fix(connectivity): drop hostname scoping on inner kagent-controller route

[teemow]

Problem

The Slack OBO sre-agent turn passed JWT validation (the human muster token was forwarded and accepted — jwt.sub present) but died with 406 Not Acceptable before reaching the agent:

http.path=/kagent/api/a2a/kagent/sre-agent/a2a http.status=406
route=agentic-platform/agentic-platform-mcps protocol=mcp
error="mcp: client must accept both application/json and text/event-stream"

Root cause: the inner kagent-controller HTTPRoute (on the agentgateway data-plane Gateway) is rendered with hostnames: [<public hostname>] from kagent.controllerRoute.hostname. In-cluster A2A callers — notably klaus-gateway's --a2a-url, which targets the agentgateway Service cluster-DNS name (agentgateway.<ns>.svc.cluster.local) — send that Service host, which does not match the public hostname. The request falls through to the catch-all MCP route (agentic-platform-mcps, path /) and is handled as MCP Streamable-HTTP, which requires the client to accept both application/json and text/event-stream (the A2A client sends only text/event-stream).

Fix

Remove the hostname scoping from the inner kagent-controller route only. The inner hop is internal and must match any Host. /kagent is more specific than the MCP / route, so a hostname-less route wins for every Host (matching the existing hostname-less agentic-platform-mcps and sre-agent routes on the same Gateway). The outer kagent-controller-public route keeps the public hostname (required on the shared TLS Gateway).

Test plan

• make verify-modes + make verify-meta render guards unaffected
• Reconcile on gazelle; confirm the Slack OBO sre-agent turn streams a reply (no 406)

Made with Cursor