Epic: GitHub Issue Agent End-to-End Deployment Blockers
This epic tracks all issues discovered during end-to-end testing of the
GitHub Issue Agent with AuthBridge (UI deployment flow). These issues
span multiple repositories and must all be addressed for the demo to work
reliably.
Current Blockers (agent cannot function)
- agent-examples#175 — GitHub tool MCP server rejects null for optional parameters
  - Repo: kagenti/agent-examples
  - Fix: agent-examples#176 — Strip nil arguments before forwarding
  - Impact: Every `list_issues` call fails because OpenAI sends `null` for optional params and the Go MCP server rejects them
  - Severity: Blocker — agent cannot execute any tool calls
  - Status: ✅ Fixed — PR merged, issue closed
- agent-examples#174 — Git issue agent .env.openai missing LLM_API_BASE and uses wrong model
  - Repo: kagenti/agent-examples
  - Fix: agent-examples#177 — Add LLM_API_BASE and fix model name
  - Impact: Agent sends OpenAI requests to Ollama endpoint (default `http://host.docker.internal:11434`), resulting in 404
  - Severity: Blocker — agent cannot reach LLM
  - Status: ✅ Fixed — PR merged, issue closed
- agent-examples#173 — Git issue agent fails with Ollama models after crewai 1.10.1 upgrade
  - Repo: kagenti/agent-examples
  - Impact: Ollama models produce text-based ReAct output instead of structured function calls; `Instructor does not support multiple tool calls` errors
  - Severity: Blocker for Ollama users — OpenAI works as a workaround (once #174 and #175 are fixed)
  - Status: Open — no fix yet, OpenAI recommended as workaround
Infrastructure Issues
- kagenti#958 — UI-created workloads get incorrect SPIFFE ID due to missing serviceAccountName
  - Repo: kagenti/kagenti
  - Fix: kagenti#959 — Sets `serviceAccountName` and creates ServiceAccount in UI backend
  - Impact: Token exchange fails because Keycloak client is registered under wrong SPIFFE ID (includes ReplicaSet hash)
  - Severity: Blocker — token exchange always fails for UI-deployed agents
  - Status: ✅ Fixed — PR merged, issue closed
- kagenti-extensions#235 — OUTBOUND_PORTS_EXCLUDE should be configurable via annotation or ConfigMap
  - Repo: kagenti/kagenti-extensions
  - Fix: kagenti-extensions#240 — Add `kagenti.io/outbound-ports-exclude` annotation support
  - Impact: Ollama traffic on port 11434 intercepted by Envoy, corrupting LLM streaming responses
  - Severity: Blocker for Ollama users — requires manual iptables workaround
  - Status: PR open, pending review
Documentation Updates
- kagenti-extensions#236 — Docs: Remove redundant keycloak-admin-secret creation + add OpenAI/Ollama sections
  - Repo: kagenti/kagenti-extensions
  - Changes: Updated both weather-agent and github-issue demo docs:
    - Added OpenAI as Option B (recommended) alongside Ollama
    - Added Ollama port exclusion workaround
    - Fixed JWT base64url decoding (added padding + `tr` for scope display)
    - Removed redundant keycloak-admin-secret creation step
  - Status: ✅ Merged
All PRs
| PR | Repo | Fixes | Status |
|---|---|---|---|
| #176 | agent-examples | #175 (null params) | ✅ Merged |
| #177 | agent-examples | #174 (LLM_API_BASE) | ✅ Merged |
| #959 | kagenti | #958 (ServiceAccount) | ✅ Merged |
| #236 | kagenti-extensions | Docs | ✅ Merged |
| #240 | kagenti-extensions | #235 (port exclude) | Open |
Dependency Graph
For the GitHub Issue Agent to work end-to-end:
- kagenti#959 (ServiceAccount fix) — MERGED
  - Enables correct SPIFFE ID, correct Keycloak client, token exchange works
- agent-examples#176 (null params) — MERGED
  - Enables MCP tool calls to succeed through Envoy
- agent-examples#177 (LLM_API_BASE) — MERGED
  - Enables OpenAI requests to reach api.openai.com
- kagenti-extensions#240 (port exclude annotation) — OPEN
  - Enables Ollama traffic to bypass Envoy via annotation
- agent-examples#173 (crewai+Ollama) — OPEN (no fix yet)
  - Enables reliable function calling with local models
Progress Summary
OpenAI path: fully unblocked — All 4 required fixes (#959, #176, #177, #236) are merged. The GitHub Issue Agent works end-to-end with OpenAI.
Ollama path: 2 remaining issues — #240 (port exclusion annotation) is open with PR ready for review. #173 (crewai+Ollama compatibility) has no fix yet; OpenAI is the recommended workaround.
Testing Checklist
Once all fixes are merged:
- Deploy github-tool via UI (no AuthBridge sidecars)
- Deploy git-issue-agent via UI (with AuthBridge + SPIRE)
- Verify SPIFFE ID is `spiffe://localtest.me/ns/team1/sa/git-issue-agent` (no hash)
- Verify token exchange succeeds in envoy-proxy logs
- Test agent card endpoint (Step 9a — no token)
- Test inbound rejection (Step 9b/9c — no/invalid token)
- Test end-to-end with valid token (Step 9d)
- Test Alice vs Bob access control (Step 10c/10d)
- Verify scope-based PAT selection in tool logs (Step 10e)
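
Added example, not part of this issue or of the demo docs: shell helpers for the checklist's token and SPIFFE ID checks, using the base64url handling the docs fix describes (`tr` plus restored padding). All function names, the sample token and its scope names are constructed for illustration.

```sh
# Decoding only displays claims; it does not verify the token's signature.

# Decode one base64url JWT segment: tr maps the URL-safe alphabet back to
# standard base64, then the '=' padding that JWTs strip is restored.
b64url_decode() (
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) exit 1 ;;                      # impossible length for base64
  esac
  printf '%s' "$s" | base64 -d
)

# Print the JSON payload (second of exactly three segments) of a compact JWT.
jwt_payload() (
  case "$1" in *.*.*.*) exit 1 ;; *.*.*) ;; *) exit 1 ;; esac
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
)

# Succeed only if the space-delimited "scope" claim contains scope $2.
jwt_has_scope() (
  scopes=$(jwt_payload "$1" |
    sed -n 's/.*"scope"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p') || exit 1
  case " $scopes " in *" $2 "*) exit 0 ;; *) exit 1 ;; esac
)

# Succeed only if SPIFFE ID $1 is exactly the service-account form the
# checklist expects: spiffe://<trust domain>/ns/<namespace>/sa/<account>.
spiffe_id_is_sa() (
  [ "$1" = "spiffe://$2/ns/$3/sa/$4" ]
)

# Constructed sample token (unsigned; subject and scope names are made up).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_PAYLOAD='{"sub":"alice","scope":"openid github-full-access"}'
SAMPLE_JWT="$(b64url '{"alg":"none"}').$(b64url "$SAMPLE_PAYLOAD").sig"

jwt_payload "$SAMPLE_JWT"; echo
spiffe_id_is_sa "spiffe://localtest.me/ns/team1/sa/git-issue-agent" \
  localtest.me team1 git-issue-agent && echo "SPIFFE ID ok"
```

The exact-match comparison in `spiffe_id_is_sa` rejects any ID that carries extra path components or a suffix on the service account name.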