stacklok
diff --git a/‎cmd/thv-operator/README.md‎
Lines changed: 78 additions & 0 deletions b/‎cmd/thv-operator/README.md‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎cmd/thv-operator/controllers/mcpserver_controller.go‎
Lines changed: 14 additions & 0 deletions b/‎cmd/thv-operator/controllers/mcpserver_controller.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎cmd/thv-operator/controllers/mcpserver_kagent.go‎
Lines changed: 202 additions & 0 deletions b/‎cmd/thv-operator/controllers/mcpserver_kagent.go‎
Lines changed: 202 additions & 0 deletions
@@ -213,6 +213,84 @@ kubectl describe mcpserver <name>
 | `permissionProfile` | Permission profile configuration                 | No       | -       |
 | `tools`             | Allow-list filter on the list of tools           | No       | -       |
 
+### Kagent Integration
+
+The ToolHive operator supports optional integration with [kagent](https://kagent.dev), allowing kagent agents to discover and use MCP servers managed by ToolHive. When enabled, the operator automatically creates kagent ToolServer resources that reference the ToolHive-managed MCP servers.
+
+#### Enabling Kagent Integration
+
+To enable kagent integration, set the following Helm value when installing the operator:
+
+```bash
+helm upgrade -i toolhive-operator oci://ghcr.io/stacklok/toolhive/toolhive-operator \
+  --set kagentIntegration.enabled=true \
+  -n toolhive-system --create-namespace
+```
+
+Or add it to your values file:
+
+```yaml
+kagentIntegration:
+  enabled: true
+```
+
+#### How It Works
+
+When kagent integration is enabled:
+
+1. For each ToolHive MCPServer resource created, the operator automatically creates a corresponding kagent ToolServer resource
+2. The ToolServer resource references the ToolHive-managed MCP server service URL
+3. The ToolServer is owned by the MCPServer, ensuring it's deleted when the MCPServer is removed
+4. Kagent agents can then discover and use these ToolServers to access the MCP servers
+
+The kagent ToolServer resources are created with:
+- Name: `toolhive-<mcpserver-name>`
+- Namespace: Same as the MCPServer
+- Transport configuration: Mapped from ToolHive transport types (sse → sse, streamable-http → streamableHttp, stdio → sse)
+- Service URL: Points to the ToolHive proxy service
+
+#### Requirements
+
+- Kagent must be installed in your cluster
+- The operator needs permissions to manage kagent ToolServer resources (automatically configured when integration is enabled)
+
+#### Example
+
+When you create a ToolHive MCPServer:
+
+```yaml
+apiVersion: toolhive.stacklok.dev/v1alpha1
+kind: MCPServer
+metadata:
+  name: github
+  namespace: toolhive-system
+spec:
+  image: ghcr.io/github/github-mcp-server
+  transport: sse
+  port: 8080
+```
+
+With kagent integration enabled, the operator automatically creates:
+
+```yaml
+apiVersion: kagent.dev/v1alpha1
+kind: ToolServer
+metadata:
+  name: toolhive-github
+  namespace: toolhive-system
+  labels:
+    toolhive.stacklok.dev/managed-by: toolhive-operator
+    toolhive.stacklok.dev/mcpserver: github
+spec:
+  description: "ToolHive MCP Server: github"
+  config:
+    type: sse
+    sse:
+      url: http://mcp-github-proxy.toolhive-system.svc.cluster.local:8080
+```
+
+Kagent agents can then reference this ToolServer to use the GitHub MCP server in their workflows.
+
 ### Permission Profiles
 
 Permission profiles can be configured in two ways:
 
@@ -318,6 +318,13 @@ func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		}
 	}
 
+	// Ensure kagent ToolServer resource if integration is enabled
+	if err := r.ensureKagentToolServer(ctx, mcpServer); err != nil {
+		ctxLogger.Error(err, "Failed to ensure kagent ToolServer")
+		// Log the error but don't fail the reconciliation
+		// This allows the ToolHive MCPServer to work even if kagent integration fails
+	}
+
 	// Check if the deployment spec changed
 	if r.deploymentNeedsUpdate(deployment, mcpServer) {
 		// Update the deployment
@@ -1248,6 +1255,13 @@ func (r *MCPServerReconciler) finalizeMCPServer(ctx context.Context, m *mcpv1alp
 		return fmt.Errorf("failed to check RunConfig ConfigMap %s: %w", runConfigName, err)
 	}
 
