RemoteMCPServer
kagent.dev / v1alpha2
apiVersion: kagent.dev/v1alpha2
kind: RemoteMCPServer
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
RemoteMCPServerSpec defines the desired state of RemoteMCPServer.
allowedNamespaces object
AllowedNamespaces defines which namespaces are allowed to reference this RemoteMCPServer.
This follows the Gateway API pattern for cross-namespace route attachments.
If not specified, only Agents in the same namespace can reference this RemoteMCPServer.
See: https://gateway-api.sigs.k8s.io/guides/multiple-ns/#cross-namespace-route-attachment
A cross-namespace-permitting value (from: All or from: Selector) is
mutually exclusive with spec.tls.caCertSecretRef (enforced by a spec-level
XValidation rule): a pinned CA Secret is mounted onto the consuming agent's
pod by bare name and Kubernetes resolves it in the agent's namespace, not
this RemoteMCPServer's, so a CA-pinning RemoteMCPServer cannot be referenced
cross-namespace. from: Same (the default) is always allowed.
from
string
From indicates where references to this resource can originate.
Possible values are:
* All: References from all namespaces are allowed.
* Same: Only references from the same namespace are allowed (default).
* Selector: References from namespaces matching the selector are allowed.
enum:
All, Same, Selector
selector object
Selector is a label selector for namespaces that are allowed to reference this resource.
Only used when From is set to "Selector".
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
description
string required
headersFrom []object
name
string required
value
string
valueFrom object
ValueSource defines a source for configuration values from a Secret or ConfigMap
key
string required
The key of the ConfigMap or Secret.
maxLength:
253
name
string required
The name of the ConfigMap or Secret.
maxLength:
253
type
string required
enum:
ConfigMap, Secret
protocol
string
enum:
SSE, STREAMABLE_HTTP
sseReadTimeout
string
terminateOnClose
boolean
timeout
string
tls object
TLS configuration for the upstream MCP server connection.
Use this for HTTPS upstreams that present a certificate the agent's
system trust store does not include (corporate CA, self-signed cert
on a test fixture, internal MCP gateway). Reuses the same TLSConfig
type as ModelConfig.spec.tls — disableVerify turns off certificate
validation entirely, caCertSecretRef + caCertSecretKey point at a
PEM bundle Secret in the same namespace, and disableSystemCAs
trusts only the named bundle.
Note one asymmetry with ModelConfig: a spec-level XValidation rule
on RemoteMCPServer rejects spec.tls when spec.url has the http://
scheme (a TLS opinion contradicts a plaintext URL). ModelConfig has
no equivalent rule, so a TLS block can sit alongside any baseUrl.
caCertSecretKey
string
CACertSecretKey is the key within the Secret that contains the
CA certificate data (PEM-encoded). Required when CACertSecretRef
is set — admission rejects ref-without-key regardless of
DisableVerify (see the TLSConfig-level XValidation rules).
caCertSecretRef
string
CACertSecretRef is a reference to a Kubernetes Secret containing
CA certificate(s) in PEM format. The Secret must be in the same
namespace as the resource referencing it (ModelConfig,
RemoteMCPServer, or any future consumer of TLSConfig).
When set, the certificate will be used to verify the upstream's
SSL certificate.
disableSystemCAs
boolean
DisableSystemCAs disables the use of system CA certificates.
When false (default), system CA certificates are used for verification (safe behavior).
When true, only the custom CA from CACertSecretRef is trusted.
This allows strict security policies where only corporate CAs should be trusted.
disableVerify
boolean
DisableVerify disables SSL certificate verification entirely.
When false (default), SSL certificates are verified.
When true, SSL certificate verification is disabled.
WARNING: This should ONLY be used in development/testing environments.
Production deployments MUST use proper certificates.
url
string required
minLength:
1
status object
RemoteMCPServerStatus defines the observed state of RemoteMCPServer.
conditions []object
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64
minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength:
1
maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength:
316
discoveredTools []object
description
string required
name
string required
observedGeneration
integer
format:
int64
secretHash
string
SecretHash stores a hash of the TLS Secret referenced by spec.tls so
agents that consume this RemoteMCPServer can detect cert rotation and
roll on the next reconcile. Empty when spec.tls.caCertSecretRef is unset.
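The cross-field rules described under spec.allowedNamespaces and spec.tls can be checked before a manifest reaches the API server. The following is an added example, not kagent code: a small lint over manifests already parsed into Python dicts. The function name, the sample manifests and the two "warn" findings are assumptions made for illustration; only the "error" findings mirror admission rules stated on this page.

```python
VALID_FROM = ("All", "Same", "Selector")

def lint_remote_mcp_server(obj):
    """Return (severity, message) findings for one RemoteMCPServer manifest dict."""
    spec = obj.get("spec") or {}
    url = spec.get("url") or ""
    tls = spec.get("tls")
    # from: Same is the default when allowedNamespaces is not specified.
    origin = (spec.get("allowedNamespaces") or {}).get("from", "Same")
    out = []
    if not url:
        out.append(("error", "spec.url is required (minLength 1)"))
    if origin not in VALID_FROM:
        out.append(("error", "allowedNamespaces.from must be All, Same or Selector"))
    # A TLS block contradicts a plaintext URL.
    if tls is not None and url.startswith("http://"):
        out.append(("error", "spec.tls conflicts with plaintext http:// spec.url"))
    tls = tls or {}
    ref = tls.get("caCertSecretRef")
    # Ref without key is rejected regardless of disableVerify.
    if ref and not tls.get("caCertSecretKey"):
        out.append(("error", "caCertSecretRef requires caCertSecretKey"))
    # The CA Secret resolves in the agent's namespace, so pinning excludes sharing.
    if ref and origin in ("All", "Selector"):
        out.append(("error", "pinned CA is not allowed with cross-namespace from: " + origin))
    # Lint-only findings (assumptions of this example, not admission rules).
    if tls.get("disableVerify"):
        out.append(("warn", "disableVerify turns off certificate validation"))
    if tls.get("disableSystemCAs") and not ref:
        out.append(("warn", "disableSystemCAs without caCertSecretRef leaves no CA to trust"))
    return out

# Constructed sample manifests (names and URLs are placeholders).
PINNED_TLS = {"caCertSecretRef": "corp-ca", "caCertSecretKey": "ca.crt",
              "disableSystemCAs": True}
PINNED_SAME = {"kind": "RemoteMCPServer", "metadata": {"name": "internal-gw"},
               "spec": {"description": "internal gateway",
                        "url": "https://mcp.internal.example/mcp", "tls": PINNED_TLS}}
SHARED_PINNED = {"kind": "RemoteMCPServer", "metadata": {"name": "shared-gw"},
                 "spec": dict(PINNED_SAME["spec"], allowedNamespaces={"from": "All"})}
PLAINTEXT = {"kind": "RemoteMCPServer", "metadata": {"name": "dev-fixture"},
             "spec": {"description": "test fixture", "url": "http://fixture.example/sse",
                      "tls": {"disableVerify": True, "caCertSecretRef": "corp-ca"}}}

if __name__ == "__main__":
    for m in (PINNED_SAME, SHARED_PINNED, PLAINTEXT):
        print(m["metadata"]["name"], lint_remote_mcp_server(m))
```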