Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions docs/api-reference/apifrontend-api.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
# API Frontend API

!!! warning "This page is under active development for v1.5 GA"

The API Frontend (AF) is the unified external gateway introduced in v1.5. It exposes MCP Streamable HTTP and A2A JSON-RPC protocols for operators, AI agents, and the Backstage console.

## Base URL
Expand Down
8 changes: 3 additions & 5 deletions docs/api-reference/operator-cr.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ The `Kubernaut` custom resource (`kubernaut.ai/v1alpha1`) is the single deployme
| `provider` | string | **yes** | — | LLM provider: `openai`, `ollama`, `azure`, `vertex`, `vertexAi`, `anthropic`, `bedrock`, `huggingface`, `mistral` |
| `model` | string | **yes** | — | Model name (e.g., `gpt-4o`, `gemini-2.5-pro`) |
| `credentialsSecretName` | string | **yes** | — | Secret containing API key |
| `endpoint` | string | no | — | Custom endpoint (required for `ollama`, `azure`, `mistral`) |
| `endpoint` | string | no | — | Custom endpoint (required for `openai`, `ollama`, `azure`, `mistral`). For `openai`, the operator appends `/v1` and translates to `openai_compatible` for AF. |
| `temperature` | string | no | — | LLM temperature |
| `maxRetries` | int | no | — | Retry count per LLM call |
| `timeoutSeconds` | int | no | — | Per-call timeout |
Expand Down Expand Up @@ -234,9 +234,7 @@ See [Per-phase LLM routing](../user-guide/configmap-kubernaut-agent.md#per-phase
| `issuerURL` | string | — | OIDC issuer URL (e.g., `https://login.kubernaut.ai/realms/kubernaut`). Must match the `iss` claim in tokens. |
| `audience` | string | `kubernaut-apifrontend` | Expected JWT audience claim. Must match the `aud` claim in tokens (typically the Keycloak realm URL). |
| `jwksURL` | string | — | Cluster-internal JWKS endpoint URL for token validation (e.g., `http://keycloak-service.keycloak:8080/realms/kagenti/protocol/openid-connect/certs`). Bypasses OIDC discovery — use when the issuer URL is external but JWKS must be fetched internally. |
| `allowInsecureIssuers` | bool | `false` | Allow insecure (HTTP or self-signed TLS) issuer verification. Set `true` for development or self-signed Keycloak deployments. **Must be `false` in production.** |
| `jwtProviders` | [][JWTProviderSpec](#jwtproviderspec) | — | One or more OIDC JWT providers |
| `allowInsecureJWKS` | bool | `false` | Permit HTTP JWKS URLs for dev/test. **Must be `false` in production.** |

### JWTProviderSpec (v1.5.1) {: #jwtproviderspec }

Expand All @@ -246,7 +244,7 @@ Used at `spec.kubernautAgent.interactive.jwtProviders[]` and `spec.apiFrontend.a
|---|---|---|---|
| `name` | string | **yes** | Human-readable provider name (1--63 chars, must be unique) |
| `issuerURL` | string | **yes** | OIDC issuer URL -- must match the `iss` claim in tokens |
| `jwksURL` | string | no | JWKS endpoint URL (max 2048 chars). Falls back to `issuerURL` for OIDC discovery if omitted. Must use HTTPS unless `allowInsecureJWKS` is true. |
| `jwksURL` | string | no | JWKS endpoint URL (max 2048 chars, must use HTTPS). Falls back to `issuerURL` for OIDC discovery if omitted. |
| `audiences` | []string | **yes** | Expected JWT audience claims (min 1 entry). Tokens without a matching `aud` are rejected. |
| `claimMappings` | [ClaimMappingsSpec](#claimmappingsspec) | no | Custom claim-to-identity field mappings |

