fix(connectivity): allow agentgateway data-plane egress to klaus-gateway:8080 #193
Merged
The channel paths (/v1, /web, /cli/v1, /channels/slack) are served on the
agentgateway data-plane Gateway and forwarded to the klaus-gateway Service on
:8080. The data-plane runs in Cilium default-deny egress (the -dataplane policy),
whose cluster allowance only covers 80/443, and there was no per-backend egress
allowance for klaus-gateway (unlike -dataplane-to-kagent). So the forward was
dropped and every channel request -- including inbound Slack events delivered to
the public hostname and routed through the data-plane -- failed with
503 UpstreamFailure ("Connect: deadline has elapsed"), so the Slack bot never
replied.
Add a -dataplane-to-klausgateway egress policy (cilium + kubernetes flavors,
rendered when klausGateway.agentgatewayRoute.enabled) mirroring the existing
-dataplane-to-kagent allowance.
Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
End-to-end gazelle validation of the Slack OBO gateway surfaced a real routing bug: the bot never replied to DMs.
Root cause (from the agentgateway data-plane log):
The channel paths (`/v1`, `/web`, `/cli/v1`, `/channels/slack`) are served on the agentgateway data-plane Gateway and forwarded to the `klaus-gateway` Service on `:8080`. The data-plane runs in Cilium default-deny egress (the `-dataplane` policy), whose cluster allowance only covers `80/443`, and there was no per-backend egress allowance for klaus-gateway (unlike `-dataplane-to-kagent`). So the forward was dropped and every channel request — including inbound Slack events delivered to the public hostname and routed through the data-plane — failed with a 503, so the Slack bot never replied. The OBO route was unaffected because it goes envoy → klaus-gateway Service directly (a different, allowed hop).
Change
* `-dataplane-to-klausgateway` egress policy (cilium + kubernetes flavors, rendered when `klausGateway.agentgatewayRoute.enabled`) that lets the data-plane reach `klaus-gateway:8080`. Mirrors the existing `-dataplane-to-kagent` allowance.
Test plan
`POST /channels/slack/events` no longer 503s; a Slack DM to the swarmgeist bot gets a reply.
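The shape of the per-backend egress allowance the description adds, in both flavors, as an added example written for this page rather than the project's own chart template. It keeps the default-deny `-dataplane` policy in force and opens only the one missing hop, data-plane to klaus-gateway on TCP 8080. The namespace, the `app.kubernetes.io/name` pod labels and the `RELEASE-` name prefix are assumptions; the real chart's selectors and release naming may differ.

```yaml
# Cilium flavor. Labels, namespace and name prefix are assumed, not the chart's own.
# Default-deny egress from the -dataplane policy stays in force; this policy only
# adds the single extra allowance: data-plane -> klaus-gateway:8080 (TCP).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: RELEASE-dataplane-to-klausgateway   # RELEASE = assumed release prefix
  namespace: klaus                           # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: agentgateway-dataplane   # assumed data-plane pod label
  egress:
    - toEndpoints:
        - matchLabels:
            app.kubernetes.io/name: klaus-gateway        # assumed klaus-gateway pod label
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
---
# Kubernetes flavor: the same allowance as a networking.k8s.io NetworkPolicy, for
# clusters where the chart renders plain policies instead of CiliumNetworkPolicy.
# policyTypes: [Egress] makes this an egress-only policy; nothing inbound changes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: RELEASE-dataplane-to-klausgateway
  namespace: klaus
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: agentgateway-dataplane
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: klaus-gateway
      ports:
        - port: 8080
          protocol: TCP
```

To confirm the fix on a Cilium cluster, `hubble observe --verdict DROPPED --to-port 8080` should stop showing policy-denied flows from the data-plane pods once the policy is applied, and the channel paths should return something other than 503 UpstreamFailure.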