feat(klausgateway): wire Slack OBO route + obo.* pass-through#185
Merged
Forward the klaus-gateway `obo.*` values (CIMD-based Slack on-behalf-of linking) through the umbrella and connectivity charts, and render a public HTTPRoute exposing the unauthenticated OAuth-bootstrap paths /auth/slack/link, /auth/slack/callback and the CIMD document /auth/slack/client.json on the gateway's public hostname (derived from obo.callbackBaseUrl). The route targets the klaus-gateway Service directly so these paths bypass the JWT policy guarding the channel paths; both the linking browser and muster (CIMD fetch) reach the gateway over it. Disabled by default. Also fixes the klausgateway AgentgatewayBackend host default to the correct klaus-gateway Service name (was klausgateway, a non-existent Service when fullnameOverride is unset). Co-authored-by: Cursor <cursoragent@cursor.com>
The CHANGELOG documented a klausgateway-obo-egress NetworkPolicy but the template was missing. Without it the gateway, put into default-deny egress by klausgateway-a2a-egress, cannot reach muster's authorization server (443/10443) for RFC 8414 discovery and the OBO token exchange. Mirrors the kagent-agent and oauth2-proxy world+cluster 443/10443 egress. Co-authored-by: Cursor <cursoragent@cursor.com>
Add klausGateway.slack.dmOnly (umbrella values + schema), forwarded to the klaus-gateway subchart which renders it as SLACK_DM_ONLY. Restricts the Slack adapter to direct messages — the recommended mode for the OBO gateway, which is a DM-only bot. Default false. Requires giantswarm/klaus-gateway#113 (the chart that renders the env). Co-authored-by: Cursor <cursoragent@cursor.com>
Add klausGateway.slack.botToken/signingSecret/appToken (umbrella values + schema), forwarded to the klaus-gateway subchart which renders the slack.secretName Secret from them. Lets the per-cluster secret-values patch stage SOPS-encrypted Slack creds that become the slack-credentials Secret. Requires giantswarm/klaus-gateway#114 (the chart that renders the Secret). Co-authored-by: Cursor <cursoragent@cursor.com>
…ic SA token An agent that lists "authorization" in allowedHeaders now forwards the caller's own Authorization header to muster. Its muster RemoteMCPServer omits the headersFrom injection, and the per-agent token-mint Job, refresh CronJob, and Secret-writer RBAC are no longer rendered, so the forwarded token reaches muster unshadowed. A request carries a single Authorization header, so the two are mutually exclusive; agents that do not forward authorization keep the previous static service-account-token behaviour. A ci/test-agent-forward-auth-values.yaml render test covers this (no headersFrom, no token-mint resources). Co-authored-by: Cursor <cursoragent@cursor.com>
… of static SA token" This reverts commit 82cf2c9.
…-umbrella-route

* origin/main:
  feat(kagent): OBO actor-token forwarding to muster via X-Actor-Token (#190)
  chore: align files according to platform standards (#189)
  chore: align files according to platform standards (#188)
  feat(kagent): forward the human token from sre-agent to muster for OBO (#187)
  fix(kagent): name sre-agent muster meta-tools so the UI stops showing "Unknown Tool" (#186)
  chore(deps): update gsoci.azurecr.io/giantswarm/agentgateway docker tag to v1.3.1 (#179)
  fix(kagent): refresh Dex id_token in oauth2-proxy for OBO (#184)

Co-authored-by: Cursor <cursoragent@cursor.com>

# Conflicts:
#	CHANGELOG.md
#	helm/agentic-platform/values.yaml
This was referenced Jun 25, 2026
Summary

Implements the agentic-platform umbrella side of the Slack OBO via CIMD work: forward the klaus-gateway `obo.*` values through the charts and add the public connectivity route for the OAuth-bootstrap endpoints.

- `klausGateway.obo.*` pass-through — added and documented the `obo` block (`enabled`, `musterUrl`, `callbackBaseUrl`, `storePath`, `stateKey`, `storeKey`) in both `agentic-platform` (meta-package, forwarded to the klaus-gateway subchart via `valuesFrom: klausGateway`) and `agentic-platform-connectivity` `values.yaml`, with matching `values.schema.json` entries.
- `HTTPRoute` (`klausgateway-obo`) in `templates/klausgateway/route.yaml` exposing `/auth/slack/` (covers `/auth/slack/link`, `/auth/slack/callback`, `/auth/slack/client.json`) on the gateway's public hostname, derived from `obo.callbackBaseUrl` so the route, the OAuth redirect URI, and the CIMD `client_id` stay in lockstep. It routes straight to the `klaus-gateway` Service (not through the agentgateway data-plane) so these unauthenticated bootstrap paths bypass the JWT policy that guards the channel paths. Both the linking browser and muster (CIMD fetch) reach the gateway over it. Gated on `klausGateway.enabled && klausGateway.obo.enabled && ingress.parentRefs`; disabled by default.
- `AgentgatewayBackend.spec.static.host` defaulted to `klausgateway`, a non-existent Service; corrected to the chart's actual `klaus-gateway` Service name (matching `netpol.yaml`).
- 1.1.34 → 1.1.35, updated CHANGELOG, and added `ci/test-klausgateway-obo-values.yaml` as a render check.

Test plan

- `helm lint` passes on both charts
- … `callbackBaseUrl`, path `/auth/slack/`, backend `klaus-gateway:8080` on the public Gateway
- … `/auth/slack/client.json` and its `client_id` matches the URL

Notes
Made with Cursor
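The lockstep invariant the summary relies on (route hostname, OAuth redirect URI and CIMD `client_id` all derived from `obo.callbackBaseUrl`), written out as a stand-alone consistency check. This is an added example, not code from the agentic-platform or klaus-gateway repositories. It assumes the Gateway API v1 `HTTPRoute` shape, the `klaus-gateway` Service on port 8080 named in the test plan, a hypothetical hostname `klaus.example.com`, a hypothetical parentRef `public-gateway`, and a constructed CIMD document; because the route bypasses the JWT policy, the check also refuses any path match wider than `/auth/slack/`.

```python
"""Consistency check for the Slack OBO bootstrap route and its CIMD document.

Added example, not part of the agentic-platform charts. It mirrors the invariant
stated in the PR: the HTTPRoute hostname, the OAuth redirect URI and the CIMD
client_id all derive from obo.callbackBaseUrl. Hostname, parentRef and the CIMD
content below are constructed samples, not the gateway's real document.
"""
from urllib.parse import urlparse

OBO_PREFIX = "/auth/slack/"        # the only unauthenticated prefix the route may expose
BACKEND_SERVICE = "klaus-gateway"  # the chart's real Service name (not "klausgateway")
BACKEND_PORT = 8080                # per the PR test plan


def _base(callback_base_url: str) -> str:
    return callback_base_url.rstrip("/")


def public_hostname(callback_base_url: str) -> str:
    """Derive the route hostname from obo.callbackBaseUrl; refuse non-https or non-origin values."""
    u = urlparse(callback_base_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"callbackBaseUrl must be an https origin: {callback_base_url!r}")
    if u.path not in ("", "/") or u.query or u.fragment or u.username:
        raise ValueError(f"callbackBaseUrl must carry no path, query, fragment or userinfo: {callback_base_url!r}")
    return u.hostname


def expected_route(callback_base_url: str, parent_refs: list) -> dict:
    """The HTTPRoute we expect the umbrella chart to render (assumed Gateway API v1 shape)."""
    return {
        "apiVersion": "gateway.networking.k8s.io/v1",
        "kind": "HTTPRoute",
        "metadata": {"name": "klausgateway-obo"},
        "spec": {
            "parentRefs": parent_refs,
            "hostnames": [public_hostname(callback_base_url)],
            "rules": [{
                "matches": [{"path": {"type": "PathPrefix", "value": OBO_PREFIX}}],
                "backendRefs": [{"name": BACKEND_SERVICE, "port": BACKEND_PORT}],
            }],
        },
    }


def route_problems(route: dict, callback_base_url: str) -> list:
    """Findings for a rendered HTTPRoute; an empty list means it is consistent and tightly scoped."""
    problems = []
    spec = route.get("spec", {})
    host = public_hostname(callback_base_url)
    if spec.get("hostnames") != [host]:
        problems.append(f"hostnames {spec.get('hostnames')!r} != [{host!r}]")
    if not spec.get("parentRefs"):
        problems.append("no parentRefs: route would not attach to the public Gateway")
    rules = spec.get("rules", [])
    if not rules:
        problems.append("no rules")
    for rule in rules:
        # Gateway API treats an absent matches list as a "/" prefix, i.e. every request.
        for m in rule.get("matches") or [{}]:
            p = m.get("path", {})
            # This route bypasses the JWT policy, so it must match nothing wider than the bootstrap prefix.
            if p.get("type") != "PathPrefix" or p.get("value") != OBO_PREFIX:
                problems.append(f"path match {p!r} exposes more than {OBO_PREFIX} without JWT")
        for b in rule.get("backendRefs", []):
            if b.get("name") != BACKEND_SERVICE or b.get("port") != BACKEND_PORT:
                problems.append(f"backendRef {b!r} is not {BACKEND_SERVICE}:{BACKEND_PORT}")
    return problems


def cimd_problems(doc: dict, callback_base_url: str) -> list:
    """Check a CIMD document against the URL it is served at and the expected redirect URI."""
    problems = []
    base = _base(callback_base_url)
    client_json_url = base + OBO_PREFIX + "client.json"
    callback_url = base + OBO_PREFIX + "callback"
    # With CIMD the client_id is the metadata document's own URL, so it must equal where the route serves it.
    if doc.get("client_id") != client_json_url:
        problems.append(f"client_id {doc.get('client_id')!r} != {client_json_url!r}")
    uris = doc.get("redirect_uris", [])
    if callback_url not in uris:
        problems.append(f"redirect_uris lacks {callback_url!r}")
    for uri in uris:
        if not uri.startswith(base + OBO_PREFIX):
            problems.append(f"redirect_uri {uri!r} is outside {base + OBO_PREFIX!r}")
    return problems


def check_all(route: dict, cimd: dict, callback_base_url: str) -> list:
    """Run both checks against one callbackBaseUrl; empty list means everything is in lockstep."""
    return route_problems(route, callback_base_url) + cimd_problems(cimd, callback_base_url)


# Constructed sample values (hypothetical hostname, parentRef and document).
CALLBACK_BASE_URL = "https://klaus.example.com"
SAMPLE_CIMD = {
    "client_id": "https://klaus.example.com/auth/slack/client.json",
    "client_name": "klaus-gateway Slack OBO",
    "redirect_uris": ["https://klaus.example.com/auth/slack/callback"],
}

if __name__ == "__main__":
    rendered = expected_route(CALLBACK_BASE_URL, [{"name": "public-gateway"}])
    findings = check_all(rendered, SAMPLE_CIMD, CALLBACK_BASE_URL)
    print("OK" if not findings else "\n".join(findings))
```

In practice the `route` argument would come from `helm template` output (parsed YAML) and the CIMD document from a GET of `/auth/slack/client.json` over the public hostname; the check then catches the two drifts that matter here, a route hostname or `client_id` that no longer matches `callbackBaseUrl`, and a path match that silently widens the JWT-free surface beyond `/auth/slack/`.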