Skip to content

refactor(agents): remove per-agent muster token machinery, forward-token only#198

Open
QuentinBisson wants to merge 1 commit into
mainfrom
obo/forward-token
Open

refactor(agents): remove per-agent muster token machinery, forward-token only#198
QuentinBisson wants to merge 1 commit into
mainfrom
obo/forward-token

Conversation

@QuentinBisson

Copy link
Copy Markdown
Contributor

Session 4 of the OBO single-token refactor (stack: giantswarm/mcp-oauth#496, giantswarm/muster#947, giantswarm/mcp-kubernetes#535, giantswarm/mcp-prometheus#245, giantswarm/mcp-observability-platform#138).

With M2M gone (#197), the per-agent static SA-token path had no remaining consumer. Agents reach muster exclusively on behalf of a user: kagent exchanges the caller's token plus the agent's projected SA token at muster's /oauth/token (RFC 8693) and propagates the single muster-issued token; muster validates it on /mcp and forwards it byte-identical to forwardToken backends.

Removed from agentic-platform-connectivity (and the umbrella defaults):

  • muster-token-init Job, muster-refresh CronJob, the shared token pod-spec helper, and the Secret-writer Role/RoleBinding
  • the static headersFrom Authorization on the per-agent muster RemoteMCPServer
  • the agents.definitions.<agent>.obo flag (on-behalf-of is the only mode; nothing left to toggle)
  • agents.muster.{kubectlImage,busyboxImage,tokenExpirationSeconds,tokenRefreshSchedule}

agents.remoteMcpServers[].tokenSecret now only accepts a pre-existing Secret. The chart-owned agent ServiceAccount stays: it is the actor identity muster sees on token exchange. docs/authentication.md OBO section rewritten for the forward-token model.

Held in draft until the glean end-to-end run is green; merges after the upstream stack, bottom-up.

…ken only

With M2M removed, the static SA-token path (muster-token-init Job,
muster-refresh CronJob, token pod-spec helper, Secret-writer RBAC, and the
headersFrom Authorization on the per-agent muster RemoteMCPServer) served no
remaining mode. The RemoteMCPServer now carries no static credentials: the
propagated muster on-behalf-of token is the only Authorization. The
agents.definitions.<agent>.obo flag and the agents.muster image/TTL/schedule
values are removed with it. docs/authentication.md describes the forward-token
model (one muster-issued token, validated and forwarded byte-identical).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants