Merge branch 'main' into feat/skills-with-imagepullsecrets

Author: EItanya

.github/release.yml

@@ -0,0 +1,29 @@
+# Configuration for GitHub's auto-generated release notes.
+# See: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+
+changelog:
+  exclude:
+    labels:
+      - "duplicate"
+      - "invalid"
+      - "wontfix"
+      - "stale"
+  categories:
+    - title: "Features"
+      labels:
+        - "enhancement"
+    - title: "Bug Fixes"
+      labels:
+        - "bug"
+    - title: "Documentation"
+      labels:
+        - "documentation"
+    - title: "Testing"
+      labels:
+        - "testing"
+    - title: "Dependencies"
+      labels:
+        - "dependencies"
+    - title: "Other Changes"
+      labels:
+        - "*"

.github/workflows/ci.yaml

@@ -121,7 +121,6 @@ jobs:
         env:
           OPENAI_API_KEY: fake
           KAGENT_HELM_EXTRA_ARGS: >-
-            --set rbac.clusterScoped=false
             --set 'rbac.namespaces={kagent}'
         run: |
           # Upgrade helm to use namespace-scoped RBAC

.github/workflows/conventional-label.yml

@@ -0,0 +1,22 @@
+name: Conventional Commit Labels
+
+on:
+  pull_request_target:
+    types: [opened, edited]
+
+jobs:
+  label-by-title:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: bcoe/conventional-release-labels@v1
+        with:
+          type_labels: |
+            {
+              "feat": "enhancement",
+              "fix": "bug",
+              "docs": "documentation",
+              "test": "testing"
+            }

DEVELOPMENT.md

@@ -17,7 +17,7 @@ Before you can run kagent in Kubernetes, you need to have the following tools in
 - **Kind** (v0.27.0+)
 - **kubectl** (v1.33.4+)
 - **Helm**
-- **Go** (v1.24.6+)
+- **Go** (v1.26.1+)
 - **Docker**
 - **Docker Buildx** (v0.23.0+)
 - **Make**

go/adk/pkg/a2a/server/server.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"os/signal"
@@ -59,7 +60,7 @@ func NewA2AServer(agentCard a2atype.AgentCard, executor a2asrv.AgentExecutor, lo
 
 	addr := ":" + config.Port
 	if config.Host != "" {
-		addr = config.Host + ":" + config.Port
+		addr = net.JoinHostPort(config.Host, config.Port)
 	}
 
 	return &A2AServer{

go/adk/pkg/agent/agent.go

@@ -312,6 +312,16 @@ func CreateLLM(ctx context.Context, m adk.Model, log logr.Logger) (adkmodel.LLM,
 		}
 		return models.NewAnthropicVertexAIModelWithLogger(ctx, cfg, region, project, log)
 
+	case *adk.SAPAICore:
+		cfg := models.SAPAICoreConfig{
+			Model:         m.Model,
+			BaseUrl:       m.BaseUrl,
+			ResourceGroup: m.ResourceGroup,
+			AuthUrl:       m.AuthUrl,
+			Headers:       extractHeaders(m.Headers),
+		}
+		return models.NewSAPAICoreModelWithLogger(cfg, log)
+
 	default:
 		return nil, fmt.Errorf("unsupported model type: %s", m.GetType())
 	}

