kagent

A Helm chart for kagent, built with Google ADK

Requirements

| Repository | Name | Version |
|---|---|---|
| file://../agents/argo-rollouts | argo-rollouts-agent | |
| file://../agents/cilium-debug | cilium-debug-agent | |
| file://../agents/cilium-manager | cilium-manager-agent | |
| file://../agents/cilium-policy | cilium-policy-agent | |
| file://../agents/helm | helm-agent | |
| file://../agents/istio | istio-agent | |
| file://../agents/k8s | k8s-agent | |
| file://../agents/kgateway | kgateway-agent | |
| file://../agents/observability | observability-agent | |
| file://../agents/promql | promql-agent | |
| file://../tools/grafana-mcp | grafana-mcp | |
| file://../tools/querydoc | querydoc | |
| https://oauth2-proxy.github.io/manifests | oauth2-proxy | ~7.0.0 |
| oci://ghcr.io/kagent-dev/kmcp/helm | kmcp | ${KMCP_VERSION} |
| oci://ghcr.io/kagent-dev/tools/helm | kagent-tools | 0.2.1 |

Values

| Key | Type | Default | Description |
|---|---|---|---|
| argo-rollouts-agent.enabled | bool | true | |
| argo-rollouts-agent.resources.limits.memory | string | "256Mi" | |
| argo-rollouts-agent.resources.requests.cpu | string | "50m" | |
| argo-rollouts-agent.resources.requests.memory | string | "128Mi" | |
| cilium-debug-agent.enabled | bool | true | |
| cilium-debug-agent.resources.limits.memory | string | "256Mi" | |
| cilium-debug-agent.resources.requests.cpu | string | "50m" | |
| cilium-debug-agent.resources.requests.memory | string | "128Mi" | |
| cilium-manager-agent.enabled | bool | true | |
| cilium-manager-agent.resources.limits.memory | string | "256Mi" | |
| cilium-manager-agent.resources.requests.cpu | string | "50m" | |
| cilium-manager-agent.resources.requests.memory | string | "128Mi" | |
| cilium-policy-agent.enabled | bool | true | |
| cilium-policy-agent.resources.limits.memory | string | "256Mi" | |
| cilium-policy-agent.resources.requests.cpu | string | "50m" | |
| cilium-policy-agent.resources.requests.memory | string | "128Mi" | |
| controller.a2aBaseUrl | string | http://<fullname>-controller.<namespace>.svc.cluster.local:<port> | The base URL of the A2A Server endpoint, as advertised to clients. |
| controller.agentDeployment | object | {"host":"","podLabels":{},"serviceAccountName":""} | Global deployment defaults applied to all agent pods. Per-agent settings in the Agent CRD take precedence over these defaults. |
| controller.agentDeployment.host | string | "" (controller falls back to "0.0.0.0"; "::" when ipv6.enabled) | Default host address for agent pods to bind to. Leave empty to use the controller's default fallback of "0.0.0.0". Automatically set to "::" when ipv6.enabled is true. Can be explicitly overridden here regardless of the ipv6 flag. |
| controller.agentDeployment.podLabels | object | (no extra labels) | Default labels applied to all agent pod templates. Per-agent labels in the Agent CRD take precedence over these defaults. |
| controller.agentDeployment.serviceAccountName | string | "" (auto-create per-agent ServiceAccount) | Default ServiceAccount name for agent pods. When set, agent pods that don't specify an explicit serviceAccountName will use this ServiceAccount instead of creating a per-agent one. Useful for Workload Identity (GCP, AWS IRSA, Azure Workload Identity). Precedence: agent-level serviceAccountName > this default > auto-created SA. |
| controller.agentImage.pullPolicy | string | "" | |
| controller.agentImage.registry | string | "" | |
| controller.agentImage.repository | string | "kagent-dev/kagent/app" | |
| controller.agentImage.tag | string | "" | |
| controller.auth.mode | string | "unsecure" | |
| controller.auth.userIdClaim | string | "" | |
| controller.env | string | nil | |
| controller.envFrom | list | [] | |
| controller.image.pullPolicy | string | "" | |
| controller.image.registry | string | "" | |
| controller.image.repository | string | "kagent-dev/kagent/controller" | |
| controller.image.tag | string | "" | |
| controller.loglevel | string | "info" | |
| controller.mcpEgressPlaintext | bool | false | Rewrite RemoteMCPServer tool URLs and the controller's tool-discovery dial from https://host[:port] to http://host:<port-or-443> so MCP traffic egresses in plaintext to a proxy that originates TLS upstream. Off by default. |
| controller.metrics | object | disabled | Prometheus-style /metrics endpoint for the controller manager. When enabled, provisions a dedicated metrics Service plus the ClusterRoles required for authenticated scrapes. Bind <fullname>-metrics-reader to your Prometheus ServiceAccount to grant scrape access. Use bindAddress for any port change: the Service targetPort and the pod containerPort are derived from it at template time, so overriding METRICS_BIND_ADDRESS via controller.env shifts only the runtime listener and leaves the rendered Service pointing at the chart-time port. Setting bindAddress: "0" (or empty) is treated as a disable signal — equivalent to enabled: false — to keep faith with the controller binary's documented contract for --metrics-bind-address. |
| controller.nodeSelector | object | {} | Node labels to match for Pod scheduling. |
| controller.podAnnotations | object | {} | |
| controller.readinessProbe | object | httpGet /health on port http, periodSeconds=30 | Custom readiness probe for the controller container. Setting a value replaces the default probe entirely — include a handler (httpGet / exec / tcpSocket / grpc) when overriding. |
| controller.replicas | int | 1 | |
| controller.resources.limits.cpu | int | 2 | |
| controller.resources.limits.memory | string | "512Mi" | |
| controller.resources.requests.cpu | string | "100m" | |
| controller.resources.requests.memory | string | "128Mi" | |
| controller.service.ports.port | int | 8083 | |
| controller.service.ports.targetPort | int | 8083 | |
| controller.service.type | string | "ClusterIP" | |
| controller.skillsInitImage | object | {"pullPolicy":"","registry":"","repository":"kagent-dev/kagent/skills-init","tag":""} | The image used by the skills-init container to clone skills from Git and pull OCI skill images. |
| controller.startupProbe | object | httpGet /health on port http, periodSeconds=15, initialDelaySeconds=15 | Custom startup probe for the controller container. Setting a value replaces the default probe entirely — include a handler (httpGet / exec / tcpSocket / grpc) when overriding. |
| controller.streaming | string | nil | @deprecated Removed in 0.10.0. The A2A SDK now handles SSE buffering and timeouts internally. These values have no effect and will be removed in a future release. |
| controller.substrate.ateApiEndpoint | string | "" | |
| controller.substrate.ateApiInsecure | bool | false | |
| controller.substrate.ateApiServer.namespace | string | "ate-system" | |
| controller.substrate.ateApiServer.serviceAccount | string | "ate-api-server" | |
| controller.substrate.ateApiTokenAudience | string | "api.ate-system.svc" | |
| controller.substrate.ateApiTokenExpirationSeconds | int | 3600 | |
| controller.substrate.ateApiTokenFile | string | "/var/run/secrets/tokens/ate-api/token" | |
| controller.substrate.atenetRouterURL | string | "" | |
| controller.substrate.defaultWorkerPool.name | string | "" | |
| controller.substrate.defaultWorkerPool.namespace | string | "" | |
| controller.substrate.enabled | bool | false | |
| controller.tolerations | list | [] | Node taints which will be tolerated for Pod scheduling. |
| controller.volumeMounts | list | [] | |
| controller.volumes | list | [] | |
| controller.watchNamespaces | list | [] (watches all available namespaces) | Namespaces the controller should watch. If empty, the controller will watch ALL available namespaces. |
| database.postgres.bundled | object | {"enabled":true,"image":{"name":"postgres","pullPolicy":"IfNotPresent","registry":"docker.io","repository":"library","tag":"18.3-alpine"},"podSecurityContext":{"fsGroup":999,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}},"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"storage":"500Mi","storageClassName":""} | Bundled PostgreSQL instance — for development and evaluation only. Not suitable for production. Deployed when enabled is true and url/urlFile are not set. |
| database.postgres.bundled.enabled | bool | true | Set to false to disable the bundled database and provide your own via url or urlFile. |
| database.postgres.bundled.image.name | string | "postgres" | Bundled PostgreSQL image name |
| database.postgres.bundled.image.pullPolicy | string | "IfNotPresent" | Bundled PostgreSQL image pull policy |
| database.postgres.bundled.image.registry | string | "docker.io" | Bundled PostgreSQL image registry |
| database.postgres.bundled.image.repository | string | "library" | Bundled PostgreSQL image repository (org/namespace) |
| database.postgres.bundled.image.tag | string | "18.3-alpine" | Bundled PostgreSQL image tag |
| database.postgres.bundled.podSecurityContext | object | {"fsGroup":999,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}} | Pod-level security context for the bundled PostgreSQL deployment. |
| database.postgres.bundled.resources | object | {"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}} | Resource requests/limits for the demo PostgreSQL container |
| database.postgres.bundled.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}} | Container-level security context for the bundled PostgreSQL container. |
| database.postgres.bundled.storage | string | "500Mi" | PersistentVolumeClaim size for demo PostgreSQL data |
| database.postgres.bundled.storageClassName | string | "" | StorageClass for the PostgreSQL PVC. Defaults to the cluster default when empty. |
| database.postgres.url | string | "" | External PostgreSQL connection string. Is always used if set regardless of the .bundled.enabled field. |
| database.postgres.urlFile | string | "" | Path to a file containing the database URL. Takes precedence over url when set. Is always used if set regardless of the .bundled.enabled field. |
| database.postgres.vectorEnabled | bool | false | Enable the pgvector migration. Required to use features that depend on database vector capability (e.g. long-term memory). Set to true when using an external PostgreSQL that has the pgvector extension installed. |
| fullnameOverride | string | "" | |
| grafana-mcp.enabled | bool | true | |
| grafana-mcp.grafana.serviceAccountToken | string | "" | |
| grafana-mcp.grafana.url | string | "grafana.kagent:3000/api" | |
| grafana-mcp.resources.limits.cpu | string | "500m" | |
| grafana-mcp.resources.limits.memory | string | "512Mi" | |
| grafana-mcp.resources.requests.cpu | string | "100m" | |
| grafana-mcp.resources.requests.memory | string | "128Mi" | |
| helm-agent.enabled | bool | true | |
| helm-agent.resources.limits.memory | string | "256Mi" | |
| helm-agent.resources.requests.cpu | string | "50m" | |
| helm-agent.resources.requests.memory | string | "128Mi" | |
| imagePullPolicy | string | "IfNotPresent" | |
| imagePullSecrets | list | [] | |
| ipv6 | object | false | Enable IPv6/dual-stack support. When true, configures all components for dual-stack (IPv4+IPv6) networking: nginx listens on both IPv4 and IPv6 (adds listen [::]:8080); Next.js binds to :: instead of 0.0.0.0; Agent pods bind to :: for dual-stack reachability. Leave disabled on clusters where IPv6 is disabled at the kernel level. |
| istio-agent.enabled | bool | true | |
| istio-agent.resources.limits.memory | string | "256Mi" | |
| istio-agent.resources.requests.cpu | string | "50m" | |
| istio-agent.resources.requests.memory | string | "128Mi" | |
| k8s-agent.enabled | bool | true | |
| k8s-agent.resources.limits.memory | string | "256Mi" | |
| k8s-agent.resources.requests.cpu | string | "50m" | |
| k8s-agent.resources.requests.memory | string | "128Mi" | |
| kagent-tools.enabled | bool | true | |
| kagent-tools.nameOverride | string | "tools" | |
| kagent-tools.podSecurityContext.runAsNonRoot | bool | true | |
| kagent-tools.podSecurityContext.seccompProfile.type | string | "RuntimeDefault" | |
| kagent-tools.replicaCount | int | 1 | |
| kagent-tools.resources.limits.memory | string | "256Mi" | |
| kagent-tools.resources.requests.cpu | string | "50m" | |
| kagent-tools.resources.requests.memory | string | "128Mi" | |
| kagent-tools.securityContext.allowPrivilegeEscalation | bool | false | |
| kagent-tools.securityContext.capabilities.drop[0] | string | "ALL" | |
| kagent-tools.securityContext.readOnlyRootFilesystem | bool | true | |
| kagent-tools.tools.loglevel | string | "debug" | |
| kagent-tools.tools.metrics.port | int | 8085 | |
| kgateway-agent.enabled | bool | true | |
| kgateway-agent.resources.limits.memory | string | "256Mi" | |
| kgateway-agent.resources.requests.cpu | string | "50m" | |
| kgateway-agent.resources.requests.memory | string | "128Mi" | |
| kmcp.enabled | bool | true | |
| kmcp.fullnameOverride | string | "" | |
| kmcp.nameOverride | string | "kmcp" | |
| kmcp.namespaceOverride | string | "" | |
| labels | object | {} | Additional labels to add to all Kubernetes resources |
| nameOverride | string | "" | |
| namespaceOverride | string | .Release.Namespace | Override the namespace |
| nodeSelector | object | {} | Node labels to match for Pod scheduling. |
| oauth2-proxy.config.clientID | string | "" | |
| oauth2-proxy.config.clientSecret | string | "" | |
| oauth2-proxy.config.cookieSecret | string | "" | |
| oauth2-proxy.config.existingSecret | string | "" | |
| oauth2-proxy.enabled | bool | false | |
| oauth2-proxy.extraArgs.approval-prompt | string | "auto" | |
| oauth2-proxy.extraArgs.cookie-samesite | string | "lax" | |
| oauth2-proxy.extraArgs.cookie-secure | bool | true | |
| oauth2-proxy.extraArgs.custom-templates-dir | string | "/templates" | |
| oauth2-proxy.extraArgs.email-domain | string | "*" | |
| oauth2-proxy.extraArgs.oidc-issuer-url | string | "$(OIDC_ISSUER_URL)" | |
| oauth2-proxy.extraArgs.pass-authorization-header | bool | true | |
| oauth2-proxy.extraArgs.provider | string | "oidc" | |
| oauth2-proxy.extraArgs.redirect-url | string | "$(OIDC_REDIRECT_URL)" | |
| oauth2-proxy.extraArgs.scope | string | "openid profile email groups" | |
| oauth2-proxy.extraArgs.set-authorization-header | bool | true | |
| oauth2-proxy.extraArgs.skip-auth-regex | string | `"^/(login_next/static | |
| oauth2-proxy.extraArgs.skip-auth-route | string | `"^/(healthlogin)$"` | |
| oauth2-proxy.extraArgs.skip-jwt-bearer-tokens | bool | true | |
| oauth2-proxy.extraArgs.upstream | string | "$(UPSTREAM_URL)" | |
| oauth2-proxy.extraEnv[0].name | string | "OIDC_ISSUER_URL" | |
| oauth2-proxy.extraEnv[0].value | string | "" | |
| oauth2-proxy.extraEnv[1].name | string | "OIDC_REDIRECT_URL" | |
| oauth2-proxy.extraEnv[1].value | string | "" | |
| oauth2-proxy.extraEnv[2].name | string | "UPSTREAM_URL" | |
| oauth2-proxy.extraEnv[2].value | string | "http://kagent-ui:8080" | |
| oauth2-proxy.extraVolumeMounts[0].mountPath | string | "/templates" | |
| oauth2-proxy.extraVolumeMounts[0].name | string | "custom-templates" | |
| oauth2-proxy.extraVolumeMounts[0].readOnly | bool | true | |
| oauth2-proxy.extraVolumes[0].configMap.name | string | "kagent-oauth2-proxy-templates" | |
| oauth2-proxy.extraVolumes[0].name | string | "custom-templates" | |
| oauth2-proxy.redis.enabled | bool | false | |
| oauth2-proxy.service.portNumber | int | 4180 | |
| oauth2-proxy.service.type | string | "ClusterIP" | |
| oauth2-proxy.sessionStorage.type | string | "cookie" | |
| observability-agent.enabled | bool | true | |
| observability-agent.resources.limits.memory | string | "256Mi" | |
| observability-agent.resources.requests.cpu | string | "50m" | |
| observability-agent.resources.requests.memory | string | "128Mi" | |
| otel.logging.enabled | bool | false | |
| otel.logging.exporter.otlp.endpoint | string | "" | |
| otel.logging.exporter.otlp.insecure | bool | true | |
| otel.logging.exporter.otlp.timeout | int | 15000 | |
| otel.tracing.enabled | bool | false | |
| otel.tracing.exporter.otlp.endpoint | string | "" | |
| otel.tracing.exporter.otlp.insecure | bool | true | |
| otel.tracing.exporter.otlp.protocol | string | "grpc" | |
| otel.tracing.exporter.otlp.timeout | int | 15000 | |
| podAnnotations | object | {} | |
| podSecurityContext | object | {"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}} | Security context for all pods |
| promql-agent.enabled | bool | true | |
| promql-agent.resources.limits.memory | string | "256Mi" | |
| promql-agent.resources.requests.cpu | string | "50m" | |
| promql-agent.resources.requests.memory | string | "128Mi" | |
| providers.anthropic.apiKeySecretKey | string | "ANTHROPIC_API_KEY" | |
| providers.anthropic.apiKeySecretRef | string | "kagent-anthropic" | |
| providers.anthropic.model | string | "claude-haiku-4-5" | |
| providers.anthropic.provider | string | "Anthropic" | |
| providers.azureOpenAI.apiKeySecretKey | string | "AZUREOPENAI_API_KEY" | |
| providers.azureOpenAI.apiKeySecretRef | string | "kagent-azure-openai" | |
| providers.azureOpenAI.config.apiVersion | string | "2023-05-15" | |
| providers.azureOpenAI.config.azureAdToken | string | "" | |
| providers.azureOpenAI.config.azureDeployment | string | "" | |
| providers.azureOpenAI.config.azureEndpoint | string | "" | |
| providers.azureOpenAI.model | string | "gpt-4.1-mini" | |
| providers.azureOpenAI.provider | string | "AzureOpenAI" | |
| providers.default | string | "openAI" | |
| providers.gemini.apiKeySecretKey | string | "GOOGLE_API_KEY" | |
| providers.gemini.apiKeySecretRef | string | "kagent-gemini" | |
| providers.gemini.model | string | "gemini-2.0-flash-lite" | |
| providers.gemini.provider | string | "Gemini" | |
| providers.ollama.config.host | string | "host.docker.internal:11434" | |
| providers.ollama.config.options.num_ctx | string | "64000" | |
| providers.ollama.model | string | "llama3.2" | |
| providers.ollama.provider | string | "Ollama" | |
| providers.openAI.apiKeySecretKey | string | "OPENAI_API_KEY" | |
| providers.openAI.apiKeySecretRef | string | "kagent-openai" | |
| providers.openAI.model | string | "gpt-4.1-mini" | |
| providers.openAI.provider | string | "OpenAI" | |
| proxy.url | string | "" | |
| querydoc.enabled | bool | true | |
| querydoc.image.pullPolicy | string | "IfNotPresent" | |
| querydoc.image.registry | string | "ghcr.io" | |
| querydoc.image.repository | string | "kagent-dev/doc2vec/mcp" | |
| querydoc.image.tag | string | "1.1.14" | |
| querydoc.openai.apiKey | string | "" | |
| querydoc.replicas | int | 1 | |
| querydoc.resources.limits.cpu | string | "500m" | |
| querydoc.resources.limits.memory | string | "512Mi" | |
| querydoc.resources.requests.cpu | string | "100m" | |
| querydoc.resources.requests.memory | string | "128Mi" | |
| rbac.namespaces | list | [] | Namespaces in which to create Role and RoleBinding resources. If empty (default), the chart creates cluster-scoped ClusterRole and ClusterRoleBinding resources and the controller watches all namespaces. If set, the chart creates a Role + RoleBinding per listed namespace and the controller's WATCH_NAMESPACES is derived from this list (unless controller.watchNamespaces is set explicitly, which always takes precedence). |
| registry | string | "cr.kagent.dev" | |
| securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true} | Security context for all containers |
| substrateWorkerPool | object | {"ateomImage":"","create":false,"name":"kagent-default","replicas":1} | Optional Agent Substrate WorkerPool installed by this chart. This is platform capacity and is not owned by individual AgentHarness resources. |
| tag | string | "" | |
| tolerations | list | [] | Node taints which will be tolerated for Pod scheduling. |
| ui.additionalForwardedHeaders | list | [] | Additional request headers (beyond Authorization) the UI proxy will forward to the backend. Names are case-insensitive. Hop-by-hop headers (Connection, Transfer-Encoding, etc.) are silently dropped. |
| ui.auth.ssoRedirectPath | string | "/oauth2/start" | |
| ui.backendInternalUrl | string | "" | |
| ui.env | object | {} | |
| ui.image.pullPolicy | string | "" | |
| ui.image.registry | string | "" | |
| ui.image.repository | string | "kagent-dev/kagent/ui" | |
| ui.image.tag | string | "" | |
| ui.nodeSelector | object | {} | Node labels to match for Pod scheduling. |
| ui.podAnnotations | object | {} | |
| ui.podSecurityContext | object | (uses global podSecurityContext) | Pod-level security context for the UI pod. Overrides the global podSecurityContext. |
| ui.publicBackendUrl | string | "/api" | |
| ui.readinessProbe | object | httpGet /health on port http, periodSeconds=30 | Custom readiness probe for the UI container. Override to adjust thresholds, use exec-based probes, or change the health path. |
| ui.replicas | int | 1 | |
| ui.resources.limits.cpu | string | "1000m" | |
| ui.resources.limits.memory | string | "1Gi" | |
| ui.resources.requests.cpu | string | "100m" | |
| ui.resources.requests.memory | string | "256Mi" | |
| ui.securityContext | object | (uses global securityContext) | Container-level security context for the UI container. Overrides the global securityContext. |
| ui.service.annotations | object | {} | |
| ui.service.ports.port | int | 8080 | |
| ui.service.ports.targetPort | int | 8080 | |
| ui.service.type | string | "ClusterIP" | |
| ui.startupProbe | object | httpGet /health on port http, periodSeconds=1, initialDelaySeconds=1 | Custom startup probe for the UI container. Override to adjust thresholds, use exec-based probes, or change the health path. |
| ui.tolerations | list | [] | Node taints which will be tolerated for Pod scheduling. |
| ui.volumes | object | {"nextjsCache":"100Mi","tmp":"50Mi"} | EmptyDir volume sizes for Next.js UI workload (typically used when enabling readOnlyRootFilesystem) |
| ui.volumes.nextjsCache | string | "100Mi" | Size limit for Next.js build cache (.next/cache). Default 100Mi is sufficient for typical Next.js apps with moderate caching needs. |
| ui.volumes.tmp | string | "50Mi" | Size limit for temporary files (/tmp). Default 50Mi provides ample space for Next.js runtime temporary data. |
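
The precedence rules in the table (controller.watchNamespaces over rbac.namespaces, urlFile over url over the bundled database) decide what a given override file actually deploys. The following pre-install check is an added example, not part of the chart or the kagent project: it overlays a values override on the defaults listed above and reports the settings the table describes as cluster-wide, plaintext or evaluation-only. The function names, the choice of which keys to flag, and the SAMPLE override (namespace and file path) are assumptions made for illustration.

```python
# Defaults copied from the values table on this page (only the keys the audit reads).
DEFAULTS = {
    "controller.auth.mode": "unsecure",
    "controller.mcpEgressPlaintext": False,
    "controller.watchNamespaces": [],
    "rbac.namespaces": [],
    "database.postgres.bundled.enabled": True,
    "database.postgres.url": "",
    "database.postgres.urlFile": "",
    "otel.tracing.enabled": False,
    "otel.tracing.exporter.otlp.insecure": True,
    "otel.logging.enabled": False,
    "otel.logging.exporter.otlp.insecure": True,
    "oauth2-proxy.enabled": False,
    "oauth2-proxy.extraArgs.email-domain": "*",
}
# Constructed override for illustration; the namespace and file path are hypothetical.
SAMPLE = {
    "rbac": {"namespaces": ["team-a"]},
    "database": {"postgres": {"bundled": {"enabled": False}, "urlFile": "/etc/kagent/db-url"}},
    "otel": {"tracing": {"enabled": True}}, "oauth2-proxy": {"enabled": True},
}

def effective(overrides, prefix=""):
    """Chart defaults overlaid with nested overrides, keyed by the table's dotted paths."""
    flat = {} if prefix else dict(DEFAULTS)
    for key, val in overrides.items():
        path = f"{prefix}.{key}" if prefix else key
        flat.update(effective(val, path) if isinstance(val, dict) and val else {path: val})
    return flat

def watch_scope(v):
    """controller.watchNamespaces takes precedence, then rbac.namespaces, else all namespaces."""
    return v["controller.watchNamespaces"] or v["rbac.namespaces"] or ["*"]

def database_source(v):
    """urlFile beats url; either one beats the bundled instance."""
    for key in ("urlFile", "url"):
        if v[f"database.postgres.{key}"]:
            return key
    return "bundled" if v["database.postgres.bundled.enabled"] else "none"

def audit(overrides):
    """Return findings for settings the table marks as cluster-wide, plaintext or dev-only."""
    v, out = effective(overrides), []
    if v["controller.auth.mode"] == "unsecure":
        out.append("controller.auth.mode is still the default 'unsecure'")
    if not v["rbac.namespaces"]:
        out.append("rbac.namespaces empty: cluster-scoped ClusterRole and ClusterRoleBinding")
    if watch_scope(v) == ["*"]:
        out.append("controller watches all namespaces")
    if database_source(v) == "bundled":
        out.append("bundled PostgreSQL in use (development and evaluation only)")
    if v["controller.mcpEgressPlaintext"]:
        out.append("controller.mcpEgressPlaintext: MCP traffic egresses in plaintext to the proxy")
    for sig in ("tracing", "logging"):
        if v[f"otel.{sig}.enabled"] and v[f"otel.{sig}.exporter.otlp.insecure"]:
            out.append(f"otel.{sig} exports over OTLP with insecure=true")
    if v["oauth2-proxy.enabled"] and v["oauth2-proxy.extraArgs.email-domain"] == "*":
        out.append("oauth2-proxy email-domain '*' admits any email domain")
    return out
```

Calling `audit({})` reports what an install with no overrides leaves in place; `audit(SAMPLE)` shows that enabling tracing or oauth2-proxy without touching their other defaults still produces findings.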