Azure foundry backend #2091
Open
marosset wants to merge 3 commits into
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
Signed-off-by: Mark Rossetti <marosset@microsoft.com>
Pull request overview
Adds first-class Azure/Microsoft Foundry model provider support across the CRDs, controller translation layer, Go ADK runtime, and the web UI, including Azure Workload Identity wiring and Foundry-specific auth modes.
Changes:
- Introduces a new Foundry provider in ModelConfig/ModelProviderConfig, with auth modes APIKey, WorkloadIdentity, and APIKeyPassthrough plus endpoint/deployment/apiVersion settings.
- Updates the Go controller translator to emit Foundry runtime env + Azure Workload Identity pod labels / ServiceAccount annotations, and adds focused translator tests.
- Adds a Go ADK Foundry model implementation (Azure SDK token acquisition + request middleware) and UI create/edit support for Foundry.
Reviewed changes
Copilot reviewed 24 out of 26 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| ui/src/types/index.ts | Adds FoundryConfig type and wires it into ModelConfigSpec. |
| ui/src/lib/providers.ts | Registers Foundry as a supported provider and adds docs/help metadata. |
| ui/src/components/ProviderCombobox.tsx | Adds Foundry icon mapping. |
| ui/src/components/models/new/AuthSection.tsx | Adds Foundry auth-type selector and adjusts API key UI behavior. |
| ui/src/components/ModelProviderCombobox.tsx | Adds Foundry icon mapping for model provider selection. |
| ui/src/app/models/new/page.tsx | Implements Foundry auth mode handling and payload shaping in the model create/edit UI. |
| helm/kagent-crds/templates/kagent.dev_modelproviderconfigs.yaml | Adds Foundry to provider enum. |
| helm/kagent-crds/templates/kagent.dev_modelconfigs.yaml | Adds Foundry schema (endpoint/endpointFrom, auth modes, WI config, validations). |
| go/go.mod | Adds Azure SDK dependencies for token acquisition. |
| go/go.sum | Locks Azure SDK and transitive deps. |
| go/core/pkg/env/providers.go | Adds Foundry env vars (endpoint/deployment/api version/api key). |
| go/core/internal/httpserver/handlers/models.go | Adds Foundry model catalog entries to supported-models output. |
| go/core/internal/httpserver/handlers/modelproviderconfig.go | Adds Foundry provider + custom required/optional param lists. |
| go/core/internal/controller/translator/agent/foundry_test.go | New translator tests for Foundry auth modes and WI wiring. |
| go/core/internal/controller/translator/agent/deployments.go | Adds runtime-requirements merge + ServiceAccount annotation enforcement. |
| go/core/internal/controller/translator/agent/deployments_test.go | Tests runtime-requirements merge/conflict behavior. |
| go/core/internal/controller/translator/agent/compiler.go | Plumbs runtime requirements through compilation + enforces Go runtime for Foundry. |
| go/core/internal/controller/translator/agent/adk_api_translator.go | Implements Foundry config resolution, WI requirements, and ADK model translation. |
| go/api/v1alpha2/zz_generated.deepcopy.go | Adds deepcopy support for new Foundry API types. |
| go/api/v1alpha2/modelconfig_types.go | Defines Foundry provider + CRD types/validations (including ConfigMap refs). |
| go/api/config/crd/bases/kagent.dev_modelproviderconfigs.yaml | Adds Foundry to provider enum in generated CRD bases. |
| go/api/config/crd/bases/kagent.dev_modelconfigs.yaml | Adds Foundry schema + validations in generated CRD bases. |
| go/api/adk/types.go | Adds ADK Foundry model type and parsing/marshal support. |
| go/adk/pkg/models/foundry.go | Implements Foundry model client creation + Azure token/passthrough middleware. |
| go/adk/pkg/models/foundry_test.go | Adds unit tests for Foundry auth modes and middleware behavior. |
| go/adk/pkg/agent/agent.go | Wires ADK Foundry model into LLM creation. |
Files not reviewed (1)
- go/api/v1alpha2/zz_generated.deepcopy.go: Generated file
Comment on lines +293 to +297
| if (spec.foundry?.auth) { | ||
| effectiveFoundryAuthType = spec.foundry.auth.type; | ||
| setFoundryAuthType(effectiveFoundryAuthType); | ||
| fetchedParams = { ...spec.foundry } as Record<string, unknown>; | ||
| if (spec.foundry.auth.workloadIdentity) { |
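Review bot: `fetchedParams = { ...spec.foundry }` copies the nested `auth` object into the parameter map along with the flat settings, and the cast to `Record<string, unknown>` hides that from the type checker. If `fetchedParams` is later rendered or submitted as flat key/value parameters, `auth` will show up as an object-valued entry. Destructure it out first, for example `const { auth, ...rest } = spec.foundry; fetchedParams = rest;`, and handle the auth fields explicitly in the `workloadIdentity` branch that follows.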
Comment on lines 44 to +68
| // Helper function to get JSON keys specifically marked as required | ||
| func getRequiredKeysForModelProvider(providerType v1alpha2.ModelProvider) []string { | ||
| switch providerType { | ||
| case v1alpha2.ModelProviderAzureOpenAI: | ||
| // Based on the +required comments in the AzureOpenAIConfig struct definition | ||
| return []string{"azureEndpoint", "apiVersion"} | ||
| case v1alpha2.ModelProviderBedrock: | ||
| return []string{"region"} | ||
| case v1alpha2.ModelProviderSAPAICore: | ||
| return []string{"baseUrl"} | ||
| case v1alpha2.ModelProviderOpenAI, v1alpha2.ModelProviderAnthropic, v1alpha2.ModelProviderOllama: | ||
| // These providers currently have no fields marked as strictly required in the API definition | ||
| return []string{} | ||
| case v1alpha2.ModelProviderFoundry: | ||
| return []string{"endpoint", "deployment", "clientId"} | ||
| default: | ||
| // Unknown provider, return empty | ||
| return []string{} | ||
| } | ||
| } | ||
|
|
||
| func getOptionalKeysForModelProvider(providerType v1alpha2.ModelProvider, allKeys, requiredKeys []string) []string { | ||
| if providerType == v1alpha2.ModelProviderFoundry { | ||
| return []string{"apiVersion", "tenantId"} | ||
| } |
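Review bot: In `getRequiredKeysForModelProvider`, the `ModelProviderFoundry` case returns `"clientId"` as required regardless of auth mode, while the PR describes three modes (APIKey, WorkloadIdentity, APIKeyPassthrough). If `clientId` only applies to WorkloadIdentity, API-key configurations will be asked for an identity value they never use. Consider deriving the required list from the selected auth type, or moving `clientId` to the optional list next to `tenantId`. The early return in `getOptionalKeysForModelProvider` also ignores `allKeys` and `requiredKeys`, so both hard-coded lists can drift from the Foundry config struct. A short comment naming the source of these keys, like the one on the AzureOpenAI case, would help.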
Summary
Adds first-class Azure/Microsoft Foundry model provider support to kagent.
When auth: WorkloadIdentity is selected, kagent will label and annotate generated agent pods and ServiceAccounts for Azure Workload Identity support. The Go runtime has also been updated to use the Azure SDK to acquire Cognitive Services (part of Foundry) tokens.
These changes also add Azure Workload Identity support for authenticating to the models without the use of API keys.
API-Key and bearer-token passthrough support has also been added to match Foundry Entra (Azure AD) data-plane behavior.
What Changed
- Foundry as a ModelConfig provider and ADK runtime model
- APIKey, WorkloadIdentity, and APIKeyPassthrough
Validation
Fixes ##2072
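A check for the Workload Identity wiring the summary describes, as an added example that is not part of this PR or of kagent's code. It uses the label and annotation keys defined by the Azure Workload Identity project; the function name and the rule that client-id must be present are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Label and annotation keys defined by the Azure Workload Identity project.
const (
	useLabel      = "azure.workload.identity/use"
	clientIDAnnot = "azure.workload.identity/client-id"
)

var guidRE = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// CheckWorkloadIdentity reports wiring problems for one pod and its
// ServiceAccount. Treating client-id as mandatory is this example's
// assumption, not a rule taken from kagent.
func CheckWorkloadIdentity(podLabels, saAnnotations map[string]string) []string {
	var problems []string
	// The mutating webhook only acts on pods that carry this label.
	if podLabels[useLabel] != "true" {
		problems = append(problems, fmt.Sprintf("pod label %s must be \"true\"", useLabel))
	}
	id, ok := saAnnotations[clientIDAnnot]
	switch {
	case !ok:
		problems = append(problems, "ServiceAccount annotation "+clientIDAnnot+" is missing")
	case !guidRE.MatchString(id):
		problems = append(problems, clientIDAnnot+" is not a GUID")
	}
	return problems
}

func main() {
	// Constructed sample metadata: label missing, client-id malformed.
	pod := map[string]string{"app": "agent"}
	sa := map[string]string{clientIDAnnot: "not-a-guid"}
	for _, p := range CheckWorkloadIdentity(pod, sa) {
		fmt.Println("FAIL:", p)
	}
}
```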