go/adk/pkg/models/sapaicore.go

@@ -0,0 +1,188 @@
+package models
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/go-logr/logr"
+)
+
+type SAPAICoreConfig struct {
+	Model         string
+	BaseUrl       string
+	ResourceGroup string
+	AuthUrl       string
+	Headers       map[string]string
+}
+
+type SAPAICoreModel struct {
+	Config SAPAICoreConfig
+	Logger logr.Logger
+
+	mu              sync.Mutex
+	token           string
+	tokenExpiresAt  time.Time
+	deploymentURL   string
+	deploymentURLAt time.Time
+	httpClient      *http.Client
+}
+
+func NewSAPAICoreModelWithLogger(config SAPAICoreConfig, logger logr.Logger) (*SAPAICoreModel, error) {
+	if config.BaseUrl == "" {
+		return nil, fmt.Errorf("SAP AI Core requires base_url")
+	}
+	if config.ResourceGroup == "" {
+		config.ResourceGroup = "default"
+	}
+	return &SAPAICoreModel{
+		Config:     config,
+		Logger:     logger,
+		httpClient: &http.Client{Timeout: 5 * time.Minute},
+	}, nil
+}
+
+func (m *SAPAICoreModel) ensureToken(ctx context.Context) (string, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.token != "" && time.Now().Before(m.tokenExpiresAt.Add(-2*time.Minute)) {
+		return m.token, nil
+	}
+
+	clientID := os.Getenv("SAP_AI_CORE_CLIENT_ID")
+	clientSecret := os.Getenv("SAP_AI_CORE_CLIENT_SECRET")
+	if m.Config.AuthUrl == "" || clientID == "" || clientSecret == "" {
+		return "", fmt.Errorf("SAP AI Core requires auth_url + SAP_AI_CORE_CLIENT_ID/SECRET env vars")
+	}
+
+	tokenURL := strings.TrimRight(m.Config.AuthUrl, "/")
+	if !strings.HasSuffix(tokenURL, "/oauth/token") {
+		tokenURL += "/oauth/token"
+	}
+
+	formData := url.Values{
+		"grant_type":    {"client_credentials"},
+		"client_id":     {clientID},
+		"client_secret": {clientSecret},
+	}
+	req, err := http.NewRequestWithContext(ctx, "POST", tokenURL, strings.NewReader(formData.Encode()))
+	if err != nil {
+		return "", fmt.Errorf("failed to create OAuth2 token request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := m.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("OAuth2 token request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", &orchHTTPError{StatusCode: resp.StatusCode, URL: tokenURL}
+	}
+
+	var tokenResp struct {
+		AccessToken string `json:"access_token"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return "", fmt.Errorf("failed to decode OAuth2 token response: %w", err)
+	}
+
+	m.token = tokenResp.AccessToken
+	if tokenResp.ExpiresIn > 0 {
+		m.tokenExpiresAt = time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)
+	} else {
+		m.tokenExpiresAt = time.Now().Add(12 * time.Hour)
+	}
+	return m.token, nil
+}
+
+func (m *SAPAICoreModel) invalidateToken() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.token = ""
+	m.tokenExpiresAt = time.Time{}
+}
+
+func (m *SAPAICoreModel) resolveDeploymentURL(ctx context.Context) (string, error) {
+	m.mu.Lock()
+	if m.deploymentURL != "" && time.Now().Before(m.deploymentURLAt.Add(time.Hour)) {
+		u := m.deploymentURL
+		m.mu.Unlock()
+		return u, nil
+	}
+	m.mu.Unlock()
+
+	token, err := m.ensureToken(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	reqURL := fmt.Sprintf("%s/v2/lm/deployments", m.Config.BaseUrl)
+	req, err := http.NewRequestWithContext(ctx, "GET", reqURL, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("AI-Resource-Group", m.Config.ResourceGroup)
+
+	resp, err := m.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("failed to list deployments: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", &orchHTTPError{StatusCode: resp.StatusCode, URL: reqURL}
+	}
+
+	var result struct {
+		Resources []struct {
+			ID            string `json:"id"`
+			ScenarioID    string `json:"scenarioId"`
+			Status        string `json:"status"`
+			DeploymentURL string `json:"deploymentUrl"`
+			CreatedAt     string `json:"createdAt"`
+		} `json:"resources"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", fmt.Errorf("failed to decode deployments: %w", err)
+	}
+
+	var best string
+	var bestCreated string
+	for _, d := range result.Resources {
+		if d.ScenarioID == "orchestration" && d.Status == "RUNNING" && d.DeploymentURL != "" {
+			if d.CreatedAt > bestCreated {
+				best = d.DeploymentURL
+				bestCreated = d.CreatedAt
+			}
+		}
+	}
+	if best == "" {
+		return "", fmt.Errorf("no running orchestration deployment found in SAP AI Core")
+	}
+
+	m.mu.Lock()
+	m.deploymentURL = best
+	m.deploymentURLAt = time.Now()
+	m.mu.Unlock()
+
+	m.Logger.Info("Resolved SAP AI Core orchestration deployment", "url", best)
+	return best, nil
+}
+
+func (m *SAPAICoreModel) invalidateDeploymentURL() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.deploymentURL = ""
+	m.deploymentURLAt = time.Time{}
+}