From 87a439706dd5e73ec58e18f2f9b4e4373bcb4cfb Mon Sep 17 00:00:00 2001 From: dongjiang Date: Tue, 9 Jun 2026 14:51:43 +0800 Subject: [PATCH 1/3] add new kube-api-linter Signed-off-by: dongjiang --- go/.golangci.yaml | 14 ++- go/api/v1alpha1/agent_types.go | 2 +- go/api/v1alpha1/modelconfig_types.go | 18 ++-- go/api/v1alpha1/toolserver_types.go | 8 +- go/api/v1alpha2/agent_types.go | 108 +++++++++---------- go/api/v1alpha2/agentharness_types.go | 54 +++++----- go/api/v1alpha2/common_types.go | 4 +- go/api/v1alpha2/modelconfig_types.go | 34 +++--- go/api/v1alpha2/modelproviderconfig_types.go | 20 ++-- go/api/v1alpha2/remotemcpserver_types.go | 10 +- 10 files changed, 138 insertions(+), 134 deletions(-) diff --git a/go/.golangci.yaml b/go/.golangci.yaml index 2919571672..529fea1f7b 100644 --- a/go/.golangci.yaml +++ b/go/.golangci.yaml @@ -37,15 +37,19 @@ linters: enable: - "conflictingmarkers" - "duplicatemarkers" + - "forbiddenmarkers" + - "nodurations" - "nofloats" + - "nomaps" + - "nophase" + - "nonullable" + - "noreferences" + - "notimestamp" - "optionalorrequired" + - "jsontags" + - "statusoptional" - "statussubresource" - "uniquemarkers" - - "statusoptional" - - "nophase" - - "nonullable" - - "forbiddenmarkers" - - "nomaps" disable: - "*" lintersConfig: diff --git a/go/api/v1alpha1/agent_types.go b/go/api/v1alpha1/agent_types.go index 17309e9193..4053091594 100644 --- a/go/api/v1alpha1/agent_types.go +++ b/go/api/v1alpha1/agent_types.go @@ -48,7 +48,7 @@ type AgentSpec struct { // Can either be a reference to the name of a Memory in the same namespace as the referencing Agent, or a reference to the name of a Memory in a different namespace in the form / // +optional Memory []string `json:"memory,omitempty"` - // A2AConfig instantiates an A2A server for this agent, + // a2aConfig instantiates an A2A server for this agent, // served on the HTTP port of the kagent kubernetes // controller (default 8083). // The A2A server URL will be served at 
diff --git a/go/api/v1alpha1/modelconfig_types.go b/go/api/v1alpha1/modelconfig_types.go index 98f60fe241..de11e4da2c 100644 --- a/go/api/v1alpha1/modelconfig_types.go +++ b/go/api/v1alpha1/modelconfig_types.go @@ -100,7 +100,7 @@ type AnthropicConfig struct { // +optional MaxTokens int `json:"maxTokens,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -119,11 +119,11 @@ type OpenAIConfig struct { // +optional BaseURL string `json:"baseUrl,omitempty"` - // Organization ID for the OpenAI API + // organization ID for the OpenAI API // +optional Organization string `json:"organization,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -143,11 +143,11 @@ type OpenAIConfig struct { // +optional PresencePenalty string `json:"presencePenalty,omitempty"` - // Seed value + // seed value // +optional Seed *int `json:"seed,omitempty"` - // N value + // n value // +optional N *int `json:"n,omitempty"` @@ -179,7 +179,7 @@ type AzureOpenAIConfig struct { // TODO (peterj): We need to figure out how to implement this // AzureADTokenProvider interface{} `json:"azureAdTokenProvider,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -194,11 +194,11 @@ type AzureOpenAIConfig struct { // OllamaConfig contains Ollama-specific configuration options type OllamaConfig struct { - // Host for the Ollama API + // host for the Ollama API // +optional Host string `json:"host,omitempty"` - // Options for the Ollama API + // options for the Ollama API // +optional Options map[string]string `json:"options,omitempty"` } 
@@ -234,7 +234,7 @@ type ModelConfigSpec struct { // +optional DefaultHeaders map[string]string `json:"defaultHeaders,omitempty"` - // ModelInfo contains information about the model. + // modelInfo contains information about the model. // This field is required if the model is not one of the // pre-defined autogen models. That list can be found here: // +optional diff --git a/go/api/v1alpha1/toolserver_types.go b/go/api/v1alpha1/toolserver_types.go index 72147836e2..b8609e571f 100644 --- a/go/api/v1alpha1/toolserver_types.go +++ b/go/api/v1alpha1/toolserver_types.go @@ -127,9 +127,9 @@ type HttpToolServerConfig struct { // +optional HeadersFrom []ValueRef `json:"headersFrom,omitempty"` // +optional - Timeout *metav1.Duration `json:"timeout,omitempty"` + Timeout *metav1.Duration `json:"timeout,omitempty"` //nolint:kubeapilinter // v1alpha1 deprecated: breaking change to rename to TimeoutSeconds // +optional - SseReadTimeout *metav1.Duration `json:"sseReadTimeout,omitempty"` + SseReadTimeout *metav1.Duration `json:"sseReadTimeout,omitempty"` //nolint:kubeapilinter // v1alpha1 deprecated: breaking change to rename to SseReadTimeoutSeconds } type SseMcpServerConfig struct { @@ -167,11 +167,11 @@ type Component struct { // +required Provider string `json:"provider"` // +required - ComponentType string `json:"component_type"` + ComponentType string `json:"component_type"` //nolint:kubeapilinter // v1alpha1 deprecated: breaking change to rename json tag // +required Version int `json:"version"` // +required - ComponentVersion int `json:"component_version"` + ComponentVersion int `json:"component_version"` //nolint:kubeapilinter // v1alpha1 deprecated: breaking change to rename json tag // +required Description string `json:"description"` // +required diff --git a/go/api/v1alpha2/agent_types.go b/go/api/v1alpha2/agent_types.go index e4bdd54ac7..d584971924 100644 --- a/go/api/v1alpha2/agent_types.go +++ b/go/api/v1alpha2/agent_types.go 
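Review bot: The four `//nolint:kubeapilinter` directives added in go/api/v1alpha1/toolserver_types.go (`Timeout`, `SseReadTimeout`, `ComponentType`, `ComponentVersion`) do not name the rule they silence. As far as I know golangci-lint matches `nolint` on the linter name only, so each directive switches off every kube-api-linter check on its line, including rules enabled later. Naming the rule in the explanation keeps the exemption auditable, for example `//nolint:kubeapilinter // nodurations: v1alpha1 is deprecated, renaming to timeoutSeconds would break the API`, and presumably `// jsontags: ...` on the two `component_*` fields. Both structs start and end outside these hunks.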
@@ -55,13 +55,13 @@ type AgentSpec struct { // +optional Type AgentType `json:"type,omitempty"` - // BYO configures a "bring your own" agent backed by a user-provided + // byo configures a "bring your own" agent backed by a user-provided // container image. Kagent deploys the image and expects it to serve the // agent over the A2A protocol on port 8080. // Required if type is BYO. // +optional BYO *BYOAgentSpec `json:"byo,omitempty"` - // Declarative configures an agent that is fully described by this resource + // declarative configures an agent that is fully described by this resource // (model, instructions, tools) and runs on one of kagent's built-in runtimes. // Required if type is Declarative. // +optional @@ -70,18 +70,18 @@ type AgentSpec struct { // +optional Description string `json:"description,omitempty"` - // Skills to load into the agent. They will be pulled from the specified container images. + // skills to load into the agent. They will be pulled from the specified container images. // and made available to the agent under the `/skills` folder. // +optional Skills *SkillForAgent `json:"skills,omitempty"` - // Sandbox configures sandboxed execution behavior shared across runtimes. + // sandbox configures sandboxed execution behavior shared across runtimes. // This is intended for sandboxed declarative execution today, and can also // be consumed by BYO agents. // +optional Sandbox *SandboxConfig `json:"sandbox,omitempty"` - // AllowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. + // allowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. // This follows the Gateway API pattern for cross-namespace route attachments. // If not specified, only Agents in the same namespace can reference this Agent as a tool. // This field only applies when this Agent is used as a tool by another Agent. 
@@ -103,7 +103,7 @@ type SkillForAgent struct { // +optional Refs []string `json:"refs,omitempty"` - // ImagePullSecrets is a list of references to secrets in the same namespace to use for + // imagePullSecrets is a list of references to secrets in the same namespace to use for // pulling skill images from private registries. Each referenced secret must be of type // kubernetes.io/dockerconfigjson. The credentials from all secrets are merged and made // available to the skills-init container at /.kagent/.docker/config.json; krane will @@ -143,7 +143,7 @@ type SkillsInitContainer struct { // GitRepo specifies a single Git repository to fetch skills from. type GitRepo struct { - // URL of the git repository (HTTPS or SSH). + // url of the git repository (HTTPS or SSH). // +required URL string `json:"url"` @@ -158,7 +158,7 @@ type GitRepo struct { // +optional Path string `json:"path,omitempty"` - // Name for the skill directory under /skills. If omitted, defaults to the last + // name for the skill directory under /skills. If omitted, defaults to the last // segment of Path when Path is set; otherwise defaults to the repo name (last // URL path segment, without .git). // +optional 
@@ -167,24 +167,24 @@ type GitRepo struct { // +kubebuilder:validation:XValidation:rule="!has(self.systemMessage) || !has(self.systemMessageFrom)",message="systemMessage and systemMessageFrom are mutually exclusive" type DeclarativeAgentSpec struct { - // Runtime specifies which ADK implementation to use for this agent. + // runtime specifies which ADK implementation to use for this agent. // - "python": Uses the Python ADK (default, slower startup, full feature set) // - "go": Uses the Go ADK (faster startup, most features supported) // The runtime determines both the container image and readiness probe configuration. // +optional // +kubebuilder:default=python Runtime DeclarativeRuntime `json:"runtime,omitempty"` - // SystemMessage is a string specifying the system message for the agent. + // systemMessage is a string specifying the system message for the agent. // When PromptTemplate is set, this field is treated as a Go text/template // with access to an include("source/key") function and agent context variables // such as .AgentName, .AgentNamespace, .Description, .ToolNames, and .SkillNames. // +optional SystemMessage string `json:"systemMessage,omitempty"` - // SystemMessageFrom is a reference to a ConfigMap or Secret containing the system message. + // systemMessageFrom is a reference to a ConfigMap or Secret containing the system message. // When PromptTemplate is set, the resolved value is treated as a Go text/template. // +optional SystemMessageFrom *ValueSource `json:"systemMessageFrom,omitempty"` - // PromptTemplate enables Go text/template processing on the systemMessage field. + // promptTemplate enables Go text/template processing on the systemMessage field. // When set, systemMessage is treated as a Go template with access to the include function // and agent context variables. // +optional 
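Review bot: The rewritten comments in DeclarativeAgentSpec now open with the serialized field name but still refer to sibling fields by their Go names, so the generated CRD descriptions mix both: `systemMessage is a string ... When PromptTemplate is set` and `systemMessageFrom ... When PromptTemplate is set`. A user reading the CRD description only ever sees the JSON names, so the body should say `When promptTemplate is set`. The same leftover appears in later hunks of this patch: `ServiceAccountName`/`ServiceAccountConfig` in SharedDeploymentSpec, `ToolNames` under `requireApproval`, `HomeChannel` under `homeChannelName`, and `From` under `selector` in common_types.go. The struct continues outside this hunk.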
@@ -201,7 +201,7 @@ type DeclarativeAgentSpec struct { // +kubebuilder:validation:MaxItems=20 // +optional Tools []*Tool `json:"tools,omitempty"` - // A2AConfig instantiates an A2A server for this agent, + // a2aConfig instantiates an A2A server for this agent, // served on the HTTP port of the kagent kubernetes // controller (default 8083). // The A2A server URL will be served at @@ -220,11 +220,11 @@ type DeclarativeAgentSpec struct { // due to a bug in adk (https://github.com/google/adk-python/issues/3921 ), this field is ignored for now. ExecuteCodeBlocks *bool `json:"executeCodeBlocks,omitempty"` - // Memory configuration for the agent. + // memory configuration for the agent. // +optional Memory *MemorySpec `json:"memory,omitempty"` - // Context configures context management for this agent. + // context configures context management for this agent. // This includes event compaction (compression) and context caching. // +optional Context *ContextConfig `json:"context,omitempty"` @@ -232,7 +232,7 @@ type DeclarativeAgentSpec struct { // SandboxConfig configures sandboxed execution behavior. type SandboxConfig struct { - // Network configures outbound network access for sandboxed execution paths. + // network configures outbound network access for sandboxed execution paths. // When unset or when allowedDomains is empty, outbound access is denied by default. // +optional Network *NetworkConfig `json:"network,omitempty"` @@ -240,7 +240,7 @@ type SandboxConfig struct { // NetworkConfig configures outbound network access for sandboxed execution paths. type NetworkConfig struct { - // AllowedDomains lists the domains that sandboxed execution may contact. + // allowedDomains lists the domains that sandboxed execution may contact. // Wildcards such as *.example.com are supported by the sandbox runtime. // +optional AllowedDomains []string `json:"allowedDomains,omitempty"` 
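Review bot: In the NetworkConfig hunk, `AllowedDomains []string` carries only `// +optional`, so the API server accepts any number of entries with any content, including an empty string or a bare `*`. The comment describes this list as the sandbox egress allowlist with deny-by-default semantics, so a malformed or over-broad entry should be rejected at admission rather than left to the sandbox runtime, whose handling is not visible here. I would add `// +kubebuilder:validation:MaxItems=<LIMIT>` and a `// +kubebuilder:validation:items:Pattern=<DOMAIN_REGEX>` marker (both values are placeholders to be chosen by the maintainers), and document what a wildcard may and may not match. `AgentHarnessNetwork.AllowedDomains` later in this patch has the same shape.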
@@ -248,7 +248,7 @@ type NetworkConfig struct { // ContextConfig configures context management for an agent. type ContextConfig struct { - // Compaction configures event history compaction. + // compaction configures event history compaction. // When enabled, older events in the conversation are compacted (compressed/summarized) // to reduce context size while preserving key information. // +optional @@ -267,7 +267,7 @@ type ContextCompressionConfig struct { // +kubebuilder:default=2 // +kubebuilder:validation:Minimum=0 OverlapSize *int `json:"overlapSize,omitempty"` - // Summarizer configures an LLM-based summarizer for event compaction. + // summarizer configures an LLM-based summarizer for event compaction. // If not specified, compacted events are dropped from the context without summarization. // +optional Summarizer *ContextSummarizerConfig `json:"summarizer,omitempty"` 
@@ -275,19 +275,19 @@ type ContextCompressionConfig struct { // observed prompt token count meets or exceeds this threshold. // +optional TokenThreshold *int `json:"tokenThreshold,omitempty"` - // EventRetentionSize is the number of most recent events to always retain. + // eventRetentionSize is the number of most recent events to always retain. // +optional EventRetentionSize *int `json:"eventRetentionSize,omitempty"` } // ContextSummarizerConfig configures the LLM-based event summarizer. type ContextSummarizerConfig struct { - // ModelConfig is the name of a ModelConfig resource to use for summarization. + // modelConfig is the name of a ModelConfig resource to use for summarization. // Must be in the same namespace as the Agent. // If not specified, uses the agent's own model. // +optional ModelConfig *string `json:"modelConfig,omitempty"` - // PromptTemplate is a custom prompt template for the summarizer. + // promptTemplate is a custom prompt template for the summarizer. // See the ADK LlmEventSummarizer for template details: // https://github.com/google/adk-python/blob/main/src/google/adk/apps/llm_event_summarizer.py // +optional @@ -296,7 +296,7 @@ type ContextSummarizerConfig struct { // PromptTemplateSpec configures prompt template processing for an agent's system message. type PromptTemplateSpec struct { - // DataSources defines the ConfigMaps whose keys can be included in the systemMessage + // dataSources defines the ConfigMaps whose keys can be included in the systemMessage // using Go template syntax, e.g. include("alias/key") or include("name/key"). // +optional // +kubebuilder:validation:MaxItems=20 
@@ -311,7 +311,7 @@ type PromptSource struct { // For ConfigMaps: kind=ConfigMap, apiGroup="" (empty for core API group). TypedLocalReference `json:",inline"` - // Alias is an optional short identifier for use in include directives. + // alias is an optional short identifier for use in include directives. // If set, use include("alias/key") instead of include("name/key"). // +optional Alias string `json:"alias,omitempty"` @@ -319,12 +319,12 @@ type PromptSource struct { // MemorySpec enables long-term memory for an agent. type MemorySpec struct { - // ModelConfig is the name of the ModelConfig object whose embedding + // modelConfig is the name of the ModelConfig object whose embedding // provider will be used to generate memory vectors. // +required ModelConfig string `json:"modelConfig"` - // TTLDays controls how many days a stored memory entry remains valid before + // ttlDays controls how many days a stored memory entry remains valid before // it is eligible for pruning. Defaults to 15 days when unset or zero. // +optional // +kubebuilder:validation:Minimum=1 
@@ -339,21 +339,21 @@ type DeclarativeDeploymentSpec struct { } type BYOAgentSpec struct { - // Deployment configures the Kubernetes Deployment created for the BYO agent container. + // deployment configures the Kubernetes Deployment created for the BYO agent container. // +optional Deployment *ByoDeploymentSpec `json:"deployment,omitempty"` } type ByoDeploymentSpec struct { - // Image is the container image of the BYO agent. + // image is the container image of the BYO agent. // The image is expected to serve the agent over the A2A protocol on port 8080. // +kubebuilder:validation:MinLength=1 // +optional Image string `json:"image,omitempty"` - // Cmd overrides the container entrypoint (the container's command). + // cmd overrides the container entrypoint (the container's command). // +optional Cmd *string `json:"cmd,omitempty"` - // Args are the arguments passed to the container entrypoint. + // args are the arguments passed to the container entrypoint. // +optional Args []string `json:"args,omitempty"` // workingDir sets the container working directory. Defaults to the image WORKDIR when omitted. 
@@ -365,66 +365,66 @@ type ByoDeploymentSpec struct { // +kubebuilder:validation:XValidation:message="serviceAccountName and serviceAccountConfig are mutually exclusive",rule="!(has(self.serviceAccountName) && has(self.serviceAccountConfig))" type SharedDeploymentSpec struct { - // Replicas is the number of desired agent pods. Defaults to 1. + // replicas is the number of desired agent pods. Defaults to 1. // +optional Replicas *int32 `json:"replicas,omitempty"` - // ImagePullSecrets are references to secrets in the agent's namespace + // imagePullSecrets are references to secrets in the agent's namespace // used for pulling the agent container image. // +optional ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"` - // Volumes are additional volumes added to the agent pod. + // volumes are additional volumes added to the agent pod. // +optional Volumes []corev1.Volume `json:"volumes,omitempty"` - // VolumeMounts are additional volume mounts added to the agent container. + // volumeMounts are additional volume mounts added to the agent container. // +optional VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"` - // Labels are additional labels added to the agent pods. + // labels are additional labels added to the agent pods. // +optional Labels map[string]string `json:"labels,omitempty"` - // Annotations are additional annotations added to the agent pods. + // annotations are additional annotations added to the agent pods. // +optional Annotations map[string]string `json:"annotations,omitempty"` - // Env are additional environment variables set on the agent container. + // env are additional environment variables set on the agent container. // +optional Env []corev1.EnvVar `json:"env,omitempty"` // +optional ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"` // +optional Resources *corev1.ResourceRequirements `json:"resources,omitempty"` - // Tolerations applied to the agent pods. 
+ // tolerations applied to the agent pods. // +optional Tolerations []corev1.Toleration `json:"tolerations,omitempty"` // +optional Affinity *corev1.Affinity `json:"affinity,omitempty"` - // NodeSelector restricts the nodes the agent pods can be scheduled on. + // nodeSelector restricts the nodes the agent pods can be scheduled on. // +optional NodeSelector map[string]string `json:"nodeSelector,omitempty"` // +optional SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"` // +optional PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"` - // ServiceAccountName specifies the name of an existing ServiceAccount to use. + // serviceAccountName specifies the name of an existing ServiceAccount to use. // If this field is set, the Agent controller will not create a ServiceAccount for the agent. // This field is mutually exclusive with ServiceAccountConfig. // +optional ServiceAccountName *string `json:"serviceAccountName,omitempty"` - // ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + // serviceAccountConfig configures the ServiceAccount created by the Agent controller. // This field can only be used when ServiceAccountName is not set. // If ServiceAccountName is not set, a default ServiceAccount (named after the agent) // is created, and this config will be applied to it. // +optional ServiceAccountConfig *ServiceAccountConfig `json:"serviceAccountConfig,omitempty"` - // ExtraContainers is a list of additional containers to run alongside the main agent container. + // extraContainers is a list of additional containers to run alongside the main agent container. // Useful for sidecars such as token proxies, log shippers, or security agents. // +optional ExtraContainers []corev1.Container `json:"extraContainers,omitempty"` } type ServiceAccountConfig struct { - // Labels are additional labels added to the created ServiceAccount. 
+ // labels are additional labels added to the created ServiceAccount. // +optional Labels map[string]string `json:"labels,omitempty"` - // Annotations are additional annotations added to the created ServiceAccount. + // annotations are additional annotations added to the created ServiceAccount. // +optional Annotations map[string]string `json:"annotations,omitempty"` } @@ -450,7 +450,7 @@ type Tool struct { // +optional Agent *TypedReference `json:"agent,omitempty"` - // HeadersFrom specifies a list of configuration values to be added as + // headersFrom specifies a list of configuration values to be added as // headers to requests sent to the Tool from this agent. The value of // each header is resolved from either a Secret or ConfigMap in the same // namespace as the Agent. Headers specified here will override any @@ -487,7 +487,7 @@ type McpServerTool struct { // +optional ToolNames []string `json:"toolNames,omitempty"` - // RequireApproval lists tool names that require human approval before + // requireApproval lists tool names that require human approval before // execution. Each name must also appear in ToolNames. When a tool in // this list is invoked by the agent, execution pauses and the user is // prompted to approve or reject the call. @@ -495,7 +495,7 @@ type McpServerTool struct { // +kubebuilder:validation:MaxItems=50 RequireApproval []string `json:"requireApproval,omitempty"` - // AllowedHeaders specifies which headers from the A2A request should be + // allowedHeaders specifies which headers from the A2A request should be // propagated to MCP tool calls. Header names are case-insensitive. // // Authorization header behavior: 
@@ -557,28 +557,28 @@ type A2AConfig struct { // AgentSkill describes a specific capability or function of the agent. type AgentSkill struct { - // ID is the unique identifier for the skill. + // id is the unique identifier for the skill. // +optional ID string `json:"id,omitempty"` - // Name is the human-readable name of the skill. + // name is the human-readable name of the skill. // +kubebuilder:validation:MinLength=1 // +required Name string `json:"name"` - // Description is an optional detailed description of the skill. + // description is an optional detailed description of the skill. // +optional Description string `json:"description,omitempty"` - // Tags are optional tags for categorization. + // tags are optional tags for categorization. // +optional // +kubebuilder:validation:MaxItems=20 Tags []string `json:"tags,omitempty"` - // Examples are optional usage examples. + // examples are optional usage examples. // +optional // +kubebuilder:validation:MaxItems=20 Examples []string `json:"examples,omitempty"` - // InputModes are the supported input MIME types for this skill, overriding the agent's defaults. + // inputModes are the supported input MIME types for this skill, overriding the agent's defaults. // +optional InputModes []string `json:"inputModes,omitempty"` - // OutputModes are the supported output MIME types for this skill, overriding the agent's defaults. + // outputModes are the supported output MIME types for this skill, overriding the agent's defaults. // +optional OutputModes []string `json:"outputModes,omitempty"` } diff --git a/go/api/v1alpha2/agentharness_types.go b/go/api/v1alpha2/agentharness_types.go index ee74118827..df0cb0f255 100644 --- a/go/api/v1alpha2/agentharness_types.go +++ b/go/api/v1alpha2/agentharness_types.go 
@@ -49,7 +49,7 @@ const ( // AgentHarnessSubstrateSnapshotsConfig points at a GCS prefix for actor memory snapshots. // Substrate currently expects a gs:// location (see Agent Substrate SnapshotsConfig). type AgentHarnessSubstrateSnapshotsConfig struct { - // Location is the GCS URI prefix for golden and incremental snapshots. + // location is the GCS URI prefix for golden and incremental snapshots. // Example: gs://ate-snapshots/kagent/my-namespace/my-harness/ // +required // +kubebuilder:validation:Pattern=`^gs://` 
@@ -63,27 +63,27 @@ type AgentHarnessSubstrateSnapshotsConfig struct { // created or deleted by the AgentHarness controller. // +kubebuilder:validation:XValidation:rule="(has(self.gatewayToken) && !has(self.gatewayTokenSecretRef)) || (!has(self.gatewayToken) && has(self.gatewayTokenSecretRef))",message="Exactly one of gatewayToken or gatewayTokenSecretRef must be specified" type AgentHarnessSubstrateSpec struct { - // WorkerPoolRef references an existing ate.dev WorkerPool in the harness namespace. + // workerPoolRef references an existing ate.dev WorkerPool in the harness namespace. // When unset, the controller uses its configured default WorkerPool. // +optional WorkerPoolRef *TypedLocalReference `json:"workerPoolRef,omitempty"` - // SnapshotsConfig configures actor memory snapshots. Defaults to + // snapshotsConfig configures actor memory snapshots. Defaults to // gs://ate-snapshots// when unset. // +optional SnapshotsConfig *AgentHarnessSubstrateSnapshotsConfig `json:"snapshotsConfig,omitempty"` - // WorkloadImage overrides the default nemoclaw/openclaw sandbox image in the ActorTemplate. + // workloadImage overrides the default nemoclaw/openclaw sandbox image in the ActorTemplate. // +optional WorkloadImage string `json:"workloadImage,omitempty"` - // GatewayToken is the OpenClaw gateway Bearer token for this harness. + // gatewayToken is the OpenClaw gateway Bearer token for this harness. // Prefer gatewayTokenSecretRef for production secrets. // +optional // +kubebuilder:validation:MinLength=1 GatewayToken string `json:"gatewayToken,omitempty"` - // GatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. + // gatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. // The Secret must contain a "token" key. // +optional GatewayTokenSecretRef *TypedLocalReference `json:"gatewayTokenSecretRef,omitempty"` 
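Review bot: The `gatewayToken` comment is being edited here but still does not say why the inline form is discouraged. The field is a plain `string` in the spec, so the Bearer token is stored in the AgentHarness object itself and shows up in `kubectl get -o yaml` for anyone who can get or list the resource. It is also not covered by Secret-specific RBAC. I would extend the comment with `// The value is stored in plain text in the AgentHarness object and is readable by anyone who can get or list it;` followed by `// use gatewayTokenSecretRef outside of local development.` The struct continues outside this hunk, so I cannot see whether the controller ever copies the value into status or logs.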
@@ -138,7 +138,7 @@ type AgentHarnessTelegramChannelSpec struct { type AgentHarnessOpenClawSlackOptions struct { // +optional ChannelAccess AgentHarnessChannelAccess `json:"channelAccess,omitempty"` - // AllowlistChannels is required when channelAccess is allowlist. + // allowlistChannels is required when channelAccess is allowlist. // +optional // +kubebuilder:validation:MaxItems=1024 AllowlistChannels []string `json:"allowlistChannels,omitempty"` @@ -151,16 +151,16 @@ type AgentHarnessOpenClawSlackOptions struct { // // +kubebuilder:validation:XValidation:rule="!(size(self.allowedUserIDs) > 0 && has(self.allowedUserIDsFrom))",message="allowedUserIDs and allowedUserIDsFrom are mutually exclusive" type AgentHarnessHermesSlackOptions struct { - // AllowedUserIDs restricts which Slack member IDs may interact with the bot (SLACK_ALLOWED_USERS). + // allowedUserIDs restricts which Slack member IDs may interact with the bot (SLACK_ALLOWED_USERS). // +optional // +kubebuilder:validation:MaxItems=1024 AllowedUserIDs []string `json:"allowedUserIDs,omitempty"` // +optional AllowedUserIDsFrom *ValueSource `json:"allowedUserIDsFrom,omitempty"` - // HomeChannel is the default Slack channel ID for cron/scheduled messages (SLACK_HOME_CHANNEL). + // homeChannel is the default Slack channel ID for cron/scheduled messages (SLACK_HOME_CHANNEL). // +optional HomeChannel string `json:"homeChannel,omitempty"` - // HomeChannelName is a human-readable label for HomeChannel (SLACK_HOME_CHANNEL_NAME). + // homeChannelName is a human-readable label for HomeChannel (SLACK_HOME_CHANNEL_NAME). // +optional HomeChannelName string `json:"homeChannelName,omitempty"` } 
@@ -173,10 +173,10 @@ type AgentHarnessSlackChannelSpec struct { BotToken AgentHarnessChannelCredential `json:"botToken"` // +required AppToken AgentHarnessChannelCredential `json:"appToken"` - // OpenClaw configures OpenClaw/NemoClaw-specific Slack routing. + // openclaw configures OpenClaw/NemoClaw-specific Slack routing. // +optional OpenClaw *AgentHarnessOpenClawSlackOptions `json:"openclaw,omitempty"` - // Hermes configures Hermes-specific Slack settings. + // hermes configures Hermes-specific Slack settings. // +optional Hermes *AgentHarnessHermesSlackOptions `json:"hermes,omitempty"` } @@ -185,7 +185,7 @@ type AgentHarnessSlackChannelSpec struct { // // +kubebuilder:validation:XValidation:rule="(self.type == 'telegram' && has(self.telegram) && !has(self.slack)) || (self.type == 'slack' && has(self.slack) && !has(self.telegram))",message="exactly one of telegram or slack must be set and must match type" type AgentHarnessChannel struct { - // Name is a stable id for this binding (OpenClaw channels.*.accounts key). + // name is a stable id for this binding (OpenClaw channels.*.accounts key). // +kubebuilder:validation:MinLength=1 // +required Name string `json:"name"` @@ -193,7 +193,7 @@ type AgentHarnessChannel struct { Type AgentHarnessChannelType `json:"type"` // +optional Telegram *AgentHarnessTelegramChannelSpec `json:"telegram,omitempty"` - // Slack configures Slack when type is Slack. + // slack configures Slack when type is Slack. // +optional Slack *AgentHarnessSlackChannelSpec `json:"slack,omitempty"` } 
@@ -208,48 +208,48 @@ type AgentHarnessChannel struct { // +kubebuilder:validation:XValidation:rule="!has(self.substrate) || self.runtime == 'substrate'",message="spec.substrate may only be set when runtime is substrate" // +kubebuilder:validation:XValidation:rule="self.runtime != 'substrate' || has(self.substrate)",message="spec.substrate is required when runtime is substrate" type AgentHarnessSpec struct { - // Backend selects the control plane to use. Required. + // backend selects the control plane to use. Required. // +required Backend AgentHarnessBackendType `json:"backend"` - // Runtime selects the harness provisioning stack. Defaults to openshell when unset. + // runtime selects the harness provisioning stack. Defaults to openshell when unset. // +optional // +kubebuilder:default=openshell Runtime AgentHarnessRuntime `json:"runtime,omitempty"` - // Substrate is required when runtime is substrate. + // substrate is required when runtime is substrate. // +optional Substrate *AgentHarnessSubstrateSpec `json:"substrate,omitempty"` - // Description is a short human-readable summary shown in the UI (e.g. agents list). + // description is a short human-readable summary shown in the UI (e.g. agents list). // +optional Description string `json:"description,omitempty"` - // Image is the container image to run in the harness VM, if the backend + // image is the container image to run in the harness VM, if the backend // supports per-resource images. Backends openclaw and nemoclaw pin the image // to the NemoClaw sandbox base when this field is empty; backend hermes pins // to the Hermes sandbox base image when empty. // +optional Image string `json:"image,omitempty"` - // Env is a list of environment variables injected into the harness workload. + // env is a list of environment variables injected into the harness workload. // Values use the Kubernetes EnvVar shape; ValueFrom references are // resolved server-side where supported. 
// +optional Env []corev1.EnvVar `json:"env,omitempty"` - // Network controls outbound access from the harness. When unset, + // network controls outbound access from the harness. When unset, // backend defaults apply. // +optional Network *AgentHarnessNetwork `json:"network,omitempty"` - // ModelConfigRef is the reference to the ModelConfig used to configure the harness. + // modelConfigRef is the reference to the ModelConfig used to configure the harness. // The controller registers the gateway provider and, after the harness is Ready, // writes OpenClaw config inside the VM (~/.openclaw/openclaw.json) and starts the gateway. // +optional ModelConfigRef string `json:"modelConfigRef,omitempty"` - // Channels configures Telegram and Slack integrations for OpenClaw inside the harness VM. + // channels configures Telegram and Slack integrations for OpenClaw inside the harness VM. // +optional // +kubebuilder:validation:MaxItems=1024 Channels []AgentHarnessChannel `json:"channels,omitempty"` @@ -257,14 +257,14 @@ type AgentHarnessSpec struct { // AgentHarnessNetwork captures the minimal network-policy knobs exposed to users. type AgentHarnessNetwork struct { - // AllowedDomains is a list of DNS names the harness may reach. + // allowedDomains is a list of DNS names the harness may reach. // +optional AllowedDomains []string `json:"allowedDomains,omitempty"` } // AgentHarnessConnection describes how clients reach the provisioned harness VM. type AgentHarnessConnection struct { - // Endpoint is the backend-specific address (gRPC target, SSH host:port, + // endpoint is the backend-specific address (gRPC target, SSH host:port, // ...) clients should use to reach the harness. // +optional Endpoint string `json:"endpoint,omitempty"` 
@@ -285,12 +285,12 @@ type AgentHarnessStatus struct { // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` - // BackendRef points at the harness instance on the backend control + // backendRef points at the harness instance on the backend control // plane, once Ensure has succeeded at least once. // +optional BackendRef *AgentHarnessStatusRef `json:"backendRef,omitempty"` - // Connection is populated by the controller when the harness is ready. + // connection is populated by the controller when the harness is ready. // +optional Connection *AgentHarnessConnection `json:"connection,omitempty"` } diff --git a/go/api/v1alpha2/common_types.go b/go/api/v1alpha2/common_types.go index 5b5c574c25..d216fbe650 100644 --- a/go/api/v1alpha2/common_types.go +++ b/go/api/v1alpha2/common_types.go @@ -51,7 +51,7 @@ const ( // By default (when not specified), only references from the same namespace are allowed. // +kubebuilder:validation:XValidation:rule="!(self.from == 'Selector' && !has(self.selector))",message="selector must be specified when from is Selector" type AllowedNamespaces struct { - // From indicates where references to this resource can originate. + // from indicates where references to this resource can originate. // Possible values are: // * All: References from all namespaces are allowed. // * Same: Only references from the same namespace are allowed (default). @@ -60,7 +60,7 @@ type AllowedNamespaces struct { // +optional From FromNamespaces `json:"from,omitempty"` - // Selector is a label selector for namespaces that are allowed to reference this resource. + // selector is a label selector for namespaces that are allowed to reference this resource. // Only used when From is set to "Selector". // +optional Selector *metav1.LabelSelector `json:"selector,omitempty"` diff --git a/go/api/v1alpha2/modelconfig_types.go b/go/api/v1alpha2/modelconfig_types.go index 3536611744..87f049e6ab 100644 --- a/go/api/v1alpha2/modelconfig_types.go 
+++ b/go/api/v1alpha2/modelconfig_types.go @@ -103,7 +103,7 @@ type AnthropicConfig struct { // +optional MaxTokens int `json:"maxTokens,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -124,7 +124,7 @@ const TokenExchangeTypeGDCH TokenExchangeType = "GDCHServiceAccount" // GDCHServiceAccountConfig holds GDCH-specific token exchange parameters. type GDCHServiceAccountConfig struct { - // Audience is the token exchange audience URL (the GDC inference gateway base URL) + // audience is the token exchange audience URL (the GDC inference gateway base URL) // +required Audience string `json:"audience"` } @@ -143,11 +143,11 @@ type OpenAIConfig struct { // +optional BaseURL string `json:"baseUrl,omitempty"` - // Organization ID for the OpenAI API + // organization ID for the OpenAI API // +optional Organization string `json:"organization,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -167,11 +167,11 @@ type OpenAIConfig struct { // +optional PresencePenalty string `json:"presencePenalty,omitempty"` - // Seed value + // seed value // +optional Seed *int `json:"seed,omitempty"` - // N value + // n value // +optional N *int `json:"n,omitempty"` @@ -183,7 +183,7 @@ type OpenAIConfig struct { // +optional ReasoningEffort *OpenAIReasoningEffort `json:"reasoningEffort,omitempty"` - // TokenExchange configures dynamic bearer token acquisition via credential exchange. + // tokenExchange configures dynamic bearer token acquisition via credential exchange. // Requires apiKeySecret (used as the service account secret) and is mutually exclusive with apiKeyPassthrough. // +optional TokenExchange *TokenExchangeConfig `json:"tokenExchange,omitempty"` 
@@ -216,7 +216,7 @@ type AzureOpenAIConfig struct { // TODO (peterj): We need to figure out how to implement this // AzureADTokenProvider interface{} `json:"azureAdTokenProvider,omitempty"` - // Temperature for sampling + // temperature for sampling // +optional Temperature string `json:"temperature,omitempty"` @@ -231,11 +231,11 @@ type AzureOpenAIConfig struct { // OllamaConfig contains Ollama-specific configuration options type OllamaConfig struct { - // Host for the Ollama API + // host for the Ollama API // +optional Host string `json:"host,omitempty"` - // Options for the Ollama API + // options for the Ollama API // +optional Options map[string]string `json:"options,omitempty"` } @@ -248,7 +248,7 @@ type BedrockConfig struct { // +required Region string `json:"region"` - // AdditionalModelRequestFields passes model-specific parameters to Bedrock's + // additionalModelRequestFields passes model-specific parameters to Bedrock's // additionalModelRequestFields in the Converse API. Use this for provider-specific // options that are not part of the standard InferenceConfiguration block, such as // Claude extended thinking or top_k. Values are forwarded as-is to the API. 
@@ -283,7 +283,7 @@ type SAPAICoreConfig struct { // +kubebuilder:validation:XValidation:message="caCertSecretRef requires caCertSecretKey",rule="!(has(self.caCertSecretRef) && size(self.caCertSecretRef) > 0 && (!has(self.caCertSecretKey) || size(self.caCertSecretKey) == 0))" // +kubebuilder:validation:XValidation:message="disableSystemCAs requires caCertSecretRef or disableVerify (trust-nothing config rejects every upstream)",rule="!(has(self.disableSystemCAs) && self.disableSystemCAs && (!has(self.disableVerify) || !self.disableVerify) && (!has(self.caCertSecretRef) || size(self.caCertSecretRef) == 0))" type TLSConfig struct { - // DisableVerify disables SSL certificate verification entirely. + // disableVerify disables SSL certificate verification entirely. // When false (default), SSL certificates are verified. // When true, SSL certificate verification is disabled. // WARNING: This should ONLY be used in development/testing environments. @@ -292,7 +292,7 @@ type TLSConfig struct { // +kubebuilder:default=false DisableVerify bool `json:"disableVerify,omitempty"` - // CACertSecretRef is a reference to a Kubernetes Secret containing + // caCertSecretRef is a reference to a Kubernetes Secret containing // CA certificate(s) in PEM format. The Secret must be in the same // namespace as the resource referencing it (ModelConfig, // RemoteMCPServer, or any future consumer of TLSConfig). 
@@ -301,14 +301,14 @@ type TLSConfig struct { // +optional CACertSecretRef string `json:"caCertSecretRef,omitempty"` - // CACertSecretKey is the key within the Secret that contains the + // caCertSecretKey is the key within the Secret that contains the // CA certificate data (PEM-encoded). Required when CACertSecretRef // is set — admission rejects ref-without-key regardless of // DisableVerify (see the TLSConfig-level XValidation rules). // +optional CACertSecretKey string `json:"caCertSecretKey,omitempty"` - // DisableSystemCAs disables the use of system CA certificates. + // disableSystemCAs disables the use of system CA certificates. // When false (default), system CA certificates are used for verification (safe behavior). // When true, only the custom CA from CACertSecretRef is trusted. // This allows strict security policies where only corporate CAs should be trusted. @@ -363,7 +363,7 @@ type ModelConfigSpec struct { // +optional APIKeySecretKey string `json:"apiKeySecretKey,omitempty"` - // APIKeyPassthrough enables forwarding the Bearer token from incoming A2A requests + // apiKeyPassthrough enables forwarding the Bearer token from incoming A2A requests // directly to the LLM provider as the API key. This is useful for organizations // with federated identity that want to avoid separate secret management. // Mutually exclusive with apiKeySecret. @@ -414,7 +414,7 @@ type ModelConfigSpec struct { // +optional SAPAICore *SAPAICoreConfig `json:"sapAICore,omitempty"` - // TLS configuration for provider connections. + // tls configuration for provider connections. // Enables agents to connect to internal LiteLLM gateways or other providers // that use self-signed certificates or custom certificate authorities. // +optional diff --git a/go/api/v1alpha2/modelproviderconfig_types.go b/go/api/v1alpha2/modelproviderconfig_types.go index 9070012320..ecbf113708 100644 --- a/go/api/v1alpha2/modelproviderconfig_types.go +++ b/go/api/v1alpha2/modelproviderconfig_types.go 
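Review bot: In the TLSConfig hunk at -301, the descriptions now open with the JSON field name but still refer to sibling fields by their Go identifiers: `Required when CACertSecretRef is set`, `regardless of DisableVerify`, and `only the custom CA from CACertSecretRef is trusted`. The second patch in this series regenerates these comments into the CRD descriptions, so someone choosing trust settings from the schema reads names that do not appear in the manifest they are editing. I would switch the cross-references to the serialized names as well, e.g. `// CA certificate data (PEM-encoded). Required when caCertSecretRef` and `// When true, only the custom CA from caCertSecretRef is trusted.`. The `selector` comment in common_types.go (`Only used when From is set to "Selector"`) has the same mix. TLSConfig's definition starts and ends outside this hunk.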
@@ -53,7 +53,7 @@ func DefaultModelProviderEndpoint(providerType ModelProvider) string { // SecretReference references a Kubernetes Secret that must contain exactly one data key // holding the API key or credential. type SecretReference struct { - // Name is the name of the secret in the same namespace as the ModelProviderConfig. + // name is the name of the secret in the same namespace as the ModelProviderConfig. // +required Name string `json:"name"` } @@ -63,17 +63,17 @@ type SecretReference struct { // +kubebuilder:validation:XValidation:message="endpoint must be a valid URL starting with http:// or https://",rule="!has(self.endpoint) || size(self.endpoint) == 0 || self.endpoint.startsWith('http://') || self.endpoint.startsWith('https://')" // +kubebuilder:validation:XValidation:message="secretRef is required for providers that need authentication (not Ollama)",rule="self.type == 'Ollama' || (has(self.secretRef) && has(self.secretRef.name) && size(self.secretRef.name) > 0)" type ModelProviderConfigSpec struct { - // Type is the model provider type (OpenAI, Anthropic, etc.) + // type is the model provider type (OpenAI, Anthropic, etc.) // +required Type ModelProvider `json:"type"` - // Endpoint is the API endpoint URL for the provider. + // endpoint is the API endpoint URL for the provider. // If not specified, the default endpoint for the provider type will be used. // +optional // +kubebuilder:validation:Pattern=`^https?://.*` Endpoint string `json:"endpoint,omitempty"` - // SecretRef references the Kubernetes Secret containing the API key. + // secretRef references the Kubernetes Secret containing the API key. // Optional for providers that don't require authentication (e.g., local Ollama). // +optional SecretRef *SecretReference `json:"secretRef,omitempty"` 
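Review bot: The `endpoint` description in the ModelProviderConfigSpec hunk does not say that both the XValidation rule and the `^https?://.*` pattern accept plain `http://`, while `secretRef` in the same struct holds the provider API key. If the controller sends that credential to `endpoint` (not visible in this hunk), an http value would carry it unencrypted, so the field comment is the natural place to steer users. I would add a line such as `// Use https:// for any provider that needs secretRef; http:// is intended for local endpoints such as Ollama.`, to be confirmed against the intended policy. The struct continues outside the hunk.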
@@ -94,29 +94,29 @@ func (p *ModelProviderConfigSpec) RequiresSecret() bool { // ModelProviderConfigStatus defines the observed state of ModelProviderConfig. type ModelProviderConfigStatus struct { - // ObservedGeneration reflects the generation of the most recently observed ModelProviderConfig spec + // observedGeneration reflects the generation of the most recently observed ModelProviderConfig spec // +optional ObservedGeneration int64 `json:"observedGeneration,omitempty"` - // Conditions represent the latest available observations of the ModelProviderConfig's state + // conditions represent the latest available observations of the ModelProviderConfig's state // +optional // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:"conditions,omitempty"` - // DiscoveredModels is the cached list of model IDs available from this model provider + // discoveredModels is the cached list of model IDs available from this model provider // +optional DiscoveredModels []string `json:"discoveredModels,omitempty"` - // ModelCount is the number of discovered models (for kubectl display) + // modelCount is the number of discovered models (for kubectl display) // +optional ModelCount int `json:"modelCount,omitempty"` - // LastDiscoveryTime is the timestamp of the last successful model discovery + // lastDiscoveryTime is the timestamp of the last successful model discovery // +optional LastDiscoveryTime *metav1.Time `json:"lastDiscoveryTime,omitempty"` - // SecretHash is a hash of the referenced secret data, used to detect secret changes + // secretHash is a hash of the referenced secret data, used to detect secret changes // +optional SecretHash string `json:"secretHash,omitempty"` } diff --git a/go/api/v1alpha2/remotemcpserver_types.go b/go/api/v1alpha2/remotemcpserver_types.go index 09cad5a6a2..2c0e8c15b6 100644 --- a/go/api/v1alpha2/remotemcpserver_types.go +++ b/go/api/v1alpha2/remotemcpserver_types.go 
@@ -52,21 +52,21 @@ type RemoteMCPServerSpec struct { HeadersFrom []ValueRef `json:"headersFrom,omitempty"` // +optional // +kubebuilder:default="30s" - Timeout *metav1.Duration `json:"timeout,omitempty"` + Timeout *metav1.Duration `json:"timeout,omitempty"` //nolint:kubeapilinter // breaking change to rename to TimeoutSeconds // +optional - SseReadTimeout *metav1.Duration `json:"sseReadTimeout,omitempty"` + SseReadTimeout *metav1.Duration `json:"sseReadTimeout,omitempty"` //nolint:kubeapilinter // breaking change to rename to SseReadTimeoutSeconds // +optional // +kubebuilder:default=true TerminateOnClose *bool `json:"terminateOnClose,omitempty"` - // AllowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. + // allowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. // This follows the Gateway API pattern for cross-namespace route attachments. // If not specified, only Agents in the same namespace can reference this RemoteMCPServer. // See: https://gateway-api.sigs.k8s.io/guides/multiple-ns/#cross-namespace-route-attachment // +optional AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces,omitempty"` - // TLS configuration for the upstream MCP server connection. + // tls configuration for the upstream MCP server connection. // Use this for HTTPS upstreams that present a certificate the agent's // system trust store does not include (corporate CA, self-signed cert // on a test fixture, internal MCP gateway). Reuses the same TLSConfig 
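Review bot: `Timeout` and `SseReadTimeout` have no doc comment, and the new `//nolint:kubeapilinter` is, as far as I can tell, scoped to the linter as a whole rather than to the durations check, so any other kube-api-linter finding on those two lines is silenced with it. A short description above each field would keep the generated schema self-explanatory, e.g. `// timeout is the request timeout for the upstream MCP server. Defaults to 30s.` (wording to be confirmed against the controller). The suppression would also be easier to revisit if it named a tracking issue, e.g. `// TODO(<issue-id>): move to timeoutSeconds in the next API version`. RemoteMCPServerSpec starts and ends outside this hunk.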
@@ -109,7 +109,7 @@ type RemoteMCPServerStatus struct { Conditions []metav1.Condition `json:"conditions,omitempty"` // +optional DiscoveredTools []*MCPTool `json:"discoveredTools,omitempty"` - // SecretHash stores a hash of the TLS Secret referenced by spec.tls so + // secretHash stores a hash of the TLS Secret referenced by spec.tls so // agents that consume this RemoteMCPServer can detect cert rotation and // roll on the next reconcile. Empty when spec.tls.caCertSecretRef is unset. // +optional From 4082804d43553bba83abfda0351586e41297f6bd Mon Sep 17 00:00:00 2001 From: dongjiang Date: Tue, 9 Jun 2026 17:29:00 +0800 Subject: [PATCH 2/3] fix make manifests Signed-off-by: dongjiang --- .../crd/bases/kagent.dev_agentharnesses.yaml | 54 +++---- .../config/crd/bases/kagent.dev_agents.yaml | 142 +++++++++--------- .../crd/bases/kagent.dev_modelconfigs.yaml | 52 +++---- .../kagent.dev_modelproviderconfigs.yaml | 20 +-- .../bases/kagent.dev_remotemcpservers.yaml | 18 +-- .../crd/bases/kagent.dev_sandboxagents.yaml | 140 ++++++++--------- 6 files changed, 213 insertions(+), 213 deletions(-) diff --git a/go/api/config/crd/bases/kagent.dev_agentharnesses.yaml b/go/api/config/crd/bases/kagent.dev_agentharnesses.yaml index 9c4c1ee2a6..0b820b66b3 100644 --- a/go/api/config/crd/bases/kagent.dev_agentharnesses.yaml +++ b/go/api/config/crd/bases/kagent.dev_agentharnesses.yaml 
@@ -68,26 +68,26 @@ spec: ready to accept incoming commands. properties: backend: - description: Backend selects the control plane to use. Required. + description: backend selects the control plane to use. Required. enum: - openclaw - nemoclaw - hermes type: string channels: - description: Channels configures Telegram and Slack integrations for + description: channels configures Telegram and Slack integrations for OpenClaw inside the harness VM. items: description: AgentHarnessChannel declares one messenger binding inside a harness VM. properties: name: - description: Name is a stable id for this binding (OpenClaw + description: name is a stable id for this binding (OpenClaw channels.*.accounts key). minLength: 1 type: string slack: - description: Slack configures Slack when type is Slack. + description: slack configures Slack when type is Slack. properties: appToken: description: AgentHarnessChannelCredential supplies a token @@ -158,10 +158,10 @@ spec: rule: (has(self.value) && !has(self.valueFrom)) || (!has(self.value) && has(self.valueFrom)) hermes: - description: Hermes configures Hermes-specific Slack settings. + description: hermes configures Hermes-specific Slack settings. properties: allowedUserIDs: - description: AllowedUserIDs restricts which Slack member + description: allowedUserIDs restricts which Slack member IDs may interact with the bot (SLACK_ALLOWED_USERS). items: type: string @@ -190,11 +190,11 @@ spec: - type type: object homeChannel: - description: HomeChannel is the default Slack channel + description: homeChannel is the default Slack channel ID for cron/scheduled messages (SLACK_HOME_CHANNEL). type: string homeChannelName: - description: HomeChannelName is a human-readable label + description: homeChannelName is a human-readable label for HomeChannel (SLACK_HOME_CHANNEL_NAME). type: string type: object 
@@ -203,11 +203,11 @@ spec: exclusive rule: '!(size(self.allowedUserIDs) > 0 && has(self.allowedUserIDsFrom))' openclaw: - description: OpenClaw configures OpenClaw/NemoClaw-specific + description: openclaw configures OpenClaw/NemoClaw-specific Slack routing. properties: allowlistChannels: - description: AllowlistChannels is required when channelAccess + description: allowlistChannels is required when channelAccess is allowlist. items: type: string @@ -326,12 +326,12 @@ spec: maxItems: 1024 type: array description: - description: Description is a short human-readable summary shown in + description: description is a short human-readable summary shown in the UI (e.g. agents list). type: string env: description: |- - Env is a list of environment variables injected into the harness workload. + env is a list of environment variables injected into the harness workload. Values use the Kubernetes EnvVar shape; ValueFrom references are resolved server-side where supported. items: 
@@ -491,24 +491,24 @@ spec: type: array image: description: |- - Image is the container image to run in the harness VM, if the backend + image is the container image to run in the harness VM, if the backend supports per-resource images. Backends openclaw and nemoclaw pin the image to the NemoClaw sandbox base when this field is empty; backend hermes pins to the Hermes sandbox base image when empty. type: string modelConfigRef: description: |- - ModelConfigRef is the reference to the ModelConfig used to configure the harness. + modelConfigRef is the reference to the ModelConfig used to configure the harness. The controller registers the gateway provider and, after the harness is Ready, writes OpenClaw config inside the VM (~/.openclaw/openclaw.json) and starts the gateway. type: string network: description: |- - Network controls outbound access from the harness. When unset, + network controls outbound access from the harness. When unset, backend defaults apply. properties: allowedDomains: - description: AllowedDomains is a list of DNS names the harness + description: allowedDomains is a list of DNS names the harness may reach. items: type: string 
@@ -516,24 +516,24 @@ spec: type: object runtime: default: openshell - description: Runtime selects the harness provisioning stack. Defaults + description: runtime selects the harness provisioning stack. Defaults to openshell when unset. enum: - openshell - substrate type: string substrate: - description: Substrate is required when runtime is substrate. + description: substrate is required when runtime is substrate. properties: gatewayToken: description: |- - GatewayToken is the OpenClaw gateway Bearer token for this harness. + gatewayToken is the OpenClaw gateway Bearer token for this harness. Prefer gatewayTokenSecretRef for production secrets. minLength: 1 type: string gatewayTokenSecretRef: description: |- - GatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. + gatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. The Secret must contain a "token" key. properties: apiGroup: @@ -547,12 +547,12 @@ spec: type: object snapshotsConfig: description: |- - SnapshotsConfig configures actor memory snapshots. Defaults to + snapshotsConfig configures actor memory snapshots. Defaults to gs://ate-snapshots// when unset. properties: location: description: |- - Location is the GCS URI prefix for golden and incremental snapshots. + location is the GCS URI prefix for golden and incremental snapshots. Example: gs://ate-snapshots/kagent/my-namespace/my-harness/ pattern: ^gs:// type: string @@ -561,7 +561,7 @@ spec: type: object workerPoolRef: description: |- - WorkerPoolRef references an existing ate.dev WorkerPool in the harness namespace. + workerPoolRef references an existing ate.dev WorkerPool in the harness namespace. When unset, the controller uses its configured default WorkerPool. properties: apiGroup: 
@@ -574,7 +574,7 @@ spec: - name type: object workloadImage: - description: WorkloadImage overrides the default nemoclaw/openclaw + description: workloadImage overrides the default nemoclaw/openclaw sandbox image in the ActorTemplate. type: string type: object @@ -601,7 +601,7 @@ spec: properties: backendRef: description: |- - BackendRef points at the harness instance on the backend control + backendRef points at the harness instance on the backend control plane, once Ensure has succeeded at least once. properties: backend: @@ -676,12 +676,12 @@ spec: type: object type: array connection: - description: Connection is populated by the controller when the harness + description: connection is populated by the controller when the harness is ready. properties: endpoint: description: |- - Endpoint is the backend-specific address (gRPC target, SSH host:port, + endpoint is the backend-specific address (gRPC target, SSH host:port, ...) clients should use to reach the harness. type: string type: object diff --git a/go/api/config/crd/bases/kagent.dev_agents.yaml b/go/api/config/crd/bases/kagent.dev_agents.yaml index 8338f8e182..39e9c11aa3 100644 --- a/go/api/config/crd/bases/kagent.dev_agents.yaml +++ b/go/api/config/crd/bases/kagent.dev_agents.yaml @@ -56,7 +56,7 @@ spec: properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at 
@@ -2393,7 +2393,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. + allowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this Agent as a tool. This field only applies when this Agent is used as a tool by another Agent. @@ -2402,7 +2402,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -2414,7 +2414,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: @@ -2466,13 +2466,13 @@ spec: rule: '!(self.from == ''Selector'' && !has(self.selector))' byo: description: |- - BYO configures a "bring your own" agent backed by a user-provided + byo configures a "bring your own" agent backed by a user-provided container image. Kagent deploys the image and expects it to serve the agent over the A2A protocol on port 8080. Required if type is BYO. properties: deployment: - description: Deployment configures the Kubernetes Deployment created + description: deployment configures the Kubernetes Deployment created for the BYO agent container. properties: affinity: 
@@ -3402,21 +3402,21 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object args: - description: Args are the arguments passed to the container + description: args are the arguments passed to the container entrypoint. items: type: string type: array cmd: - description: Cmd overrides the container entrypoint (the container's + description: cmd overrides the container entrypoint (the container's command). type: string env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -3576,7 +3576,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -5115,7 +5115,7 @@ spec: type: array image: description: |- - Image is the container image of the BYO agent. + image is the container image of the BYO agent. The image is expected to serve the agent over the A2A protocol on port 8080. minLength: 1 type: string @@ -5125,7 +5125,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- 
@@ -5147,13 +5147,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -5393,7 +5393,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer @@ -5653,7 +5653,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. 
@@ -5661,24 +5661,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -5718,7 +5718,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume @@ -5783,7 +5783,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that 
@@ -7713,13 +7713,13 @@ spec: type: object declarative: description: |- - Declarative configures an agent that is fully described by this resource + declarative configures an agent that is fully described by this resource (model, instructions, tools) and runs on one of kagent's built-in runtimes. Required if type is Declarative. properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at @@ -7732,37 +7732,37 @@ spec: or function of the agent. properties: description: - description: Description is an optional detailed description + description: description is an optional detailed description of the skill. type: string examples: - description: Examples are optional usage examples. + description: examples are optional usage examples. items: type: string maxItems: 20 type: array id: - description: ID is the unique identifier for the skill. + description: id is the unique identifier for the skill. type: string inputModes: - description: InputModes are the supported input MIME + description: inputModes are the supported input MIME types for this skill, overriding the agent's defaults. items: type: string type: array name: - description: Name is the human-readable name of the + description: name is the human-readable name of the skill. minLength: 1 type: string outputModes: - description: OutputModes are the supported output MIME + description: outputModes are the supported output MIME types for this skill, overriding the agent's defaults. items: type: string type: array tags: - description: Tags are optional tags for categorization. + description: tags are optional tags for categorization. items: type: string maxItems: 20 
@@ -7775,12 +7775,12 @@ spec: type: object context: description: |- - Context configures context management for this agent. + context configures context management for this agent. This includes event compaction (compression) and context caching. properties: compaction: description: |- - Compaction configures event history compaction. + compaction configures event history compaction. When enabled, older events in the conversation are compacted (compressed/summarized) to reduce context size while preserving key information. properties: @@ -7792,7 +7792,7 @@ spec: minimum: 1 type: integer eventRetentionSize: - description: EventRetentionSize is the number of most + description: eventRetentionSize is the number of most recent events to always retain. type: integer overlapSize: @@ -7805,18 +7805,18 @@ spec: type: integer summarizer: description: |- - Summarizer configures an LLM-based summarizer for event compaction. + summarizer configures an LLM-based summarizer for event compaction. If not specified, compacted events are dropped from the context without summarization. properties: modelConfig: description: |- - ModelConfig is the name of a ModelConfig resource to use for summarization. + modelConfig is the name of a ModelConfig resource to use for summarization. Must be in the same namespace as the Agent. If not specified, uses the agent's own model. type: string promptTemplate: description: |- - PromptTemplate is a custom prompt template for the summarizer. + promptTemplate is a custom prompt template for the summarizer. See the ADK LlmEventSummarizer for template details: https://github.com/google/adk-python/blob/main/src/google/adk/apps/llm_event_summarizer.py type: string 
@@ -8757,11 +8757,11 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -8921,7 +8921,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -10464,7 +10464,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -10488,13 +10488,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -10734,7 +10734,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer 
@@ -10994,7 +10994,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. @@ -11002,24 +11002,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -11059,7 +11059,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume 
@@ -11124,7 +11124,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that @@ -13055,16 +13055,16 @@ spec: due to a bug in adk (https://github.com/google/adk-python/issues/3921 ), this field is ignored for now. type: boolean memory: - description: Memory configuration for the agent. + description: memory configuration for the agent. properties: modelConfig: description: |- - ModelConfig is the name of the ModelConfig object whose embedding + modelConfig is the name of the ModelConfig object whose embedding provider will be used to generate memory vectors. type: string ttlDays: description: |- - TTLDays controls how many days a stored memory entry remains valid before + ttlDays controls how many days a stored memory entry remains valid before it is eligible for pruning. Defaults to 15 days when unset or zero. minimum: 1 type: integer @@ -13079,13 +13079,13 @@ spec: type: string promptTemplate: description: |- - PromptTemplate enables Go text/template processing on the systemMessage field. + promptTemplate enables Go text/template processing on the systemMessage field. When set, systemMessage is treated as a Go template with access to the include function and agent context variables. properties: dataSources: description: |- - DataSources defines the ConfigMaps whose keys can be included in the systemMessage + dataSources defines the ConfigMaps whose keys can be included in the systemMessage using Go template syntax, e.g. include("alias/key") or include("name/key"). items: description: |- @@ -13095,7 +13095,7 @@ spec: properties: alias: description: |- - Alias is an optional short identifier for use in include directives. + alias is an optional short identifier for use in include directives. If set, use include("alias/key") instead of include("name/key"). type: string apiGroup: 
@@ -13113,7 +13113,7 @@ spec: runtime: default: python description: |- - Runtime specifies which ADK implementation to use for this agent. + runtime specifies which ADK implementation to use for this agent. - "python": Uses the Python ADK (default, slower startup, full feature set) - "go": Uses the Go ADK (faster startup, most features supported) The runtime determines both the container image and readiness probe configuration. @@ -13128,14 +13128,14 @@ spec: type: boolean systemMessage: description: |- - SystemMessage is a string specifying the system message for the agent. + systemMessage is a string specifying the system message for the agent. When PromptTemplate is set, this field is treated as a Go text/template with access to an include("source/key") function and agent context variables such as .AgentName, .AgentNamespace, .Description, .ToolNames, and .SkillNames. type: string systemMessageFrom: description: |- - SystemMessageFrom is a reference to a ConfigMap or Secret containing the system message. + systemMessageFrom is a reference to a ConfigMap or Secret containing the system message. When PromptTemplate is set, the resolved value is treated as a Go text/template. properties: key: @@ -13174,7 +13174,7 @@ spec: type: object headersFrom: description: |- - HeadersFrom specifies a list of configuration values to be added as + headersFrom specifies a list of configuration values to be added as headers to requests sent to the Tool from this agent. The value of each header is resolved from either a Secret or ConfigMap in the same namespace as the Agent. Headers specified here will override any @@ -13220,7 +13220,7 @@ spec: properties: allowedHeaders: description: |- - AllowedHeaders specifies which headers from the A2A request should be + allowedHeaders specifies which headers from the A2A request should be propagated to MCP tool calls. Header names are case-insensitive. Authorization header behavior: 
@@ -13244,7 +13244,7 @@ spec: type: string requireApproval: description: |- - RequireApproval lists tool names that require human approval before + requireApproval lists tool names that require human approval before execution. Each name must also appear in ToolNames. When a tool in this list is invoked by the agent, execution pauses and the user is prompted to approve or reject the call. @@ -13296,18 +13296,18 @@ spec: type: string sandbox: description: |- - Sandbox configures sandboxed execution behavior shared across runtimes. + sandbox configures sandboxed execution behavior shared across runtimes. This is intended for sandboxed declarative execution today, and can also be consumed by BYO agents. properties: network: description: |- - Network configures outbound network access for sandboxed execution paths. + network configures outbound network access for sandboxed execution paths. When unset or when allowedDomains is empty, outbound access is denied by default. properties: allowedDomains: description: |- - AllowedDomains lists the domains that sandboxed execution may contact. + allowedDomains lists the domains that sandboxed execution may contact. Wildcards such as *.example.com are supported by the sandbox runtime. items: type: string @@ -13316,7 +13316,7 @@ spec: type: object skills: description: |- - Skills to load into the agent. They will be pulled from the specified container images. + skills to load into the agent. They will be pulled from the specified container images. and made available to the agent under the `/skills` folder. properties: gitAuthSecretRef: @@ -13345,7 +13345,7 @@ spec: properties: name: description: |- - Name for the skill directory under /skills. If omitted, defaults to the last + name for the skill directory under /skills. If omitted, defaults to the last segment of Path when Path is set; otherwise defaults to the repo name (last URL path segment, without .git). type: string 
@@ -13361,7 +13361,7 @@ spec: SHA.' type: string url: - description: URL of the git repository (HTTPS or SSH). + description: url of the git repository (HTTPS or SSH). type: string required: - url @@ -13371,7 +13371,7 @@ spec: type: array imagePullSecrets: description: |- - ImagePullSecrets is a list of references to secrets in the same namespace to use for + imagePullSecrets is a list of references to secrets in the same namespace to use for pulling skill images from private registries. Each referenced secret must be of type kubernetes.io/dockerconfigjson. The credentials from all secrets are merged and made available to the skills-init container at /.kagent/.docker/config.json; krane will diff --git a/go/api/config/crd/bases/kagent.dev_modelconfigs.yaml b/go/api/config/crd/bases/kagent.dev_modelconfigs.yaml index ce185907d9..0badfec243 100644 --- a/go/api/config/crd/bases/kagent.dev_modelconfigs.yaml +++ b/go/api/config/crd/bases/kagent.dev_modelconfigs.yaml @@ -60,7 +60,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topK: description: Top-k sampling parameter @@ -126,7 +126,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topP: description: Top-p sampling parameter @@ -182,7 +182,7 @@ spec: type: string modelInfo: description: |- - ModelInfo contains information about the model. + modelInfo contains information about the model. This field is required if the model is not one of the pre-defined autogen models. That list can be found here: properties: 
@@ -203,12 +203,12 @@ spec: description: Ollama-specific configuration properties: host: - description: Host for the Ollama API + description: host for the Ollama API type: string options: additionalProperties: type: string - description: Options for the Ollama API + description: options for the Ollama API type: object type: object openAI: @@ -224,19 +224,19 @@ spec: description: Maximum tokens to generate type: integer "n": - description: N value + description: n value type: integer organization: - description: Organization ID for the OpenAI API + description: organization ID for the OpenAI API type: string presencePenalty: description: Presence penalty type: string seed: - description: Seed value + description: seed value type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string timeout: description: Timeout @@ -387,7 +387,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topK: description: Top-k sampling parameter @@ -428,7 +428,7 @@ spec: type: object apiKeyPassthrough: description: |- - APIKeyPassthrough enables forwarding the Bearer token from incoming A2A requests + apiKeyPassthrough enables forwarding the Bearer token from incoming A2A requests directly to the LLM provider as the API key. This is useful for organizations with federated identity that want to avoid separate secret management. Mutually exclusive with apiKeySecret. @@ -463,7 +463,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topP: description: Top-p sampling parameter 
@@ -477,7 +477,7 @@ spec: properties: additionalModelRequestFields: description: |- - AdditionalModelRequestFields passes model-specific parameters to Bedrock's + additionalModelRequestFields passes model-specific parameters to Bedrock's additionalModelRequestFields in the Converse API. Use this for provider-specific options that are not part of the standard InferenceConfiguration block, such as Claude extended thinking or top_k. Values are forwarded as-is to the API. @@ -539,12 +539,12 @@ spec: description: Ollama-specific configuration properties: host: - description: Host for the Ollama API + description: host for the Ollama API type: string options: additionalProperties: type: string - description: Options for the Ollama API + description: options for the Ollama API type: object type: object openAI: @@ -560,10 +560,10 @@ spec: description: Maximum tokens to generate type: integer "n": - description: N value + description: n value type: integer organization: - description: Organization ID for the OpenAI API + description: organization ID for the OpenAI API type: string presencePenalty: description: Presence penalty @@ -577,17 +577,17 @@ spec: - high type: string seed: - description: Seed value + description: seed value type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string timeout: description: Timeout type: integer tokenExchange: description: |- - TokenExchange configures dynamic bearer token acquisition via credential exchange. + tokenExchange configures dynamic bearer token acquisition via credential exchange. Requires apiKeySecret (used as the service account secret) and is mutually exclusive with apiKeyPassthrough. properties: gdchServiceAccount: 
@@ -595,7 +595,7 @@ spec: token exchange parameters. properties: audience: - description: Audience is the token exchange audience URL + description: audience is the token exchange audience URL (the GDC inference gateway base URL) type: string required: @@ -646,20 +646,20 @@ spec: type: object tls: description: |- - TLS configuration for provider connections. + tls configuration for provider connections. Enables agents to connect to internal LiteLLM gateways or other providers that use self-signed certificates or custom certificate authorities. properties: caCertSecretKey: description: |- - CACertSecretKey is the key within the Secret that contains the + caCertSecretKey is the key within the Secret that contains the CA certificate data (PEM-encoded). Required when CACertSecretRef is set — admission rejects ref-without-key regardless of DisableVerify (see the TLSConfig-level XValidation rules). type: string caCertSecretRef: description: |- - CACertSecretRef is a reference to a Kubernetes Secret containing + caCertSecretRef is a reference to a Kubernetes Secret containing CA certificate(s) in PEM format. The Secret must be in the same namespace as the resource referencing it (ModelConfig, RemoteMCPServer, or any future consumer of TLSConfig). @@ -669,7 +669,7 @@ spec: disableSystemCAs: default: false description: |- - DisableSystemCAs disables the use of system CA certificates. + disableSystemCAs disables the use of system CA certificates. When false (default), system CA certificates are used for verification (safe behavior). When true, only the custom CA from CACertSecretRef is trusted. This allows strict security policies where only corporate CAs should be trusted. 
@@ -677,7 +677,7 @@ spec: disableVerify: default: false description: |- - DisableVerify disables SSL certificate verification entirely. + disableVerify disables SSL certificate verification entirely. When false (default), SSL certificates are verified. When true, SSL certificate verification is disabled. WARNING: This should ONLY be used in development/testing environments. diff --git a/go/api/config/crd/bases/kagent.dev_modelproviderconfigs.yaml b/go/api/config/crd/bases/kagent.dev_modelproviderconfigs.yaml index 493e817e9e..cfcd519d76 100644 --- a/go/api/config/crd/bases/kagent.dev_modelproviderconfigs.yaml +++ b/go/api/config/crd/bases/kagent.dev_modelproviderconfigs.yaml @@ -63,24 +63,24 @@ spec: properties: endpoint: description: |- - Endpoint is the API endpoint URL for the provider. + endpoint is the API endpoint URL for the provider. If not specified, the default endpoint for the provider type will be used. pattern: ^https?://.* type: string secretRef: description: |- - SecretRef references the Kubernetes Secret containing the API key. + secretRef references the Kubernetes Secret containing the API key. Optional for providers that don't require authentication (e.g., local Ollama). properties: name: - description: Name is the name of the secret in the same namespace + description: name is the name of the secret in the same namespace as the ModelProviderConfig. type: string required: - name type: object type: - description: Type is the model provider type (OpenAI, Anthropic, etc.) + description: type is the model provider type (OpenAI, Anthropic, etc.) enum: - Anthropic - OpenAI 
@@ -107,7 +107,7 @@ spec: description: ModelProviderConfigStatus defines the observed state of ModelProviderConfig. properties: conditions: - description: Conditions represent the latest available observations + description: conditions represent the latest available observations of the ModelProviderConfig's state items: description: Condition contains details for one aspect of the current @@ -168,27 +168,27 @@ spec: - type x-kubernetes-list-type: map discoveredModels: - description: DiscoveredModels is the cached list of model IDs available + description: discoveredModels is the cached list of model IDs available from this model provider items: type: string type: array lastDiscoveryTime: - description: LastDiscoveryTime is the timestamp of the last successful + description: lastDiscoveryTime is the timestamp of the last successful model discovery format: date-time type: string modelCount: - description: ModelCount is the number of discovered models (for kubectl + description: modelCount is the number of discovered models (for kubectl display) type: integer observedGeneration: - description: ObservedGeneration reflects the generation of the most + description: observedGeneration reflects the generation of the most recently observed ModelProviderConfig spec format: int64 type: integer secretHash: - description: SecretHash is a hash of the referenced secret data, used + description: secretHash is a hash of the referenced secret data, used to detect secret changes type: string type: object diff --git a/go/api/config/crd/bases/kagent.dev_remotemcpservers.yaml b/go/api/config/crd/bases/kagent.dev_remotemcpservers.yaml index f21cf9fba5..6bca1527bc 100644 --- a/go/api/config/crd/bases/kagent.dev_remotemcpservers.yaml +++ b/go/api/config/crd/bases/kagent.dev_remotemcpservers.yaml 
@@ -55,7 +55,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. + allowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this RemoteMCPServer. See: https://gateway-api.sigs.k8s.io/guides/multiple-ns/#cross-namespace-route-attachment @@ -63,7 +63,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -75,7 +75,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: @@ -181,7 +181,7 @@ spec: type: string tls: description: |- - TLS configuration for the upstream MCP server connection. + tls configuration for the upstream MCP server connection. Use this for HTTPS upstreams that present a certificate the agent's system trust store does not include (corporate CA, self-signed cert on a test fixture, internal MCP gateway). Reuses the same TLSConfig 
@@ -197,14 +197,14 @@ spec: properties: caCertSecretKey: description: |- - CACertSecretKey is the key within the Secret that contains the + caCertSecretKey is the key within the Secret that contains the CA certificate data (PEM-encoded). Required when CACertSecretRef is set — admission rejects ref-without-key regardless of DisableVerify (see the TLSConfig-level XValidation rules). type: string caCertSecretRef: description: |- - CACertSecretRef is a reference to a Kubernetes Secret containing + caCertSecretRef is a reference to a Kubernetes Secret containing CA certificate(s) in PEM format. The Secret must be in the same namespace as the resource referencing it (ModelConfig, RemoteMCPServer, or any future consumer of TLSConfig). @@ -214,7 +214,7 @@ spec: disableSystemCAs: default: false description: |- - DisableSystemCAs disables the use of system CA certificates. + disableSystemCAs disables the use of system CA certificates. When false (default), system CA certificates are used for verification (safe behavior). When true, only the custom CA from CACertSecretRef is trusted. This allows strict security policies where only corporate CAs should be trusted. @@ -222,7 +222,7 @@ spec: disableVerify: default: false description: |- - DisableVerify disables SSL certificate verification entirely. + disableVerify disables SSL certificate verification entirely. When false (default), SSL certificates are verified. When true, SSL certificate verification is disabled. WARNING: This should ONLY be used in development/testing environments. @@ -334,7 +334,7 @@ spec: type: integer secretHash: description: |- - SecretHash stores a hash of the TLS Secret referenced by spec.tls so + secretHash stores a hash of the TLS Secret referenced by spec.tls so agents that consume this RemoteMCPServer can detect cert rotation and roll on the next reconcile. Empty when spec.tls.caCertSecretRef is unset. type: string 
diff --git a/go/api/config/crd/bases/kagent.dev_sandboxagents.yaml b/go/api/config/crd/bases/kagent.dev_sandboxagents.yaml index 78d1c5c90c..e831b74665 100644 --- a/go/api/config/crd/bases/kagent.dev_sandboxagents.yaml +++ b/go/api/config/crd/bases/kagent.dev_sandboxagents.yaml @@ -51,7 +51,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. + allowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this Agent as a tool. This field only applies when this Agent is used as a tool by another Agent. @@ -60,7 +60,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -72,7 +72,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: 
@@ -124,13 +124,13 @@ spec: rule: '!(self.from == ''Selector'' && !has(self.selector))' byo: description: |- - BYO configures a "bring your own" agent backed by a user-provided + byo configures a "bring your own" agent backed by a user-provided container image. Kagent deploys the image and expects it to serve the agent over the A2A protocol on port 8080. Required if type is BYO. properties: deployment: - description: Deployment configures the Kubernetes Deployment created + description: deployment configures the Kubernetes Deployment created for the BYO agent container. properties: affinity: @@ -1060,21 +1060,21 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object args: - description: Args are the arguments passed to the container + description: args are the arguments passed to the container entrypoint. items: type: string type: array cmd: - description: Cmd overrides the container entrypoint (the container's + description: cmd overrides the container entrypoint (the container's command). type: string env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -1234,7 +1234,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want 
@@ -2773,7 +2773,7 @@ spec: type: array image: description: |- - Image is the container image of the BYO agent. + image is the container image of the BYO agent. The image is expected to serve the agent over the A2A protocol on port 8080. minLength: 1 type: string @@ -2783,7 +2783,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -2805,13 +2805,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -3051,7 +3051,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer @@ -3311,7 +3311,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. 
@@ -3319,24 +3319,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -3376,7 +3376,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume @@ -3441,7 +3441,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that 
@@ -5371,13 +5371,13 @@ spec: type: object declarative: description: |- - Declarative configures an agent that is fully described by this resource + declarative configures an agent that is fully described by this resource (model, instructions, tools) and runs on one of kagent's built-in runtimes. Required if type is Declarative. properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at @@ -5390,37 +5390,37 @@ spec: or function of the agent. properties: description: - description: Description is an optional detailed description + description: description is an optional detailed description of the skill. type: string examples: - description: Examples are optional usage examples. + description: examples are optional usage examples. items: type: string maxItems: 20 type: array id: - description: ID is the unique identifier for the skill. + description: id is the unique identifier for the skill. type: string inputModes: - description: InputModes are the supported input MIME + description: inputModes are the supported input MIME types for this skill, overriding the agent's defaults. items: type: string type: array name: - description: Name is the human-readable name of the + description: name is the human-readable name of the skill. minLength: 1 type: string outputModes: - description: OutputModes are the supported output MIME + description: outputModes are the supported output MIME types for this skill, overriding the agent's defaults. items: type: string type: array tags: - description: Tags are optional tags for categorization. + description: tags are optional tags for categorization. items: type: string maxItems: 20 
@@ -5433,12 +5433,12 @@ spec: type: object context: description: |- - Context configures context management for this agent. + context configures context management for this agent. This includes event compaction (compression) and context caching. properties: compaction: description: |- - Compaction configures event history compaction. + compaction configures event history compaction. When enabled, older events in the conversation are compacted (compressed/summarized) to reduce context size while preserving key information. properties: @@ -5450,7 +5450,7 @@ spec: minimum: 1 type: integer eventRetentionSize: - description: EventRetentionSize is the number of most + description: eventRetentionSize is the number of most recent events to always retain. type: integer overlapSize: @@ -5463,18 +5463,18 @@ spec: type: integer summarizer: description: |- - Summarizer configures an LLM-based summarizer for event compaction. + summarizer configures an LLM-based summarizer for event compaction. If not specified, compacted events are dropped from the context without summarization. properties: modelConfig: description: |- - ModelConfig is the name of a ModelConfig resource to use for summarization. + modelConfig is the name of a ModelConfig resource to use for summarization. Must be in the same namespace as the Agent. If not specified, uses the agent's own model. type: string promptTemplate: description: |- - PromptTemplate is a custom prompt template for the summarizer. + promptTemplate is a custom prompt template for the summarizer. See the ADK LlmEventSummarizer for template details: https://github.com/google/adk-python/blob/main/src/google/adk/apps/llm_event_summarizer.py type: string 
@@ -6415,11 +6415,11 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -6579,7 +6579,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -8122,7 +8122,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -8146,13 +8146,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -8392,7 +8392,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer 
@@ -8652,7 +8652,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. @@ -8660,24 +8660,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -8717,7 +8717,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume 
@@ -8782,7 +8782,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that @@ -10713,16 +10713,16 @@ spec: due to a bug in adk (https://github.com/google/adk-python/issues/3921 ), this field is ignored for now. type: boolean memory: - description: Memory configuration for the agent. + description: memory configuration for the agent. properties: modelConfig: description: |- - ModelConfig is the name of the ModelConfig object whose embedding + modelConfig is the name of the ModelConfig object whose embedding provider will be used to generate memory vectors. type: string ttlDays: description: |- - TTLDays controls how many days a stored memory entry remains valid before + ttlDays controls how many days a stored memory entry remains valid before it is eligible for pruning. Defaults to 15 days when unset or zero. minimum: 1 type: integer @@ -10737,13 +10737,13 @@ spec: type: string promptTemplate: description: |- - PromptTemplate enables Go text/template processing on the systemMessage field. + promptTemplate enables Go text/template processing on the systemMessage field. When set, systemMessage is treated as a Go template with access to the include function and agent context variables. properties: dataSources: description: |- - DataSources defines the ConfigMaps whose keys can be included in the systemMessage + dataSources defines the ConfigMaps whose keys can be included in the systemMessage using Go template syntax, e.g. include("alias/key") or include("name/key"). items: description: |- @@ -10753,7 +10753,7 @@ spec: properties: alias: description: |- - Alias is an optional short identifier for use in include directives. + alias is an optional short identifier for use in include directives. If set, use include("alias/key") instead of include("name/key"). type: string apiGroup: 
@@ -10771,7 +10771,7 @@ spec: runtime: default: python description: |- - Runtime specifies which ADK implementation to use for this agent. + runtime specifies which ADK implementation to use for this agent. - "python": Uses the Python ADK (default, slower startup, full feature set) - "go": Uses the Go ADK (faster startup, most features supported) The runtime determines both the container image and readiness probe configuration. @@ -10786,14 +10786,14 @@ spec: type: boolean systemMessage: description: |- - SystemMessage is a string specifying the system message for the agent. + systemMessage is a string specifying the system message for the agent. When PromptTemplate is set, this field is treated as a Go text/template with access to an include("source/key") function and agent context variables such as .AgentName, .AgentNamespace, .Description, .ToolNames, and .SkillNames. type: string systemMessageFrom: description: |- - SystemMessageFrom is a reference to a ConfigMap or Secret containing the system message. + systemMessageFrom is a reference to a ConfigMap or Secret containing the system message. When PromptTemplate is set, the resolved value is treated as a Go text/template. properties: key: @@ -10832,7 +10832,7 @@ spec: type: object headersFrom: description: |- - HeadersFrom specifies a list of configuration values to be added as + headersFrom specifies a list of configuration values to be added as headers to requests sent to the Tool from this agent. The value of each header is resolved from either a Secret or ConfigMap in the same namespace as the Agent. Headers specified here will override any @@ -10878,7 +10878,7 @@ spec: properties: allowedHeaders: description: |- - AllowedHeaders specifies which headers from the A2A request should be + allowedHeaders specifies which headers from the A2A request should be propagated to MCP tool calls. Header names are case-insensitive. Authorization header behavior: 
@@ -10902,7 +10902,7 @@ spec: type: string requireApproval: description: |- - RequireApproval lists tool names that require human approval before + requireApproval lists tool names that require human approval before execution. Each name must also appear in ToolNames. When a tool in this list is invoked by the agent, execution pauses and the user is prompted to approve or reject the call. @@ -10954,18 +10954,18 @@ spec: type: string sandbox: description: |- - Sandbox configures sandboxed execution behavior shared across runtimes. + sandbox configures sandboxed execution behavior shared across runtimes. This is intended for sandboxed declarative execution today, and can also be consumed by BYO agents. properties: network: description: |- - Network configures outbound network access for sandboxed execution paths. + network configures outbound network access for sandboxed execution paths. When unset or when allowedDomains is empty, outbound access is denied by default. properties: allowedDomains: description: |- - AllowedDomains lists the domains that sandboxed execution may contact. + allowedDomains lists the domains that sandboxed execution may contact. Wildcards such as *.example.com are supported by the sandbox runtime. items: type: string @@ -10974,7 +10974,7 @@ spec: type: object skills: description: |- - Skills to load into the agent. They will be pulled from the specified container images. + skills to load into the agent. They will be pulled from the specified container images. and made available to the agent under the `/skills` folder. properties: gitAuthSecretRef: @@ -11003,7 +11003,7 @@ spec: properties: name: description: |- - Name for the skill directory under /skills. If omitted, defaults to the last + name for the skill directory under /skills. If omitted, defaults to the last segment of Path when Path is set; otherwise defaults to the repo name (last URL path segment, without .git). type: string 
@@ -11019,7 +11019,7 @@ spec: SHA.' type: string url: - description: URL of the git repository (HTTPS or SSH). + description: url of the git repository (HTTPS or SSH). type: string required: - url @@ -11029,7 +11029,7 @@ spec: type: array imagePullSecrets: description: |- - ImagePullSecrets is a list of references to secrets in the same namespace to use for + imagePullSecrets is a list of references to secrets in the same namespace to use for pulling skill images from private registries. Each referenced secret must be of type kubernetes.io/dockerconfigjson. The credentials from all secrets are merged and made available to the skills-init container at /.kagent/.docker/config.json; krane will From bee5af8d4a30a00cc2ebd01f0ba7f3ff4b8f4908 Mon Sep 17 00:00:00 2001 From: dongjiang Date: Tue, 9 Jun 2026 17:46:00 +0800 Subject: [PATCH 3/3] fix make controller-manifests Signed-off-by: dongjiang --- .../templates/kagent.dev_agentharnesses.yaml | 54 +++---- .../templates/kagent.dev_agents.yaml | 142 +++++++++--------- .../templates/kagent.dev_modelconfigs.yaml | 52 +++---- .../kagent.dev_modelproviderconfigs.yaml | 20 +-- .../kagent.dev_remotemcpservers.yaml | 18 +-- .../templates/kagent.dev_sandboxagents.yaml | 140 ++++++++--------- 6 files changed, 213 insertions(+), 213 deletions(-) diff --git a/helm/kagent-crds/templates/kagent.dev_agentharnesses.yaml b/helm/kagent-crds/templates/kagent.dev_agentharnesses.yaml index 9c4c1ee2a6..0b820b66b3 100644 --- a/helm/kagent-crds/templates/kagent.dev_agentharnesses.yaml +++ b/helm/kagent-crds/templates/kagent.dev_agentharnesses.yaml 
@@ -68,26 +68,26 @@ spec: ready to accept incoming commands. properties: backend: - description: Backend selects the control plane to use. Required. + description: backend selects the control plane to use. Required. enum: - openclaw - nemoclaw - hermes type: string channels: - description: Channels configures Telegram and Slack integrations for + description: channels configures Telegram and Slack integrations for OpenClaw inside the harness VM. items: description: AgentHarnessChannel declares one messenger binding inside a harness VM. properties: name: - description: Name is a stable id for this binding (OpenClaw + description: name is a stable id for this binding (OpenClaw channels.*.accounts key). minLength: 1 type: string slack: - description: Slack configures Slack when type is Slack. + description: slack configures Slack when type is Slack. properties: appToken: description: AgentHarnessChannelCredential supplies a token @@ -158,10 +158,10 @@ spec: rule: (has(self.value) && !has(self.valueFrom)) || (!has(self.value) && has(self.valueFrom)) hermes: - description: Hermes configures Hermes-specific Slack settings. + description: hermes configures Hermes-specific Slack settings. properties: allowedUserIDs: - description: AllowedUserIDs restricts which Slack member + description: allowedUserIDs restricts which Slack member IDs may interact with the bot (SLACK_ALLOWED_USERS). items: type: string @@ -190,11 +190,11 @@ spec: - type type: object homeChannel: - description: HomeChannel is the default Slack channel + description: homeChannel is the default Slack channel ID for cron/scheduled messages (SLACK_HOME_CHANNEL). type: string homeChannelName: - description: HomeChannelName is a human-readable label + description: homeChannelName is a human-readable label for HomeChannel (SLACK_HOME_CHANNEL_NAME). type: string type: object 
@@ -203,11 +203,11 @@ spec: exclusive rule: '!(size(self.allowedUserIDs) > 0 && has(self.allowedUserIDsFrom))' openclaw: - description: OpenClaw configures OpenClaw/NemoClaw-specific + description: openclaw configures OpenClaw/NemoClaw-specific Slack routing. properties: allowlistChannels: - description: AllowlistChannels is required when channelAccess + description: allowlistChannels is required when channelAccess is allowlist. items: type: string @@ -326,12 +326,12 @@ spec: maxItems: 1024 type: array description: - description: Description is a short human-readable summary shown in + description: description is a short human-readable summary shown in the UI (e.g. agents list). type: string env: description: |- - Env is a list of environment variables injected into the harness workload. + env is a list of environment variables injected into the harness workload. Values use the Kubernetes EnvVar shape; ValueFrom references are resolved server-side where supported. items: 
@@ -491,24 +491,24 @@ spec: type: array image: description: |- - Image is the container image to run in the harness VM, if the backend + image is the container image to run in the harness VM, if the backend supports per-resource images. Backends openclaw and nemoclaw pin the image to the NemoClaw sandbox base when this field is empty; backend hermes pins to the Hermes sandbox base image when empty. type: string modelConfigRef: description: |- - ModelConfigRef is the reference to the ModelConfig used to configure the harness. + modelConfigRef is the reference to the ModelConfig used to configure the harness. The controller registers the gateway provider and, after the harness is Ready, writes OpenClaw config inside the VM (~/.openclaw/openclaw.json) and starts the gateway. type: string network: description: |- - Network controls outbound access from the harness. When unset, + network controls outbound access from the harness. When unset, backend defaults apply. properties: allowedDomains: - description: AllowedDomains is a list of DNS names the harness + description: allowedDomains is a list of DNS names the harness may reach. items: type: string 
@@ -516,24 +516,24 @@ spec: type: object runtime: default: openshell - description: Runtime selects the harness provisioning stack. Defaults + description: runtime selects the harness provisioning stack. Defaults to openshell when unset. enum: - openshell - substrate type: string substrate: - description: Substrate is required when runtime is substrate. + description: substrate is required when runtime is substrate. properties: gatewayToken: description: |- - GatewayToken is the OpenClaw gateway Bearer token for this harness. + gatewayToken is the OpenClaw gateway Bearer token for this harness. Prefer gatewayTokenSecretRef for production secrets. minLength: 1 type: string gatewayTokenSecretRef: description: |- - GatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. + gatewayTokenSecretRef references a Secret key holding the OpenClaw gateway Bearer token. The Secret must contain a "token" key. properties: apiGroup: @@ -547,12 +547,12 @@ spec: type: object snapshotsConfig: description: |- - SnapshotsConfig configures actor memory snapshots. Defaults to + snapshotsConfig configures actor memory snapshots. Defaults to gs://ate-snapshots// when unset. properties: location: description: |- - Location is the GCS URI prefix for golden and incremental snapshots. + location is the GCS URI prefix for golden and incremental snapshots. Example: gs://ate-snapshots/kagent/my-namespace/my-harness/ pattern: ^gs:// type: string @@ -561,7 +561,7 @@ spec: type: object workerPoolRef: description: |- - WorkerPoolRef references an existing ate.dev WorkerPool in the harness namespace. + workerPoolRef references an existing ate.dev WorkerPool in the harness namespace. When unset, the controller uses its configured default WorkerPool. properties: apiGroup: 
@@ -574,7 +574,7 @@ spec: - name type: object workloadImage: - description: WorkloadImage overrides the default nemoclaw/openclaw + description: workloadImage overrides the default nemoclaw/openclaw sandbox image in the ActorTemplate. type: string type: object @@ -601,7 +601,7 @@ spec: properties: backendRef: description: |- - BackendRef points at the harness instance on the backend control + backendRef points at the harness instance on the backend control plane, once Ensure has succeeded at least once. properties: backend: @@ -676,12 +676,12 @@ spec: type: object type: array connection: - description: Connection is populated by the controller when the harness + description: connection is populated by the controller when the harness is ready. properties: endpoint: description: |- - Endpoint is the backend-specific address (gRPC target, SSH host:port, + endpoint is the backend-specific address (gRPC target, SSH host:port, ...) clients should use to reach the harness. type: string type: object diff --git a/helm/kagent-crds/templates/kagent.dev_agents.yaml b/helm/kagent-crds/templates/kagent.dev_agents.yaml index 8338f8e182..39e9c11aa3 100644 --- a/helm/kagent-crds/templates/kagent.dev_agents.yaml +++ b/helm/kagent-crds/templates/kagent.dev_agents.yaml @@ -56,7 +56,7 @@ spec: properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at 
@@ -2393,7 +2393,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. + allowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this Agent as a tool. This field only applies when this Agent is used as a tool by another Agent. @@ -2402,7 +2402,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -2414,7 +2414,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: @@ -2466,13 +2466,13 @@ spec: rule: '!(self.from == ''Selector'' && !has(self.selector))' byo: description: |- - BYO configures a "bring your own" agent backed by a user-provided + byo configures a "bring your own" agent backed by a user-provided container image. Kagent deploys the image and expects it to serve the agent over the A2A protocol on port 8080. Required if type is BYO. properties: deployment: - description: Deployment configures the Kubernetes Deployment created + description: deployment configures the Kubernetes Deployment created for the BYO agent container. properties: affinity: 
@@ -3402,21 +3402,21 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object args: - description: Args are the arguments passed to the container + description: args are the arguments passed to the container entrypoint. items: type: string type: array cmd: - description: Cmd overrides the container entrypoint (the container's + description: cmd overrides the container entrypoint (the container's command). type: string env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -3576,7 +3576,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -5115,7 +5115,7 @@ spec: type: array image: description: |- - Image is the container image of the BYO agent. + image is the container image of the BYO agent. The image is expected to serve the agent over the A2A protocol on port 8080. minLength: 1 type: string @@ -5125,7 +5125,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- 
@@ -5147,13 +5147,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -5393,7 +5393,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer @@ -5653,7 +5653,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. 
@@ -5661,24 +5661,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -5718,7 +5718,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume @@ -5783,7 +5783,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that 
@@ -7713,13 +7713,13 @@ spec: type: object declarative: description: |- - Declarative configures an agent that is fully described by this resource + declarative configures an agent that is fully described by this resource (model, instructions, tools) and runs on one of kagent's built-in runtimes. Required if type is Declarative. properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at @@ -7732,37 +7732,37 @@ spec: or function of the agent. properties: description: - description: Description is an optional detailed description + description: description is an optional detailed description of the skill. type: string examples: - description: Examples are optional usage examples. + description: examples are optional usage examples. items: type: string maxItems: 20 type: array id: - description: ID is the unique identifier for the skill. + description: id is the unique identifier for the skill. type: string inputModes: - description: InputModes are the supported input MIME + description: inputModes are the supported input MIME types for this skill, overriding the agent's defaults. items: type: string type: array name: - description: Name is the human-readable name of the + description: name is the human-readable name of the skill. minLength: 1 type: string outputModes: - description: OutputModes are the supported output MIME + description: outputModes are the supported output MIME types for this skill, overriding the agent's defaults. items: type: string type: array tags: - description: Tags are optional tags for categorization. + description: tags are optional tags for categorization. items: type: string maxItems: 20 
@@ -7775,12 +7775,12 @@ spec: type: object context: description: |- - Context configures context management for this agent. + context configures context management for this agent. This includes event compaction (compression) and context caching. properties: compaction: description: |- - Compaction configures event history compaction. + compaction configures event history compaction. When enabled, older events in the conversation are compacted (compressed/summarized) to reduce context size while preserving key information. properties: @@ -7792,7 +7792,7 @@ spec: minimum: 1 type: integer eventRetentionSize: - description: EventRetentionSize is the number of most + description: eventRetentionSize is the number of most recent events to always retain. type: integer overlapSize: @@ -7805,18 +7805,18 @@ spec: type: integer summarizer: description: |- - Summarizer configures an LLM-based summarizer for event compaction. + summarizer configures an LLM-based summarizer for event compaction. If not specified, compacted events are dropped from the context without summarization. properties: modelConfig: description: |- - ModelConfig is the name of a ModelConfig resource to use for summarization. + modelConfig is the name of a ModelConfig resource to use for summarization. Must be in the same namespace as the Agent. If not specified, uses the agent's own model. type: string promptTemplate: description: |- - PromptTemplate is a custom prompt template for the summarizer. + promptTemplate is a custom prompt template for the summarizer. See the ADK LlmEventSummarizer for template details: https://github.com/google/adk-python/blob/main/src/google/adk/apps/llm_event_summarizer.py type: string 
@@ -8757,11 +8757,11 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -8921,7 +8921,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -10464,7 +10464,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -10488,13 +10488,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -10734,7 +10734,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer 
@@ -10994,7 +10994,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. @@ -11002,24 +11002,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -11059,7 +11059,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume 
@@ -11124,7 +11124,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that @@ -13055,16 +13055,16 @@ spec: due to a bug in adk (https://github.com/google/adk-python/issues/3921 ), this field is ignored for now. type: boolean memory: - description: Memory configuration for the agent. + description: memory configuration for the agent. properties: modelConfig: description: |- - ModelConfig is the name of the ModelConfig object whose embedding + modelConfig is the name of the ModelConfig object whose embedding provider will be used to generate memory vectors. type: string ttlDays: description: |- - TTLDays controls how many days a stored memory entry remains valid before + ttlDays controls how many days a stored memory entry remains valid before it is eligible for pruning. Defaults to 15 days when unset or zero. minimum: 1 type: integer @@ -13079,13 +13079,13 @@ spec: type: string promptTemplate: description: |- - PromptTemplate enables Go text/template processing on the systemMessage field. + promptTemplate enables Go text/template processing on the systemMessage field. When set, systemMessage is treated as a Go template with access to the include function and agent context variables. properties: dataSources: description: |- - DataSources defines the ConfigMaps whose keys can be included in the systemMessage + dataSources defines the ConfigMaps whose keys can be included in the systemMessage using Go template syntax, e.g. include("alias/key") or include("name/key"). items: description: |- @@ -13095,7 +13095,7 @@ spec: properties: alias: description: |- - Alias is an optional short identifier for use in include directives. + alias is an optional short identifier for use in include directives. If set, use include("alias/key") instead of include("name/key"). type: string apiGroup: 
@@ -13113,7 +13113,7 @@ spec: runtime: default: python description: |- - Runtime specifies which ADK implementation to use for this agent. + runtime specifies which ADK implementation to use for this agent. - "python": Uses the Python ADK (default, slower startup, full feature set) - "go": Uses the Go ADK (faster startup, most features supported) The runtime determines both the container image and readiness probe configuration. @@ -13128,14 +13128,14 @@ spec: type: boolean systemMessage: description: |- - SystemMessage is a string specifying the system message for the agent. + systemMessage is a string specifying the system message for the agent. When PromptTemplate is set, this field is treated as a Go text/template with access to an include("source/key") function and agent context variables such as .AgentName, .AgentNamespace, .Description, .ToolNames, and .SkillNames. type: string systemMessageFrom: description: |- - SystemMessageFrom is a reference to a ConfigMap or Secret containing the system message. + systemMessageFrom is a reference to a ConfigMap or Secret containing the system message. When PromptTemplate is set, the resolved value is treated as a Go text/template. properties: key: @@ -13174,7 +13174,7 @@ spec: type: object headersFrom: description: |- - HeadersFrom specifies a list of configuration values to be added as + headersFrom specifies a list of configuration values to be added as headers to requests sent to the Tool from this agent. The value of each header is resolved from either a Secret or ConfigMap in the same namespace as the Agent. Headers specified here will override any @@ -13220,7 +13220,7 @@ spec: properties: allowedHeaders: description: |- - AllowedHeaders specifies which headers from the A2A request should be + allowedHeaders specifies which headers from the A2A request should be propagated to MCP tool calls. Header names are case-insensitive. Authorization header behavior: 
@@ -13244,7 +13244,7 @@ spec: type: string requireApproval: description: |- - RequireApproval lists tool names that require human approval before + requireApproval lists tool names that require human approval before execution. Each name must also appear in ToolNames. When a tool in this list is invoked by the agent, execution pauses and the user is prompted to approve or reject the call. @@ -13296,18 +13296,18 @@ spec: type: string sandbox: description: |- - Sandbox configures sandboxed execution behavior shared across runtimes. + sandbox configures sandboxed execution behavior shared across runtimes. This is intended for sandboxed declarative execution today, and can also be consumed by BYO agents. properties: network: description: |- - Network configures outbound network access for sandboxed execution paths. + network configures outbound network access for sandboxed execution paths. When unset or when allowedDomains is empty, outbound access is denied by default. properties: allowedDomains: description: |- - AllowedDomains lists the domains that sandboxed execution may contact. + allowedDomains lists the domains that sandboxed execution may contact. Wildcards such as *.example.com are supported by the sandbox runtime. items: type: string @@ -13316,7 +13316,7 @@ spec: type: object skills: description: |- - Skills to load into the agent. They will be pulled from the specified container images. + skills to load into the agent. They will be pulled from the specified container images. and made available to the agent under the `/skills` folder. properties: gitAuthSecretRef: @@ -13345,7 +13345,7 @@ spec: properties: name: description: |- - Name for the skill directory under /skills. If omitted, defaults to the last + name for the skill directory under /skills. If omitted, defaults to the last segment of Path when Path is set; otherwise defaults to the repo name (last URL path segment, without .git). type: string 
@@ -13361,7 +13361,7 @@ spec: SHA.' type: string url: - description: URL of the git repository (HTTPS or SSH). + description: url of the git repository (HTTPS or SSH). type: string required: - url @@ -13371,7 +13371,7 @@ spec: type: array imagePullSecrets: description: |- - ImagePullSecrets is a list of references to secrets in the same namespace to use for + imagePullSecrets is a list of references to secrets in the same namespace to use for pulling skill images from private registries. Each referenced secret must be of type kubernetes.io/dockerconfigjson. The credentials from all secrets are merged and made available to the skills-init container at /.kagent/.docker/config.json; krane will diff --git a/helm/kagent-crds/templates/kagent.dev_modelconfigs.yaml b/helm/kagent-crds/templates/kagent.dev_modelconfigs.yaml index ce185907d9..0badfec243 100644 --- a/helm/kagent-crds/templates/kagent.dev_modelconfigs.yaml +++ b/helm/kagent-crds/templates/kagent.dev_modelconfigs.yaml @@ -60,7 +60,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topK: description: Top-k sampling parameter @@ -126,7 +126,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topP: description: Top-p sampling parameter @@ -182,7 +182,7 @@ spec: type: string modelInfo: description: |- - ModelInfo contains information about the model. + modelInfo contains information about the model. This field is required if the model is not one of the pre-defined autogen models. That list can be found here: properties: 
@@ -203,12 +203,12 @@ spec: description: Ollama-specific configuration properties: host: - description: Host for the Ollama API + description: host for the Ollama API type: string options: additionalProperties: type: string - description: Options for the Ollama API + description: options for the Ollama API type: object type: object openAI: @@ -224,19 +224,19 @@ spec: description: Maximum tokens to generate type: integer "n": - description: N value + description: n value type: integer organization: - description: Organization ID for the OpenAI API + description: organization ID for the OpenAI API type: string presencePenalty: description: Presence penalty type: string seed: - description: Seed value + description: seed value type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string timeout: description: Timeout @@ -387,7 +387,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topK: description: Top-k sampling parameter @@ -428,7 +428,7 @@ spec: type: object apiKeyPassthrough: description: |- - APIKeyPassthrough enables forwarding the Bearer token from incoming A2A requests + apiKeyPassthrough enables forwarding the Bearer token from incoming A2A requests directly to the LLM provider as the API key. This is useful for organizations with federated identity that want to avoid separate secret management. Mutually exclusive with apiKeySecret. @@ -463,7 +463,7 @@ spec: description: Maximum tokens to generate type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string topP: description: Top-p sampling parameter 
@@ -477,7 +477,7 @@ spec: properties: additionalModelRequestFields: description: |- - AdditionalModelRequestFields passes model-specific parameters to Bedrock's + additionalModelRequestFields passes model-specific parameters to Bedrock's additionalModelRequestFields in the Converse API. Use this for provider-specific options that are not part of the standard InferenceConfiguration block, such as Claude extended thinking or top_k. Values are forwarded as-is to the API. @@ -539,12 +539,12 @@ spec: description: Ollama-specific configuration properties: host: - description: Host for the Ollama API + description: host for the Ollama API type: string options: additionalProperties: type: string - description: Options for the Ollama API + description: options for the Ollama API type: object type: object openAI: @@ -560,10 +560,10 @@ spec: description: Maximum tokens to generate type: integer "n": - description: N value + description: n value type: integer organization: - description: Organization ID for the OpenAI API + description: organization ID for the OpenAI API type: string presencePenalty: description: Presence penalty @@ -577,17 +577,17 @@ spec: - high type: string seed: - description: Seed value + description: seed value type: integer temperature: - description: Temperature for sampling + description: temperature for sampling type: string timeout: description: Timeout type: integer tokenExchange: description: |- - TokenExchange configures dynamic bearer token acquisition via credential exchange. + tokenExchange configures dynamic bearer token acquisition via credential exchange. Requires apiKeySecret (used as the service account secret) and is mutually exclusive with apiKeyPassthrough. properties: gdchServiceAccount: 
@@ -595,7 +595,7 @@ spec: token exchange parameters. properties: audience: - description: Audience is the token exchange audience URL + description: audience is the token exchange audience URL (the GDC inference gateway base URL) type: string required: @@ -646,20 +646,20 @@ spec: type: object tls: description: |- - TLS configuration for provider connections. + tls configuration for provider connections. Enables agents to connect to internal LiteLLM gateways or other providers that use self-signed certificates or custom certificate authorities. properties: caCertSecretKey: description: |- - CACertSecretKey is the key within the Secret that contains the + caCertSecretKey is the key within the Secret that contains the CA certificate data (PEM-encoded). Required when CACertSecretRef is set — admission rejects ref-without-key regardless of DisableVerify (see the TLSConfig-level XValidation rules). type: string caCertSecretRef: description: |- - CACertSecretRef is a reference to a Kubernetes Secret containing + caCertSecretRef is a reference to a Kubernetes Secret containing CA certificate(s) in PEM format. The Secret must be in the same namespace as the resource referencing it (ModelConfig, RemoteMCPServer, or any future consumer of TLSConfig). @@ -669,7 +669,7 @@ spec: disableSystemCAs: default: false description: |- - DisableSystemCAs disables the use of system CA certificates. + disableSystemCAs disables the use of system CA certificates. When false (default), system CA certificates are used for verification (safe behavior). When true, only the custom CA from CACertSecretRef is trusted. This allows strict security policies where only corporate CAs should be trusted. 
@@ -677,7 +677,7 @@ spec: disableVerify: default: false description: |- - DisableVerify disables SSL certificate verification entirely. + disableVerify disables SSL certificate verification entirely. When false (default), SSL certificates are verified. When true, SSL certificate verification is disabled. WARNING: This should ONLY be used in development/testing environments. diff --git a/helm/kagent-crds/templates/kagent.dev_modelproviderconfigs.yaml b/helm/kagent-crds/templates/kagent.dev_modelproviderconfigs.yaml index 493e817e9e..cfcd519d76 100644 --- a/helm/kagent-crds/templates/kagent.dev_modelproviderconfigs.yaml +++ b/helm/kagent-crds/templates/kagent.dev_modelproviderconfigs.yaml @@ -63,24 +63,24 @@ spec: properties: endpoint: description: |- - Endpoint is the API endpoint URL for the provider. + endpoint is the API endpoint URL for the provider. If not specified, the default endpoint for the provider type will be used. pattern: ^https?://.* type: string secretRef: description: |- - SecretRef references the Kubernetes Secret containing the API key. + secretRef references the Kubernetes Secret containing the API key. Optional for providers that don't require authentication (e.g., local Ollama). properties: name: - description: Name is the name of the secret in the same namespace + description: name is the name of the secret in the same namespace as the ModelProviderConfig. type: string required: - name type: object type: - description: Type is the model provider type (OpenAI, Anthropic, etc.) + description: type is the model provider type (OpenAI, Anthropic, etc.) enum: - Anthropic - OpenAI 
@@ -107,7 +107,7 @@ spec: description: ModelProviderConfigStatus defines the observed state of ModelProviderConfig. properties: conditions: - description: Conditions represent the latest available observations + description: conditions represent the latest available observations of the ModelProviderConfig's state items: description: Condition contains details for one aspect of the current @@ -168,27 +168,27 @@ spec: - type x-kubernetes-list-type: map discoveredModels: - description: DiscoveredModels is the cached list of model IDs available + description: discoveredModels is the cached list of model IDs available from this model provider items: type: string type: array lastDiscoveryTime: - description: LastDiscoveryTime is the timestamp of the last successful + description: lastDiscoveryTime is the timestamp of the last successful model discovery format: date-time type: string modelCount: - description: ModelCount is the number of discovered models (for kubectl + description: modelCount is the number of discovered models (for kubectl display) type: integer observedGeneration: - description: ObservedGeneration reflects the generation of the most + description: observedGeneration reflects the generation of the most recently observed ModelProviderConfig spec format: int64 type: integer secretHash: - description: SecretHash is a hash of the referenced secret data, used + description: secretHash is a hash of the referenced secret data, used to detect secret changes type: string type: object diff --git a/helm/kagent-crds/templates/kagent.dev_remotemcpservers.yaml b/helm/kagent-crds/templates/kagent.dev_remotemcpservers.yaml index f21cf9fba5..6bca1527bc 100644 --- a/helm/kagent-crds/templates/kagent.dev_remotemcpservers.yaml +++ b/helm/kagent-crds/templates/kagent.dev_remotemcpservers.yaml 
@@ -55,7 +55,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. + allowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this RemoteMCPServer. See: https://gateway-api.sigs.k8s.io/guides/multiple-ns/#cross-namespace-route-attachment @@ -63,7 +63,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -75,7 +75,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: @@ -181,7 +181,7 @@ spec: type: string tls: description: |- - TLS configuration for the upstream MCP server connection. + tls configuration for the upstream MCP server connection. Use this for HTTPS upstreams that present a certificate the agent's system trust store does not include (corporate CA, self-signed cert on a test fixture, internal MCP gateway). Reuses the same TLSConfig 
@@ -197,14 +197,14 @@ spec: properties: caCertSecretKey: description: |- - CACertSecretKey is the key within the Secret that contains the + caCertSecretKey is the key within the Secret that contains the CA certificate data (PEM-encoded). Required when CACertSecretRef is set — admission rejects ref-without-key regardless of DisableVerify (see the TLSConfig-level XValidation rules). type: string caCertSecretRef: description: |- - CACertSecretRef is a reference to a Kubernetes Secret containing + caCertSecretRef is a reference to a Kubernetes Secret containing CA certificate(s) in PEM format. The Secret must be in the same namespace as the resource referencing it (ModelConfig, RemoteMCPServer, or any future consumer of TLSConfig). @@ -214,7 +214,7 @@ spec: disableSystemCAs: default: false description: |- - DisableSystemCAs disables the use of system CA certificates. + disableSystemCAs disables the use of system CA certificates. When false (default), system CA certificates are used for verification (safe behavior). When true, only the custom CA from CACertSecretRef is trusted. This allows strict security policies where only corporate CAs should be trusted. @@ -222,7 +222,7 @@ spec: disableVerify: default: false description: |- - DisableVerify disables SSL certificate verification entirely. + disableVerify disables SSL certificate verification entirely. When false (default), SSL certificates are verified. When true, SSL certificate verification is disabled. WARNING: This should ONLY be used in development/testing environments. @@ -334,7 +334,7 @@ spec: type: integer secretHash: description: |- - SecretHash stores a hash of the TLS Secret referenced by spec.tls so + secretHash stores a hash of the TLS Secret referenced by spec.tls so agents that consume this RemoteMCPServer can detect cert rotation and roll on the next reconcile. Empty when spec.tls.caCertSecretRef is unset. type: string 
diff --git a/helm/kagent-crds/templates/kagent.dev_sandboxagents.yaml b/helm/kagent-crds/templates/kagent.dev_sandboxagents.yaml index 78d1c5c90c..e831b74665 100644 --- a/helm/kagent-crds/templates/kagent.dev_sandboxagents.yaml +++ b/helm/kagent-crds/templates/kagent.dev_sandboxagents.yaml @@ -51,7 +51,7 @@ spec: properties: allowedNamespaces: description: |- - AllowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. + allowedNamespaces defines which namespaces are allowed to reference this Agent as a tool. This follows the Gateway API pattern for cross-namespace route attachments. If not specified, only Agents in the same namespace can reference this Agent as a tool. This field only applies when this Agent is used as a tool by another Agent. @@ -60,7 +60,7 @@ spec: from: default: Same description: |- - From indicates where references to this resource can originate. + from indicates where references to this resource can originate. Possible values are: * All: References from all namespaces are allowed. * Same: Only references from the same namespace are allowed (default). @@ -72,7 +72,7 @@ spec: type: string selector: description: |- - Selector is a label selector for namespaces that are allowed to reference this resource. + selector is a label selector for namespaces that are allowed to reference this resource. Only used when From is set to "Selector". properties: matchExpressions: 
@@ -124,13 +124,13 @@ spec: rule: '!(self.from == ''Selector'' && !has(self.selector))' byo: description: |- - BYO configures a "bring your own" agent backed by a user-provided + byo configures a "bring your own" agent backed by a user-provided container image. Kagent deploys the image and expects it to serve the agent over the A2A protocol on port 8080. Required if type is BYO. properties: deployment: - description: Deployment configures the Kubernetes Deployment created + description: deployment configures the Kubernetes Deployment created for the BYO agent container. properties: affinity: @@ -1060,21 +1060,21 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object args: - description: Args are the arguments passed to the container + description: args are the arguments passed to the container entrypoint. items: type: string type: array cmd: - description: Cmd overrides the container entrypoint (the container's + description: cmd overrides the container entrypoint (the container's command). type: string env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -1234,7 +1234,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want 
@@ -2773,7 +2773,7 @@ spec: type: array image: description: |- - Image is the container image of the BYO agent. + image is the container image of the BYO agent. The image is expected to serve the agent over the A2A protocol on port 8080. minLength: 1 type: string @@ -2783,7 +2783,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -2805,13 +2805,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -3051,7 +3051,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer @@ -3311,7 +3311,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. 
@@ -3319,24 +3319,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -3376,7 +3376,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume @@ -3441,7 +3441,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that 
@@ -5371,13 +5371,13 @@ spec: type: object declarative: description: |- - Declarative configures an agent that is fully described by this resource + declarative configures an agent that is fully described by this resource (model, instructions, tools) and runs on one of kagent's built-in runtimes. Required if type is Declarative. properties: a2aConfig: description: |- - A2AConfig instantiates an A2A server for this agent, + a2aConfig instantiates an A2A server for this agent, served on the HTTP port of the kagent kubernetes controller (default 8083). The A2A server URL will be served at @@ -5390,37 +5390,37 @@ spec: or function of the agent. properties: description: - description: Description is an optional detailed description + description: description is an optional detailed description of the skill. type: string examples: - description: Examples are optional usage examples. + description: examples are optional usage examples. items: type: string maxItems: 20 type: array id: - description: ID is the unique identifier for the skill. + description: id is the unique identifier for the skill. type: string inputModes: - description: InputModes are the supported input MIME + description: inputModes are the supported input MIME types for this skill, overriding the agent's defaults. items: type: string type: array name: - description: Name is the human-readable name of the + description: name is the human-readable name of the skill. minLength: 1 type: string outputModes: - description: OutputModes are the supported output MIME + description: outputModes are the supported output MIME types for this skill, overriding the agent's defaults. items: type: string type: array tags: - description: Tags are optional tags for categorization. + description: tags are optional tags for categorization. items: type: string maxItems: 20 
@@ -5433,12 +5433,12 @@ spec: type: object context: description: |- - Context configures context management for this agent. + context configures context management for this agent. This includes event compaction (compression) and context caching. properties: compaction: description: |- - Compaction configures event history compaction. + compaction configures event history compaction. When enabled, older events in the conversation are compacted (compressed/summarized) to reduce context size while preserving key information. properties: @@ -5450,7 +5450,7 @@ spec: minimum: 1 type: integer eventRetentionSize: - description: EventRetentionSize is the number of most + description: eventRetentionSize is the number of most recent events to always retain. type: integer overlapSize: @@ -5463,18 +5463,18 @@ spec: type: integer summarizer: description: |- - Summarizer configures an LLM-based summarizer for event compaction. + summarizer configures an LLM-based summarizer for event compaction. If not specified, compacted events are dropped from the context without summarization. properties: modelConfig: description: |- - ModelConfig is the name of a ModelConfig resource to use for summarization. + modelConfig is the name of a ModelConfig resource to use for summarization. Must be in the same namespace as the Agent. If not specified, uses the agent's own model. type: string promptTemplate: description: |- - PromptTemplate is a custom prompt template for the summarizer. + promptTemplate is a custom prompt template for the summarizer. See the ADK LlmEventSummarizer for template details: https://github.com/google/adk-python/blob/main/src/google/adk/apps/llm_event_summarizer.py type: string 
@@ -6415,11 +6415,11 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the agent pods. type: object env: - description: Env are additional environment variables set + description: env are additional environment variables set on the agent container. items: description: EnvVar represents an environment variable present @@ -6579,7 +6579,7 @@ spec: type: array extraContainers: description: |- - ExtraContainers is a list of additional containers to run alongside the main agent container. + extraContainers is a list of additional containers to run alongside the main agent container. Useful for sidecars such as token proxies, log shippers, or security agents. items: description: A single application container that you want @@ -8122,7 +8122,7 @@ spec: type: string imagePullSecrets: description: |- - ImagePullSecrets are references to secrets in the agent's namespace + imagePullSecrets are references to secrets in the agent's namespace used for pulling the agent container image. items: description: |- @@ -8146,13 +8146,13 @@ spec: labels: additionalProperties: type: string - description: Labels are additional labels added to the agent + description: labels are additional labels added to the agent pods. type: object nodeSelector: additionalProperties: type: string - description: NodeSelector restricts the nodes the agent pods + description: nodeSelector restricts the nodes the agent pods can be scheduled on. type: object podSecurityContext: @@ -8392,7 +8392,7 @@ spec: type: object type: object replicas: - description: Replicas is the number of desired agent pods. + description: replicas is the number of desired agent pods. Defaults to 1. format: int32 type: integer 
@@ -8652,7 +8652,7 @@ spec: type: object serviceAccountConfig: description: |- - ServiceAccountConfig configures the ServiceAccount created by the Agent controller. + serviceAccountConfig configures the ServiceAccount created by the Agent controller. This field can only be used when ServiceAccountName is not set. If ServiceAccountName is not set, a default ServiceAccount (named after the agent) is created, and this config will be applied to it. @@ -8660,24 +8660,24 @@ spec: annotations: additionalProperties: type: string - description: Annotations are additional annotations added + description: annotations are additional annotations added to the created ServiceAccount. type: object labels: additionalProperties: type: string - description: Labels are additional labels added to the + description: labels are additional labels added to the created ServiceAccount. type: object type: object serviceAccountName: description: |- - ServiceAccountName specifies the name of an existing ServiceAccount to use. + serviceAccountName specifies the name of an existing ServiceAccount to use. If this field is set, the Agent controller will not create a ServiceAccount for the agent. This field is mutually exclusive with ServiceAccountConfig. type: string tolerations: - description: Tolerations applied to the agent pods. + description: tolerations applied to the agent pods. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -8717,7 +8717,7 @@ spec: type: object type: array volumeMounts: - description: VolumeMounts are additional volume mounts added + description: volumeMounts are additional volume mounts added to the agent container. items: description: VolumeMount describes a mounting of a Volume 
@@ -8782,7 +8782,7 @@ spec: type: object type: array volumes: - description: Volumes are additional volumes added to the agent + description: volumes are additional volumes added to the agent pod. items: description: Volume represents a named volume in a pod that @@ -10713,16 +10713,16 @@ spec: due to a bug in adk (https://github.com/google/adk-python/issues/3921 ), this field is ignored for now. type: boolean memory: - description: Memory configuration for the agent. + description: memory configuration for the agent. properties: modelConfig: description: |- - ModelConfig is the name of the ModelConfig object whose embedding + modelConfig is the name of the ModelConfig object whose embedding provider will be used to generate memory vectors. type: string ttlDays: description: |- - TTLDays controls how many days a stored memory entry remains valid before + ttlDays controls how many days a stored memory entry remains valid before it is eligible for pruning. Defaults to 15 days when unset or zero. minimum: 1 type: integer @@ -10737,13 +10737,13 @@ spec: type: string promptTemplate: description: |- - PromptTemplate enables Go text/template processing on the systemMessage field. + promptTemplate enables Go text/template processing on the systemMessage field. When set, systemMessage is treated as a Go template with access to the include function and agent context variables. properties: dataSources: description: |- - DataSources defines the ConfigMaps whose keys can be included in the systemMessage + dataSources defines the ConfigMaps whose keys can be included in the systemMessage using Go template syntax, e.g. include("alias/key") or include("name/key"). items: description: |- @@ -10753,7 +10753,7 @@ spec: properties: alias: description: |- - Alias is an optional short identifier for use in include directives. + alias is an optional short identifier for use in include directives. If set, use include("alias/key") instead of include("name/key"). type: string apiGroup: 
@@ -10771,7 +10771,7 @@ spec: runtime: default: python description: |- - Runtime specifies which ADK implementation to use for this agent. + runtime specifies which ADK implementation to use for this agent. - "python": Uses the Python ADK (default, slower startup, full feature set) - "go": Uses the Go ADK (faster startup, most features supported) The runtime determines both the container image and readiness probe configuration. @@ -10786,14 +10786,14 @@ spec: type: boolean systemMessage: description: |- - SystemMessage is a string specifying the system message for the agent. + systemMessage is a string specifying the system message for the agent. When PromptTemplate is set, this field is treated as a Go text/template with access to an include("source/key") function and agent context variables such as .AgentName, .AgentNamespace, .Description, .ToolNames, and .SkillNames. type: string systemMessageFrom: description: |- - SystemMessageFrom is a reference to a ConfigMap or Secret containing the system message. + systemMessageFrom is a reference to a ConfigMap or Secret containing the system message. When PromptTemplate is set, the resolved value is treated as a Go text/template. properties: key: @@ -10832,7 +10832,7 @@ spec: type: object headersFrom: description: |- - HeadersFrom specifies a list of configuration values to be added as + headersFrom specifies a list of configuration values to be added as headers to requests sent to the Tool from this agent. The value of each header is resolved from either a Secret or ConfigMap in the same namespace as the Agent. Headers specified here will override any @@ -10878,7 +10878,7 @@ spec: properties: allowedHeaders: description: |- - AllowedHeaders specifies which headers from the A2A request should be + allowedHeaders specifies which headers from the A2A request should be propagated to MCP tool calls. Header names are case-insensitive. Authorization header behavior: 
@@ -10902,7 +10902,7 @@ spec: type: string requireApproval: description: |- - RequireApproval lists tool names that require human approval before + requireApproval lists tool names that require human approval before execution. Each name must also appear in ToolNames. When a tool in this list is invoked by the agent, execution pauses and the user is prompted to approve or reject the call. @@ -10954,18 +10954,18 @@ spec: type: string sandbox: description: |- - Sandbox configures sandboxed execution behavior shared across runtimes. + sandbox configures sandboxed execution behavior shared across runtimes. This is intended for sandboxed declarative execution today, and can also be consumed by BYO agents. properties: network: description: |- - Network configures outbound network access for sandboxed execution paths. + network configures outbound network access for sandboxed execution paths. When unset or when allowedDomains is empty, outbound access is denied by default. properties: allowedDomains: description: |- - AllowedDomains lists the domains that sandboxed execution may contact. + allowedDomains lists the domains that sandboxed execution may contact. Wildcards such as *.example.com are supported by the sandbox runtime. items: type: string @@ -10974,7 +10974,7 @@ spec: type: object skills: description: |- - Skills to load into the agent. They will be pulled from the specified container images. + skills to load into the agent. They will be pulled from the specified container images. and made available to the agent under the `/skills` folder. properties: gitAuthSecretRef: @@ -11003,7 +11003,7 @@ spec: properties: name: description: |- - Name for the skill directory under /skills. If omitted, defaults to the last + name for the skill directory under /skills. If omitted, defaults to the last segment of Path when Path is set; otherwise defaults to the repo name (last URL path segment, without .git). type: string 
@@ -11019,7 +11019,7 @@ spec: SHA.' type: string url: - description: URL of the git repository (HTTPS or SSH). + description: url of the git repository (HTTPS or SSH). type: string required: - url @@ -11029,7 +11029,7 @@ spec: type: array imagePullSecrets: description: |- - ImagePullSecrets is a list of references to secrets in the same namespace to use for + imagePullSecrets is a list of references to secrets in the same namespace to use for pulling skill images from private registries. Each referenced secret must be of type kubernetes.io/dockerconfigjson. The credentials from all secrets are merged and made available to the skills-init container at /.kagent/.docker/config.json; krane will