From de23bb0ef16ea62aa802d88632936f4b9d1a09d2 Mon Sep 17 00:00:00 2001
From: QuentinBisson <quentin@giantswarm.io>
Date: Wed, 24 Jun 2026 16:08:24 +0200
Subject: [PATCH 1/3] feat(kagent): forward the human token from sre-agent to
 muster for OBO

Set allowedHeaders: ["authorization"] on the sre-agent muster tool ref so the
inbound user token is forwarded onto muster tool calls. The kagent controller's
STS plugin then exchanges it (sub=human, act=sre-agent SA) and muster mints the
backend token on behalf of the human instead of as the agent SA.

headersFrom (the static SA token) is kept as the M2M fallback: autonomous runs
carry no inbound user token, so nothing is forwarded and muster sees the SA.
---
 helm/agentic-platform-connectivity/values.yaml | 2 +-
 helm/agentic-platform/values.yaml              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/helm/agentic-platform-connectivity/values.yaml b/helm/agentic-platform-connectivity/values.yaml
index 656128f..71eafab 100644
--- a/helm/agentic-platform-connectivity/values.yaml
+++ b/helm/agentic-platform-connectivity/values.yaml
@@ -813,7 +813,7 @@ agents:
       # Request headers forwarded from the inbound A2A call onto muster tool calls.
       # Set ["authorization"] to forward the human token for on-behalf-of (the STS
       # plugin then exchanges it); leave [] for pure M2M.
-      allowedHeaders: []
+      allowedHeaders: ["authorization"]
       # Optional container resources for the agent Deployment.
       resources: {}
       # Optional extra env for the agent Deployment.
diff --git a/helm/agentic-platform/values.yaml b/helm/agentic-platform/values.yaml
index c28bcd4..966c0a4 100644
--- a/helm/agentic-platform/values.yaml
+++ b/helm/agentic-platform/values.yaml
@@ -989,7 +989,7 @@ agents:
       # Request headers forwarded from the inbound A2A call onto muster tool calls.
       # Set ["authorization"] to forward the human token for on-behalf-of (the STS
       # plugin then exchanges it); leave [] for pure M2M.
-      allowedHeaders: []
+      allowedHeaders: ["authorization"]
       # Optional container resources for the agent Deployment.
       resources: {}
       # Optional extra env for the agent Deployment.

From 9fbabe214fb95effed718b6ec0c89eea8337fd5f Mon Sep 17 00:00:00 2001
From: QuentinBisson <quentin@giantswarm.io>
Date: Thu, 25 Jun 2026 12:07:11 +0200
Subject: [PATCH 2/3] docs(kagent): correct allowedHeaders OBO comment to the
 muster localMint model

The previous comment claimed forwarding authorization performs OBO via an STS
plugin exchange. It does not: muster localMint runs the RFC 8693 exchange,
taking the forwarded Dex token as subject and the agent SA token (X-Actor-Token)
as actor. Document that, the kagent override env var it depends on
(KAGENT_PROPAGATE_TOKEN_OVERRIDES_STATIC, kagent-dev/kagent#2044), the required
muster ActorDelegationPolicy, and the M2M fallback when no caller token exists.
---
 helm/agentic-platform-connectivity/values.yaml | 12 ++++++++++--
 helm/agentic-platform/values.yaml              | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/helm/agentic-platform-connectivity/values.yaml b/helm/agentic-platform-connectivity/values.yaml
index 71eafab..e579cc9 100644
--- a/helm/agentic-platform-connectivity/values.yaml
+++ b/helm/agentic-platform-connectivity/values.yaml
@@ -811,8 +811,16 @@ agents:
         - describe_prompt
         - get_prompt
       # Request headers forwarded from the inbound A2A call onto muster tool calls.
-      # Set ["authorization"] to forward the human token for on-behalf-of (the STS
-      # plugin then exchanges it); leave [] for pure M2M.
+      # ["authorization"] forwards the caller's Dex token to muster on each tool call.
+      # On its own this does not switch identity. It becomes the on-behalf-of subject
+      # only once muster's localMint backend runs the RFC 8693 exchange (sub=user) with
+      # the agent's ServiceAccount token as actor (act=sre-agent, carried as the
+      # X-Actor-Token header), minting a user-scoped backend token. That requires both
+      # (a) the kagent runtime override KAGENT_PROPAGATE_TOKEN_OVERRIDES_STATIC so the
+      # forwarded token beats the static M2M Authorization (kagent-dev/kagent#2044), and
+      # (b) a muster ActorDelegationPolicy letting the agent SA act for users. Until both
+      # land, sre-agent runs M2M only. With no caller token (autonomous runs) it always
+      # falls back to the static M2M token. Leave [] to disable forwarding.
       allowedHeaders: ["authorization"]
       # Optional container resources for the agent Deployment.
       resources: {}
diff --git a/helm/agentic-platform/values.yaml b/helm/agentic-platform/values.yaml
index 966c0a4..883af7d 100644
--- a/helm/agentic-platform/values.yaml
+++ b/helm/agentic-platform/values.yaml
@@ -987,8 +987,16 @@ agents:
         - describe_prompt
         - get_prompt
       # Request headers forwarded from the inbound A2A call onto muster tool calls.
-      # Set ["authorization"] to forward the human token for on-behalf-of (the STS
-      # plugin then exchanges it); leave [] for pure M2M.
+      # ["authorization"] forwards the caller's Dex token to muster on each tool call.
+      # On its own this does not switch identity. It becomes the on-behalf-of subject
+      # only once muster's localMint backend runs the RFC 8693 exchange (sub=user) with
+      # the agent's ServiceAccount token as actor (act=sre-agent, carried as the
+      # X-Actor-Token header), minting a user-scoped backend token. That requires both
+      # (a) the kagent runtime override KAGENT_PROPAGATE_TOKEN_OVERRIDES_STATIC so the
+      # forwarded token beats the static M2M Authorization (kagent-dev/kagent#2044), and
+      # (b) a muster ActorDelegationPolicy letting the agent SA act for users. Until both
+      # land, sre-agent runs M2M only. With no caller token (autonomous runs) it always
+      # falls back to the static M2M token. Leave [] to disable forwarding.
       allowedHeaders: ["authorization"]
       # Optional container resources for the agent Deployment.
       resources: {}