+	// Step 5: Delete associated kagent ToolServer if it exists
+	// This should be handled by owner references, but we explicitly delete for safety
+	if err := r.deleteKagentToolServer(ctx, m); err != nil {
+		// Log the error but don't fail the finalization
+		ctxLogger.Error(err, "Failed to delete kagent ToolServer during finalization")
+	}
+
 	// The owner references will automatically delete the deployment and service
 	// when the MCPServer is deleted, so we don't need to do anything here.
 	return nil
 
@@ -0,0 +1,202 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+
+	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
+)
+
+// kagentToolServerGVK defines the GroupVersionKind for kagent ToolServer
+var kagentToolServerGVK = schema.GroupVersionKind{
+	Group:   "kagent.dev",
+	Version: "v1alpha1",
+	Kind:    "ToolServer",
+}
+
+// Constants for kagent config types
+const (
+	kagentConfigTypeSSE            = "sse"
+	kagentConfigTypeStreamableHTTP = "streamableHttp"
+)
+
+// isKagentIntegrationEnabled checks if kagent integration is enabled via environment variable
+func isKagentIntegrationEnabled() bool {
+	enabled := os.Getenv("KAGENT_INTEGRATION_ENABLED")
+	if enabled == "" {
+		return false
+	}
+	result, err := strconv.ParseBool(enabled)
+	if err != nil {
+		return false
+	}
+	return result
+}
+
+// ensureKagentToolServer ensures a kagent ToolServer resource exists for the ToolHive MCPServer
+func (r *MCPServerReconciler) ensureKagentToolServer(ctx context.Context, mcpServer *mcpv1alpha1.MCPServer) error {
+	logger := log.FromContext(ctx)
+
+	// Check if kagent integration is enabled
+	if !isKagentIntegrationEnabled() {
+		// If not enabled, ensure any existing kagent ToolServer is deleted
+		return r.deleteKagentToolServer(ctx, mcpServer)
+	}
+
+	// Create the kagent ToolServer object
+	kagentToolServer := r.createKagentToolServerObject(mcpServer)
+
+	// Check if the kagent ToolServer already exists
+	existing := &unstructured.Unstructured{}
+	existing.SetGroupVersionKind(kagentToolServerGVK)
+	err := r.Get(ctx, types.NamespacedName{
+		Name:      kagentToolServer.GetName(),
+		Namespace: kagentToolServer.GetNamespace(),
+	}, existing)
+
+	if errors.IsNotFound(err) {
+		// Create the kagent ToolServer
+		logger.Info("Creating kagent ToolServer",
+			"name", kagentToolServer.GetName(),
+			"namespace", kagentToolServer.GetNamespace())
+		if err := r.Create(ctx, kagentToolServer); err != nil {
+			return fmt.Errorf("failed to create kagent ToolServer: %w", err)
+		}
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to get kagent ToolServer: %w", err)
+	}
+
+	// Update the kagent ToolServer if needed
+	existingSpec, _, _ := unstructured.NestedMap(existing.Object, "spec")
+	desiredSpec, _, _ := unstructured.NestedMap(kagentToolServer.Object, "spec")
+
+	if !equality.Semantic.DeepEqual(existingSpec, desiredSpec) {
+		logger.Info("Updating kagent ToolServer",
+			"name", kagentToolServer.GetName(),
+			"namespace", kagentToolServer.GetNamespace())
+		existing.Object["spec"] = kagentToolServer.Object["spec"]
+		if err := r.Update(ctx, existing); err != nil {
+			return fmt.Errorf("failed to update kagent ToolServer: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// deleteKagentToolServer deletes the kagent ToolServer if it exists
+func (r *MCPServerReconciler) deleteKagentToolServer(ctx context.Context, mcpServer *mcpv1alpha1.MCPServer) error {
+	logger := log.FromContext(ctx)
+
+	kagentToolServer := &unstructured.Unstructured{}
+	kagentToolServer.SetGroupVersionKind(kagentToolServerGVK)
+	kagentToolServer.SetName(fmt.Sprintf("toolhive-%s", mcpServer.Name))
+	kagentToolServer.SetNamespace(mcpServer.Namespace)
+
+	err := r.Get(ctx, types.NamespacedName{
+		Name:      kagentToolServer.GetName(),
+		Namespace: kagentToolServer.GetNamespace(),
+	}, kagentToolServer)
+
+	if errors.IsNotFound(err) {
+		// Already deleted
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("failed to get kagent ToolServer for deletion: %w", err)
+	}
+
+	logger.Info("Deleting kagent ToolServer",
+		"name", kagentToolServer.GetName(),
+		"namespace", kagentToolServer.GetNamespace())
+	if err := r.Delete(ctx, kagentToolServer); err != nil && !errors.IsNotFound(err) {
+		return fmt.Errorf("failed to delete kagent ToolServer: %w", err)
+	}
+
+	return nil
+}
+
+// createKagentToolServerObject creates an unstructured kagent ToolServer object
+func (*MCPServerReconciler) createKagentToolServerObject(mcpServer *mcpv1alpha1.MCPServer) *unstructured.Unstructured {
+	kagentToolServer := &unstructured.Unstructured{}
+	kagentToolServer.SetGroupVersionKind(kagentToolServerGVK)
+	kagentToolServer.SetName(fmt.Sprintf("toolhive-%s", mcpServer.Name))
+	kagentToolServer.SetNamespace(mcpServer.Namespace)
+
+	// Build the service URL for the ToolHive MCP server
+	serviceName := createServiceName(mcpServer.Name)
+	serviceURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:%d",
+		serviceName, mcpServer.Namespace, mcpServer.Spec.Port)
+
+	// Determine the config type based on ToolHive transport
+	var configType string
+	var config map[string]interface{}
+
+	switch mcpServer.Spec.Transport {
+	case "sse":
+		configType = kagentConfigTypeSSE
+		config = map[string]interface{}{
+			kagentConfigTypeSSE: map[string]interface{}{
+				"url": serviceURL,
+			},
+		}
+	case "streamable-http":
+		configType = kagentConfigTypeStreamableHTTP
+		config = map[string]interface{}{
+			kagentConfigTypeStreamableHTTP: map[string]interface{}{
+				"url": serviceURL,
+			},
+		}
+	default:
+		// For stdio or any other transport, default to SSE
+		// since ToolHive exposes everything via HTTP
+		configType = kagentConfigTypeSSE
+		config = map[string]interface{}{
+			kagentConfigTypeSSE: map[string]interface{}{
+				"url": serviceURL,
+			},
+		}
+	}
+
+	config["type"] = configType
+
+	// Build the spec
+	spec := map[string]interface{}{
+		"description": fmt.Sprintf("ToolHive MCP Server: %s", mcpServer.Name),
+		"config":      config,
+	}
+
+	kagentToolServer.Object = map[string]interface{}{
+		"apiVersion": "kagent.dev/v1alpha1",
+		"kind":       "ToolServer",
+		"metadata": map[string]interface{}{
+			"name":      kagentToolServer.GetName(),
+			"namespace": kagentToolServer.GetNamespace(),
+			"labels": map[string]interface{}{
+				"toolhive.stacklok.dev/managed-by": "toolhive-operator",
+				"toolhive.stacklok.dev/mcpserver":  mcpServer.Name,
+			},
+			"ownerReferences": []interface{}{
+				map[string]interface{}{
+					"apiVersion":         "toolhive.stacklok.dev/v1alpha1",
+					"kind":               "MCPServer",
+					"name":               mcpServer.Name,
+					"uid":                string(mcpServer.UID),
+					"controller":         true,
+					"blockOwnerDeletion": true,
+				},
+			},
+		},
+		"spec": spec,
+	}
+
+	return kagentToolServer
+}