feat: add extraContainers to SharedDeploymentSpec for sidecar support#1724
Conversation
mesutoezdil
requested review from
EItanya,
ilackarms and
yuval-k
as code owners
mesutoezdil
force-pushed
the
feat/extra-containers-sidecar
branch
from
12f6a30 to
8adc35b
Compare
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support for running sidecar containers alongside the main kagent container by introducing an optional extraContainers field on SharedDeploymentSpec, wiring it through deployment resolution, and emitting it into the generated Pod spec.
Changes:
- Extend
SharedDeploymentSpecwithextraContainersto allow user-defined sidecars. - Propagate
extraContainersthrough both inline and BYO deployment resolution paths. - Update manifest building and golden test fixtures to include appended sidecar containers.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| go/api/v1alpha2/agent_types.go | Adds ExtraContainers to the public CRD API type. |
| go/core/internal/controller/translator/agent/deployments.go | Threads ExtraContainers into the resolved deployment model. |
| go/core/internal/controller/translator/agent/manifest_builder.go | Appends ExtraContainers after the primary kagent container in the Pod spec. |
| go/core/internal/controller/translator/agent/testdata/inputs/agent_with_extra_containers.yaml | Adds a new golden input covering sidecar configuration. |
| go/core/internal/controller/translator/agent/testdata/outputs/agent_with_extra_containers.json | Adds the expected rendered manifests including the sidecar container. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| PodSecurityContext: spec.PodSecurityContext, | ||
| ServiceAccountName: spec.ServiceAccountName, | ||
| ServiceAccountConfig: spec.ServiceAccountConfig, | ||
| ExtraContainers: slices.Clone(spec.ExtraContainers), |
There was a problem hiding this comment.
There is no validation preventing extraContainers from using the reserved name kagent (or causing duplicate container names). If a user sets a sidecar name that duplicates the primary container (or another sidecar), the generated PodSpec will be rejected by Kubernetes and reconciliation will fail. Consider adding validation during resolve (or API validation) to reject ExtraContainers entries with Name == \"kagent\" and to enforce uniqueness across all container names.
There was a problem hiding this comment.
Fixed in a71c636. Added validateExtraContainers which returns an error if any extra container uses the reserved name "kagent" or if two extra containers share the same name. The check runs in both resolveInlineDeployment and resolveByoDeployment before the slice is cloned. Five unit tests cover the cases: empty list, normal names, reserved name, duplicates, and mixed.
| // +optional | ||
| ServiceAccountConfig *ServiceAccountConfig `json:"serviceAccountConfig,omitempty"` | ||
| // ExtraContainers is a list of additional containers to run alongside the main agent container. | ||
| // Useful for sidecars such as token proxies, log shippers, or security agents. |
There was a problem hiding this comment.
Exposing []corev1.Container directly in a CRD can significantly bloat the generated OpenAPI schema and can also prune unknown/newer container fields (apiserver schema-pruning) as Kubernetes evolves. To avoid CRD size/compatibility issues, consider marking this field as schemaless / preserve-unknown-fields (kubebuilder marker) or switching to a slimmer custom sidecar spec / raw JSON representation, depending on how strictly you want to validate user input.
| // Useful for sidecars such as token proxies, log shippers, or security agents. | |
| // Useful for sidecars such as token proxies, log shippers, or security agents. | |
| // Preserve unknown/newer container fields in the CRD schema to avoid pruning as Kubernetes evolves. | |
| // +kubebuilder:validation:Schemaless | |
| // +kubebuilder:pruning:PreserveUnknownFields |
mesutoezdil
force-pushed
the
feat/extra-containers-sidecar
branch
from
38a8e92 to
d032b2a
Compare
Adds an optional extraContainers field to SharedDeploymentSpec so users can inject sidecar containers (token proxies, log shippers, etc.) alongside the main agent container. The extra containers are appended after the primary kagent container in the pod spec. Closes kagent-dev#1646 Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
mesutoezdil
force-pushed
the
feat/extra-containers-sidecar
branch
from
d032b2a to
4c5f0c1
Compare
EItanya
requested review from
iplay88keys,
jmhbh and
supreme-gg-gg
as code owners
Without this check a user could set an extra container named "kagent", which would produce a pod with two containers sharing the same name. Kubernetes rejects such pods, leaving the agent stuck in a reconcile loop. validateExtraContainers now returns an error early in both resolveInlineDeployment and resolveByoDeployment when any extra container uses the reserved name "kagent" or when two extra containers share a name. Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
Closes #1646.
There's currently no way to run a sidecar container alongside the main agent pod. This adds an optional
extraContainersfield toSharedDeploymentSpecso users can inject things like token proxies, log shippers, or any other helper container.The field is optional and defaults to empty, so existing agents are unaffected. When set, the extra containers are appended after the primary
kagentcontainer in the pod spec.Changes:
ExtraContainers []corev1.ContainertoSharedDeploymentSpecinagent_types.goresolvedDeploymentstruct indeployments.gofor both inline and BYO pathsmanifest_builder.goto append the extra containers to the pod specExample: