Add ToolGateway reference support to ToolServer (#67)

* Initial plan

* Add ToolGateway reference support to ToolServer CRD

Co-authored-by: g3force <779094+g3force@users.noreply.github.com>

* Fix tests: add required Protocol field to ToolServer specs

Co-authored-by: g3force <779094+g3force@users.noreply.github.com>

* Address code review: use defaultToolGatewayNamespace constant in tests

Co-authored-by: g3force <779094+g3force@users.noreply.github.com>

* Fix test cleanup to prevent cross-test pollution

The tests were failing in CI because other test files (specifically
agent_tool_test.go) create ToolServers in various namespaces that
weren't being cleaned up between tests. This caused the
findToolServersReferencingToolGateway tests to find more ToolServers
than expected.

Changed the AfterEach cleanup to delete ALL ToolServers and
ToolGateways across all namespaces, rather than just specific
namespaces, to ensure complete isolation between tests.

Co-authored-by: g3force <779094+g3force@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: g3force <779094+g3force@users.noreply.github.com>

Author: Copilot

api/v1alpha1/toolserver_types.go

@@ -82,6 +82,13 @@ type ToolServerSpec struct {
 	// Resources defines the compute resource requirements for the tool server container.
 	// +optional
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	// ToolGatewayRef references a ToolGateway resource that this tool server should use for routing.
+	// If not specified, the operator will attempt to find the default ToolGateway in the cluster.
+	// If no default ToolGateway exists, the tool server will run without a Tool Gateway.
+	// If Namespace is not specified, defaults to the same namespace as the ToolServer.
+	// +optional
+	ToolGatewayRef *corev1.ObjectReference `json:"toolGatewayRef,omitempty"`
 }
 
 // ToolServerStatus defines the observed state of ToolServer.
@@ -93,12 +100,19 @@ type ToolServerStatus struct {
 	// Format: http://{name}.{namespace}.svc.cluster.local:{port}{path}
 	// +optional
 	Url string `json:"url,omitempty"`
+
+	// ToolGatewayRef references the ToolGateway resource that this tool server is connected to.
+	// This field is automatically populated by the controller when a Tool Gateway is being used.
+	// If nil, the tool server is not connected to any Tool Gateway.
+	// +optional
+	ToolGatewayRef *corev1.ObjectReference `json:"toolGatewayRef,omitempty"`
 }
 
 // ToolServer is the Schema for the toolservers API.
 //
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Tool Gateway",type=string,JSONPath=".status.toolGatewayRef.name"
 type ToolServer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -14,7 +14,11 @@ spec:
     singular: toolserver
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .status.toolGatewayRef.name
+      name: Tool Gateway
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: ToolServer is the Schema for the toolservers API.
@@ -354,6 +358,53 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
+              toolGatewayRef:
+                description: |-
+                  ToolGatewayRef references a ToolGateway resource that this tool server should use for routing.
+                  If not specified, the operator will attempt to find the default ToolGateway in the cluster.
+                  If no default ToolGateway exists, the tool server will run without a Tool Gateway.
+                  If Namespace is not specified, defaults to the same namespace as the ToolServer.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: |-
+                      If referring to a piece of an object instead of an entire object, this string
+                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within a pod, this would take on a value like:
+                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]" (container with
+                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                      referencing a part of an object.
+                    type: string
+                  kind:
+                    description: |-
+                      Kind of the referent.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                    type: string
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                    type: string
+                  resourceVersion:
+                    description: |-
+                      Specific resourceVersion to which this reference is made, if any.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                    type: string
+                  uid:
+                    description: |-
+                      UID of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               transportType:
                 default: http
                 description: |-
@@ -428,6 +479,52 @@ spec:
                   - type
                   type: object
                 type: array
+              toolGatewayRef:
+                description: |-
+                  ToolGatewayRef references the ToolGateway resource that this tool server is connected to.
+                  This field is automatically populated by the controller when a Tool Gateway is being used.
+                  If nil, the tool server is not connected to any Tool Gateway.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: |-
+                      If referring to a piece of an object instead of an entire object, this string
+                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within a pod, this would take on a value like:
+                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]" (container with
+                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                      referencing a part of an object.
+                    type: string
+                  kind:
+                    description: |-
+                      Kind of the referent.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                    type: string
+                  name:
+                    description: |-
+                      Name of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                    type: string
+                  resourceVersion:
+                    description: |-
+                      Specific resourceVersion to which this reference is made, if any.
+                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                    type: string
+                  uid:
+                    description: |-
+                      UID of the referent.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
               url:
                 description: |-
                   Url is the cluster-local URL where this tool server can be accessed

config/crd/bases/runtime.agentic-layer.ai_toolservers.yaml

@@ -64,6 +64,7 @@ rules:
   - runtime.agentic-layer.ai
   resources:
   - aigateways
+  - toolgateways
   verbs:
   - get
   - list

config/rbac/role.yaml

@@ -33,6 +33,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -51,6 +52,7 @@ type ToolServerReconciler struct {
 // +kubebuilder:rbac:groups=runtime.agentic-layer.ai,resources=toolservers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=runtime.agentic-layer.ai,resources=toolservers/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=runtime.agentic-layer.ai,resources=toolservers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=runtime.agentic-layer.ai,resources=toolgateways,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch;delete
 
