Quick Start with Core Profile
This guide walks through the smallest possible end-to-end deployment on the Kagenti Operator's core profile — the default install shape with agent enrollment and dynamic discovery, but no identity sidecars, no Keycloak, and no mesh mTLS. It is the fastest way to prove your operator install works and to become familiar with the AgentRuntime custom resource before layering on the secure profile.
The scenario is a weather agent that answers questions like "What is the weather in New York?" by calling a weather MCP tool for live data and a large language model to compose the reply. The request flow is:
Under the core profile there is no authentication or transport security — every step below is a plain in-cluster HTTP call. For the secured version (Bearer-token requests, SPIRE mTLS, an AuthBridge sidecar per agent), continue to Demo with Secure Profile after this guide.
TOC
PrerequisitesFind your model endpoint and nameStep 1: Deploy the MCP tool serverStep 2: Deploy the agentStep 3: Check statusStep 4: Send a query (end-to-end test)Updating and deleting an AgentRuntimeClean upNext stepsTroubleshootingPrerequisites
-
Kagenti Operator is installed and its
Kagentioperand is reconciled — see Installation. -
kubectlaccess to the target cluster. -
A demo namespace. This guide uses
team1: -
An InferenceService that serves an OpenAI-compatible chat API, reachable in-cluster. This guide uses an InferenceService named
qwen36-27b-gguf. Any chat model works; agent quality improves with a tool-calling-capable model.
Find your model endpoint and name
The agent connects to the model with three environment variables — LLM_API_BASE, LLM_API_KEY, and LLM_MODEL. Resolve them from your InferenceService:
For the qwen36-27b-gguf InferenceService deployed in namespace models, that resolves to:
Substitute your own InferenceService name, namespace, and model id throughout this guide. If the model is a reasoning model, the first tokens of a response are reasoning content — keep the agent's token budget unconstrained (as below) so the final answer is not truncated.
Step 1: Deploy the MCP tool server
The MCP (Model Context Protocol) server provides the get_weather tool the agent calls. Deploy it and expose it with a Service. On the core profile the tool runs as a plain Deployment (single container, no sidecar); the same layout is used again unchanged under the secure profile since the operand default is spec.featureGates.injectTools: false.
- The MCP server image, mirrored to
docker.io/alaudadockerhub. On an air-gapped cluster use the copy relocated into your platform registry. - The Service the agent will reach at
http://weather-tool-mcp.team1.svc.cluster.local:8000/mcp. The operator does not create this Service for you, so you define it explicitly and select the tool's pods.
Wait for the tool to be ready:
READY 1/1 confirms the tool is running as a single container.
Step 2: Deploy the agent
The agent only needs a protocol.kagenti.io/a2a label on its Deployment — the controller applies kagenti.io/type, computes a config hash, and (when the identity stack is enabled) triggers sidecar injection. The protocol label also tells the AgentCard sync controller which protocol the agent speaks, enabling automatic discovery.
protocol.kagenti.io/a2a: ""marks the Deployment as an A2A agent. It enables automaticAgentCardcreation; aValidatingAdmissionPolicyforbids settingkagenti.io/typedirectly, so enrollment must go through theAgentRuntime.- The agent image, mirrored to
docker.io/alaudadockerhub. Usev0.1.0or later — these readHOST/PORTfrom the environment, which is required under the secure profile (the AuthBridge sidecar remaps the app port). MCP_URL— the MCP tool endpoint from Step 1 (the Service name with the/mcppath).LLM_API_BASE— the OpenAI-compatible base URL of your InferenceService predictor (.../v1).LLM_MODEL— the model id served by the InferenceService.
The agent's Service is named after the Deployment (weather-agent); the AgentRuntime controller resolves it to fetch the Agent Card for discovery.
When the AgentRuntime is created, the controller will:
- Resolve
targetRefand verify the Deployment exists. - Apply
kagenti.io/type: agentandapp.kubernetes.io/managed-by: kagenti-operatorlabels. - Compute a config hash and set it as a
kagenti.io/config-hashannotation on the pod template, triggering a rolling update.
Step 3: Check status
SYNCED=True with the AGENT column populated (here Weather Assistant) confirms the sync controller fetched the agent's A2A card — dynamic discovery is working.
Step 4: Send a query (end-to-end test)
Send an A2A message/send request to the agent from a temporary in-cluster pod, using the agent's internal Service DNS name:
The agent calls the model, the model invokes the weather MCP tool, and the agent returns a completed A2A task:
The history array in the full response shows the tool-calling flow (assistant → tools → assistant), including the ToolMessage returned by the weather MCP server.
A reasoning model spends its first tokens "thinking" before the final answer, so the first request may take noticeably longer than a non-reasoning model. Subsequent requests are faster.
You can watch the interaction in the logs:
Updating and deleting an AgentRuntime
Platform configuration changes (cluster or namespace ConfigMaps) trigger a rolling update so pods pick up new settings. Editing the AgentRuntime spec itself does not force a restart — new values are applied at pod creation time.
Deleting the AgentRuntime performs a graceful cleanup: the controller removes the kagenti.io/type label and the kagenti.io/config-hash annotation (triggering a rolling update so any injected pods are replaced) and the app.kubernetes.io/managed-by label.
Clean up
Next steps
The core profile you just exercised has no authentication or transport security. To layer those on:
- Install the Secure-Profile Dependencies — SPIRE, Keycloak, Istio ambient.
- Enable the Secure Profile — flip the operand feature gates.
- Demo with Secure Profile — re-run the same weather scenario with an AuthBridge sidecar on the agent, a SPIRE SVID per workload, and Bearer-token-authenticated requests.
- Demo Advanced: AuthBridge on the Tool with Token Exchange — add AuthBridge to the tool too, with RFC 8693 token exchange between agent and tool.