Expand Down Expand Up @@ -331,7 +329,7 @@ See [Custom ClusterRoles](../architecture/security-rbac.md#custom-clusterroles)

| Field | Type | Default | Description |
|---|---|---|---|
| `enabled` | bool | `false` | Enable SPIRE integration via kagenti. When `true`, the operator labels the namespace with `kagenti-enabled=true` and creates an `AgentRuntime` CR. |
| `enabled` | *bool | `nil` (treated as `true`) | Enable SPIRE integration via kagenti. When `true`, the operator labels the namespace with `kagenti-enabled=true` and `pod-security.kubernetes.io/enforce=privileged`, and creates an `AgentRuntime` CR. Set to `false` explicitly to disable. |
| `className` | string | — | SPIRE class name provisioned by kagenti (e.g., `zero-trust-workload-identity-manager-spire`). Must match the `SPIREClusterConfig` deployed by kagenti. |

### APIFrontendShutdownSpec {: #apifrontendshutdownspec }
Expand Down
4 changes: 1 addition & 3 deletions docs/architecture/apifrontend.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
# API Frontend Architecture

!!! warning "This page is under active development for v1.5 GA"

The API Frontend (AF) is the unified external protocol layer introduced in v1.5. It provides MCP, A2A, and REST access to Kubernaut for operators, AI agents, and the Backstage console.

## Overview
Expand Down Expand Up @@ -195,7 +193,7 @@ The AF streams investigation output to clients via **Server-Sent Events**:

The AF runs its own LLM-backed agent for the A2A handler. The LLM config (`agent.llm` in the AF config.yaml) mirrors the KA `ai.llm` schema so operators use one config style across services.

Supported providers: `vertex_ai` (Claude on Vertex AI — requires `vertexProject` + `vertexLocation`), `gemini` (Gemini API direct — requires `apiKeyFile` or OAuth2), `anthropic` (Anthropic API direct — requires `apiKeyFile` or OAuth2). When `provider` is empty, the A2A handler returns HTTP 501.
Supported providers: `openai` (OpenAI-compatible endpoints — requires `endpoint`; operator translates to `openai_compatible` and appends `/v1`), `vertex_ai` (Claude on Vertex AI — requires `vertexProject` + `vertexLocation`), `gemini` (Gemini API direct — requires `apiKeyFile` or OAuth2), `anthropic` (Anthropic API direct — requires `apiKeyFile` or OAuth2). When `provider` is empty, the A2A handler returns HTTP 501.

**Multi-provider factory** — The AF uses a transport chain that resolves the provider at startup, wires TLS (including mTLS client certificates for corporate LLM gateways via `tlsCertFile`/`tlsKeyFile` — #1342), and applies an optional circuit breaker around all outbound LLM HTTP calls.

Expand Down
4 changes: 2 additions & 2 deletions docs/architecture/security-rbac.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ If you deploy a Kubernetes Event Exporter separately (not included in the chart

Without the bearer token, the Gateway returns `401 Unauthorized`. Without the ClusterRoleBinding, the Gateway returns `403 Forbidden`.

See [Installation](../getting-started/installation.md#signal-source-authentication) for the complete AlertManager configuration example.
See [Configuration Reference](../user-guide/configuration.md#signal-source-authentication) for the complete AlertManager configuration example.

## CRD Controllers

Expand Down Expand Up @@ -678,7 +678,7 @@ Assign this scope as a default scope to the `kagenti` client. The trust domain m

## Next Steps

- [Installation](../getting-started/installation.md#signal-source-authentication) -- Configure AlertManager and other signal sources
- [Configuration Reference](../user-guide/configuration.md#signal-source-authentication) -- Configure AlertManager and other signal sources
- [Configuration Reference](../user-guide/configuration.md) -- Helm values for all services
- [Disconnected Installation](../operations/disconnected-install.md) -- Air-gapped installation with Keycloak integration
- [Troubleshooting](../operations/troubleshooting.md) -- Diagnose RBAC-related issues
Loading