@@ -75,6 +77,13 @@ func (r *ToolServerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	log.Info("Reconciling ToolServer")
 
+	// Resolve ToolGateway (optional - returns nil if not found)
+	toolGateway, err := r.resolveToolGateway(ctx, &toolServer)
+	if err != nil {
+		log.Error(err, "Failed to resolve ToolGateway")
+		return ctrl.Result{}, err
+	}
+
 	// Ensure Deployment exists and is up to date for http/sse transports
 	if err := r.ensureDeployment(ctx, &toolServer); err != nil {
 		log.Error(err, "Failed to ensure Deployment")
@@ -94,7 +103,7 @@ func (r *ToolServerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 	}
 
 	// Update ToolServer status to Ready (optimistic)
-	if err := r.updateToolServerStatusReady(ctx, &toolServer); err != nil {
+	if err := r.updateToolServerStatusReady(ctx, &toolServer, toolGateway); err != nil {
 		log.Error(err, "Failed to update ToolServer status")
 		return ctrl.Result{}, err
 	}
@@ -104,12 +113,25 @@ func (r *ToolServerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *ToolServerReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
+	log := logf.FromContext(context.Background())
+
+	builder := ctrl.NewControllerManagedBy(mgr).
 		For(&runtimev1alpha1.ToolServer{}).
 		Owns(&appsv1.Deployment{}).
-		Owns(&corev1.Service{}).
-		Named("toolserver").
-		Complete(r)
+		Owns(&corev1.Service{})
+
+	// Only watch ToolGateway if the CRD is installed
+	if isToolGatewayCRDInstalled(mgr) {
+		log.Info("ToolGateway CRD detected, enabling watch")
+		builder = builder.Watches(
+			&runtimev1alpha1.ToolGateway{},
+			handler.EnqueueRequestsFromMapFunc(r.findToolServersReferencingToolGateway),
+		)
+	} else {
+		log.Info("ToolGateway CRD not installed, skipping watch (tool server will work without Tool Gateway integration)")
+	}
+
+	return builder.Named("toolserver").Complete(r)
 }
 
 // ensureDeployment ensures the Deployment for the ToolServer exists and is up to date
@@ -283,8 +305,8 @@ func (r *ToolServerReconciler) buildReadinessProbe(port int32) *corev1.Probe {
 	}
 }
 
-// updateToolServerStatusReady sets the ToolServer status to Ready and updates the URL
-func (r *ToolServerReconciler) updateToolServerStatusReady(ctx context.Context, toolServer *runtimev1alpha1.ToolServer) error {
+// updateToolServerStatusReady sets the ToolServer status to Ready and updates the URL and ToolGatewayRef
+func (r *ToolServerReconciler) updateToolServerStatusReady(ctx context.Context, toolServer *runtimev1alpha1.ToolServer, toolGateway *runtimev1alpha1.ToolGateway) error {
 	// Build URL for http/sse transports
 	if toolServer.Spec.TransportType == httpTransport || toolServer.Spec.TransportType == sseTransport {
 		toolServer.Status.Url = fmt.Sprintf("http://%s.%s.svc.cluster.local:%d%s",
@@ -293,6 +315,18 @@ func (r *ToolServerReconciler) updateToolServerStatusReady(ctx context.Context,
 		toolServer.Status.Url = ""
 	}
 
+	// Set ToolGatewayRef if a Tool Gateway is being used
+	if toolGateway != nil {
+		toolServer.Status.ToolGatewayRef = &corev1.ObjectReference{
+			Kind:       "ToolGateway",
+			Namespace:  toolGateway.Namespace,
+			Name:       toolGateway.Name,
+			APIVersion: runtimev1alpha1.GroupVersion.String(),
+		}
+	} else {
+		toolServer.Status.ToolGatewayRef = nil
+	}
+
 	// Set Ready condition to True
 	meta.SetStatusCondition(&toolServer.Status.Conditions, metav1.Condition{
 		Type:               "Ready",
@@ -311,6 +345,9 @@ func (r *ToolServerReconciler) updateToolServerStatusReady(ctx context.Context,
 
 // updateToolServerStatusNotReady sets the ToolServer status to not Ready
 func (r *ToolServerReconciler) updateToolServerStatusNotReady(ctx context.Context, toolServer *runtimev1alpha1.ToolServer, reason, message string) error {
+	// Clear the ToolGatewayRef since the tool server is not ready
+	toolServer.Status.ToolGatewayRef = nil
+
 	// Set Ready condition to False
 	meta.SetStatusCondition(&toolServer.Status.Conditions, metav1.Condition{
 		Type:               "Ready",
@@ -346,3 +383,10 @@ func getOrDefaultToolServerResourceRequirements(toolServer *runtimev1alpha1.Tool
 		},
 	}
 }
+
+// isToolGatewayCRDInstalled checks if the ToolGateway CRD is installed in the cluster
+func isToolGatewayCRDInstalled(mgr ctrl.Manager) bool {
+	gvk := runtimev1alpha1.GroupVersion.WithKind("ToolGateway")
+	_, err := mgr.GetRESTMapper().RESTMapping(gvk.GroupKind(), gvk.Version)
+	return err == nil
+}