which returns true only for agentgateway-muster and agentgateway-direct modes.
---
 .../templates/kagent/agents/agentgateway-backends.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml b/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
index 8246a2c..3cfffbd 100644
--- a/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
+++ b/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.kagent.enabled }}
+{{- if and .Values.kagent.enabled (include "agentic-platform.ingress.agentgateway" .) }}
 {{- $ns := .Values.kagent.namespaceOverride | default .Release.Namespace }}
 {{- range $name, $cfg := .Values.agents.definitions }}
 {{- $agent := merge (dict "name" $name) $cfg }}

From 00eaf58a4bc462ee640b5673af0c0f5baae5c07b Mon Sep 17 00:00:00 2001
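Review bot: The added gate on line 1 of the template feeds the `include` result straight into `and`, and Go templates treat any non-empty string as truthy, so if `agentic-platform.ingress.agentgateway` renders the literal `false` (rather than an empty string) for muster-direct mode the condition still passes and the backends are rendered exactly as before. The helper body is not in this patch, so this is inferred from the call shape; if it can emit `false` or any other text, compare explicitly: `{{- if and .Values.kagent.enabled (eq (include "agentic-platform.ingress.agentgateway" .) "true") }}`. A chart rendering test for the muster-direct mode asserting that no AgentgatewayBackend or HTTPRoute is emitted would pin the intent of this commit. The `range` opened in this hunk is closed outside it.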
From: QuentinBisson
Date: Tue, 23 Jun 2026 13:56:55 +0200
Subject: [PATCH 2/2] fix(kagent): drop public HTTPRoute for agent A2A endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Agent A2A endpoints are consumed in-cluster (by other agents and the kagent controller) — not by external clients. The public route added unnecessary attack surface; the inner agentgateway route is sufficient. External A2A access can be added via extraObjects when explicitly needed.
---
 .../kagent/agents/agentgateway-backends.yaml | 25 -------------------
 .../agentic-platform-connectivity/values.yaml | 9 ++++---
 2 files changed, 5 insertions(+), 29 deletions(-)

diff --git a/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml b/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
index 3cfffbd..99f1bce 100644
--- a/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
+++ b/helm/agentic-platform-connectivity/templates/kagent/agents/agentgateway-backends.yaml
@@ -59,31 +59,6 @@ spec:
 - name: {{ $agent.name | quote }}
 kind: AgentgatewayBackend
 group: agentgateway.dev
-{{- if and $.Values.ingress.parentRefs $route.hostname }}
----
-# HTTPRoute — exposes {{ $agent.name }} on the outer public Gateway (TLS-terminating).
-# No URLRewrite: the prefix strip happens at the inner agentgateway hop.
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: {{ printf "%s-public" $agent.name | quote }}
- namespace: {{ $.Release.Namespace }}
- labels:
- {{- include "labels.common" $ | nindent 4 }}
-spec:
- parentRefs:
- {{- toYaml $.Values.ingress.parentRefs | nindent 4 }}
- hostnames:
- - {{ $route.hostname | quote }}
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: {{ $pathPrefix }}
- backendRefs:
- - name: {{ $.Values.gateway.name }}
- port: 8080
-{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
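Review bot: With the public route removed, the surviving inner route is the only consumer of `$route.hostname` in this template, and the values.yaml comment in the same commit now states that an empty `hostname` matches all hostnames; that claim depends on the inner HTTPRoute (above this hunk, not shown) omitting `hostnames:` entirely when the value is empty rather than rendering `hostnames: [""]`, which the Gateway API rejects as an invalid hostname. Worth confirming in the part of the `range` not visible here, since the three remaining `{{- end }}` lines only close blocks opened outside the hunk. The commit message says external A2A access is an extraObjects concern, but nothing in the template records that decision; a comment above the inner route such as `# No public (outer Gateway) HTTPRoute is rendered for agent A2A endpoints on purpose: they are in-cluster only. Use extraObjects for explicit external exposure.` would stop it being re-added. `$.Values.ingress.parentRefs` now has no reference in this template; if nothing else in the chart consumes it, the value and its documentation are dead and should be removed or re-documented.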
diff --git a/helm/agentic-platform-connectivity/values.yaml b/helm/agentic-platform-connectivity/values.yaml
index f9c747f..26682a8 100644
--- a/helm/agentic-platform-connectivity/values.yaml
+++ b/helm/agentic-platform-connectivity/values.yaml
@@ -782,11 +782,12 @@ agents:
 namespace: mcp-kubernetes
 # Agentgateway route — exposes this agent's A2A endpoint at /agents/
 # on the agentgateway inner Gateway (agentgateway-* ingress modes only).
- # Rendered automatically when the agent is enabled; set hostname to the
- # agentgateway Gateway hostname. Set ingress.parentRefs to also create
- # the public HTTPRoute on the outer TLS-terminating Gateway.
+ # Rendered automatically when the agent is enabled. Only in-cluster callers
+ # (other agents, the kagent controller) are expected to use this path; no
+ # public outer HTTPRoute is created. Use extraObjects for external A2A access.
 agentgatewayRoute:
- # Hostname on which the agentgateway Gateway will match /agents/.
+ # Optional: scope the inner HTTPRoute to a specific hostname on the
+ # agentgateway Gateway. Leave empty to match all hostnames.
 # Example: agentgateway..
 hostname: ""