From 5373716ef0feac55b366e9a8ad3bc8d8fdebb064 Mon Sep 17 00:00:00 2001
From: QuentinBisson <quentin@giantswarm.io>
Date: Thu, 25 Jun 2026 15:33:39 +0200
Subject: [PATCH 3/3] feat(kagent): add OBO actor-token forwarding to muster
 RemoteMCPServer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When `obo.enabled: true` (default), the agent's own SA OIDC token is sent
as X-Actor-Token alongside the forwarded user Authorization header. muster
then mints a localMint token with sub=user, act=SA — one exchange, no STS
plugin hop required.

When no user token is present (autonomous M2M runs), mcp-oauth strips the
actor token because actor==subject, so the minted token carries no act claim.
No SA→SA delegation rule is needed.

Depends on mcp-oauth fix/strip-self-actor-token (PR #488).
---
 .../kagent/agents/remotemcpservers.yaml       |  7 +++++++
 .../agentic-platform-connectivity/values.yaml | 20 +++++++++----------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/helm/agentic-platform-connectivity/templates/kagent/agents/remotemcpservers.yaml b/helm/agentic-platform-connectivity/templates/kagent/agents/remotemcpservers.yaml
index 491cbfc..701d51f 100644
--- a/helm/agentic-platform-connectivity/templates/kagent/agents/remotemcpservers.yaml
+++ b/helm/agentic-platform-connectivity/templates/kagent/agents/remotemcpservers.yaml
@@ -24,6 +24,13 @@ spec:
       type: Secret
       name: {{ $tokenSecretName | quote }}
       key: token
+{{- if $agent.obo.enabled }}
+  - name: X-Actor-Token
+    valueFrom:
+      type: Secret
+      name: {{ $tokenSecretName | quote }}
+      key: token
+{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/agentic-platform-connectivity/values.yaml b/helm/agentic-platform-connectivity/values.yaml
index e579cc9..931d121 100644
--- a/helm/agentic-platform-connectivity/values.yaml
+++ b/helm/agentic-platform-connectivity/values.yaml
@@ -811,17 +811,17 @@ agents:
         - describe_prompt
         - get_prompt
       # Request headers forwarded from the inbound A2A call onto muster tool calls.
-      # ["authorization"] forwards the caller's Dex token to muster on each tool call.
-      # On its own this does not switch identity. It becomes the on-behalf-of subject
-      # only once muster's localMint backend runs the RFC 8693 exchange (sub=user) with
-      # the agent's ServiceAccount token as actor (act=sre-agent, carried as the
-      # X-Actor-Token header), minting a user-scoped backend token. That requires both
-      # (a) the kagent runtime override KAGENT_PROPAGATE_TOKEN_OVERRIDES_STATIC so the
-      # forwarded token beats the static M2M Authorization (kagent-dev/kagent#2044), and
-      # (b) a muster ActorDelegationPolicy letting the agent SA act for users. Until both
-      # land, sre-agent runs M2M only. With no caller token (autonomous runs) it always
-      # falls back to the static M2M token. Leave [] to disable forwarding.
+      # ["authorization"] forwards the caller's Dex token to muster on each tool call,
+      # making the caller the sub on localMint exchanges. Leave [] to disable forwarding.
       allowedHeaders: ["authorization"]
+      # OBO (on-behalf-of) mode: sends the agent SA's K8s OIDC token as X-Actor-Token
+      # on every request to muster, enabling RFC 8693 delegation (sub=user, act=SA).
+      # Requires allowedHeaders to include "authorization" AND a muster
+      # ActorDelegationPolicy that allows this SA to act for the subject issuers.
+      # M2M autonomous runs (no caller token) still work provided the muster broker
+      # has a self-delegation rule for this SA (actor=subject=SA is a valid grant).
+      obo:
+        enabled: true
       # Optional container resources for the agent Deployment.
       resources: {}
       # Optional extra env for the agent Deployment.