diff --git a/CHANGELOG.md b/CHANGELOG.md index da6a1c0..9f6acfc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +- `agentic-platform-connectivity` `values.schema.json`: allow `klausGateway.slack.{dmOnly,botToken,signingSecret,appToken}`. The umbrella forwards its whole `klausGateway` block to the connectivity HelmRelease via `forwardAllValues`, but the connectivity `slack` schema had `additionalProperties: false` and only declared `enabled`/`mode`/`secretName`, so a real install (gazelle) failed the HelmRelease upgrade with `Additional property dmOnly/botToken/signingSecret/appToken is not allowed`. These keys are consumed by the klaus-gateway subchart, not this chart; they are now declared (and documented as forwarded-only) so validation passes. - klausgateway Slack OBO egress: a new `klausgateway-obo-egress` NetworkPolicy (cilium + kubernetes flavors, rendered when `klausGateway.obo.enabled`) lets the klaus-gateway pod reach the muster authorization server on 443/10443 for RFC 8414 discovery and the OAuth token exchange. The gateway is put into default-deny egress by the `klausgateway-a2a-egress` policy, which only allowed DNS + the agentgateway data plane; without this allowance the OBO token call to muster's public issuer host (which resolves to the public NLB / private LB VIP) was dropped. Mirrors the existing kagent-agent and oauth2-proxy `world`+`cluster` 443/10443 egress. - klausgateway connectivity route: the `AgentgatewayBackend` `.spec.static.host` now defaults to the correct `klaus-gateway` Service name (the klaus-gateway chart's default, matching `templates/klausgateway/netpol.yaml`) instead of `klausgateway`, which resolved to a non-existent Service when `klausGateway.fullnameOverride` was unset. diff --git a/helm/agentic-platform-connectivity/values.schema.json b/helm/agentic-platform-connectivity/values.schema.json index 83b0ae7..52a2ed8 100644 
--- a/helm/agentic-platform-connectivity/values.schema.json +++ b/helm/agentic-platform-connectivity/values.schema.json @@ -502,6 +502,22 @@ "secretName": { "type": "string", "description": "Secret containing bot-token, signing-secret, and app-token. Required when slack.enabled is true." + }, + "dmOnly": { + "type": "boolean", + "description": "Forwarded to the klaus-gateway subchart (SLACK_DM_ONLY). Unused by this chart; accepted so the umbrella's forwardAllValues passes through." + }, + "botToken": { + "type": "string", + "description": "Forwarded to the klaus-gateway subchart. Unused by this chart; accepted so the umbrella's forwardAllValues passes through." + }, + "signingSecret": { + "type": "string", + "description": "Forwarded to the klaus-gateway subchart. Unused by this chart; accepted so the umbrella's forwardAllValues passes through." + }, + "appToken": { + "type": "string", + "description": "Forwarded to the klaus-gateway subchart. Unused by this chart; accepted so the umbrella's forwardAllValues passes through." } } },
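Review bot: the added CHANGELOG.md entry under "Fixed" names a specific installation ("a real install (gazelle)") and quotes the validation error in a merged form, `Additional property dmOnly/botToken/signingSecret/appToken is not allowed`, which is not a string anyone can search for in HelmRelease status. Suggest dropping the installation name in favour of the condition that triggers the failure (the umbrella setting any of these `klausGateway.slack` keys while `forwardAllValues` is in effect), and quoting the error for a single key, e.g. `Additional property dmOnly is not allowed`. The entry would also be easier to act on if it said that `botToken`, `signingSecret` and `appToken` are credentials, so readers know which of the newly accepted keys are sensitive.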
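Review bot: in the values.schema.json hunk, the new `botToken`, `signingSecret` and `appToken` properties accept credentials as plain `string` values, and their descriptions never point to `secretName`, which the line just above documents as the Secret containing the same three values. Because the umbrella forwards its whole `klausGateway` block to the connectivity HelmRelease, any token set inline ends up in this release's values even though the descriptions say this chart does not use it. Suggest adding to each of the three descriptions that `secretName` is the preferred way to supply the value, and consider having the umbrella omit these keys when forwarding rather than widening a schema that was deliberately `additionalProperties: false`. As a smaller point, `dmOnly` names the setting it maps to (`SLACK_DM_ONLY`) while the other three descriptions are identical and name nothing; stating what each one maps to in the klaus-gateway subchart would make the schema self-documenting.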