fixes

Author: Collin Walker

docs/troubleshooting/ssl-errors.md

@@ -47,7 +47,7 @@ stringData:
   key: sk-litellm-1234567890abcdef  # Replace with your actual API key
 
 ---
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: litellm-internal
@@ -71,12 +71,13 @@ spec:
     caCertSecretRef: litellm-ca-cert
     caCertSecretKey: ca.crt
 
-    # Trust both system CAs and custom CA (recommended)
+    # Trust both system CAs and custom CA (recommended, default behavior)
+    # When false (default), system CAs are used for verification (safe behavior)
     # This allows connecting to both public services and internal services
-    useSystemCAs: true
+    disableSystemCAs: false
 
     # Verification is enabled (secure)
-    verifyDisabled: false
+    disableVerify: false
 
 ---
 # Example 2: Multiple CA Certificates (Certificate Bundle)
@@ -106,7 +107,7 @@ stringData:
     -----END CERTIFICATE-----
 
 ---
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: corporate-llm
@@ -121,8 +122,8 @@ spec:
   tls:
     caCertSecretRef: corporate-ca-bundle
     caCertSecretKey: ca-bundle.crt  # Reference the bundle key
-    useSystemCAs: true
-    verifyDisabled: false
+    disableSystemCAs: false  # Use system CAs (default, safe behavior)
+    disableVerify: false
 
 ---
 # Example 3: Custom CA Only (No System CAs)
@@ -144,7 +145,7 @@ stringData:
     -----END CERTIFICATE-----
 
 ---
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: strict-internal-llm
@@ -161,10 +162,11 @@ spec:
     caCertSecretKey: ca.crt
 
     # Only trust custom CA, not system CAs
+    # When true, system CAs are disabled (only custom CA is trusted)
     # This prevents connections to public services
-    useSystemCAs: false
+    disableSystemCAs: true
 
-    verifyDisabled: false
+    disableVerify: false
 
 ---
 # Example 4: Verification Disabled (Development/Testing Only)
@@ -175,7 +177,7 @@ spec:
 # Use Case: Local development where you want to quickly test without
 # managing certificates, or testing against a server with invalid certificates.
 
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: litellm-dev
@@ -189,9 +191,9 @@ spec:
     baseUrl: https://localhost:8080
   tls:
     # Disable all SSL verification (insecure!)
-    verifyDisabled: true
+    disableVerify: true
 
-    # When verifyDisabled is true, other TLS fields are ignored
+    # When disableVerify is true, other TLS fields are ignored
     # No Secret is required in this mode
 
 # When this configuration is used, agents will log prominent warnings:
@@ -232,7 +234,7 @@ stringData:
   key: your-azure-api-key-here
 
 ---
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: azure-through-proxy
@@ -249,8 +251,8 @@ spec:
   tls:
     caCertSecretRef: azure-proxy-ca
     caCertSecretKey: ca.crt
-    useSystemCAs: true
-    verifyDisabled: false
+    disableSystemCAs: false  # Use system CAs (default, safe behavior)
+    disableVerify: false
 
 ---
 # Example 6: Default Configuration (No TLS)
@@ -268,7 +270,7 @@ stringData:
   key: sk-openai-1234567890abcdef
 
 ---
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: ModelConfig
 metadata:
   name: openai-public
@@ -289,7 +291,7 @@ spec:
 # Complete example showing how to create an Agent that uses a ModelConfig
 # with TLS configuration.
 
-apiVersion: kagent.dev/v1alpha1
+apiVersion: kagent.dev/v1alpha2
 kind: Agent
 metadata:
   name: internal-assistant
@@ -365,7 +367,7 @@ roleRef:
 #    - Never commit Secrets to Git (use sealed secrets or external secret management)
 #
 # 3. Security:
-#    - Always enable verification (verifyDisabled: false) in production
+#    - Always enable verification (disableVerify: false) in production
 #    - Use RBAC to limit Secret access to specific service accounts
 #    - Use namespace isolation for different environments
 #    - Monitor certificate expiry dates

docs/user-guide/modelconfig-tls.md

@@ -202,41 +202,6 @@ type OllamaConfig struct {
 
 type GeminiConfig struct{}
 
-// TLSConfig contains TLS/SSL configuration options for model provider connections.
-// This enables agents to connect to internal LiteLLM gateways or other providers
-// that use self-signed certificates or custom certificate authorities.
-type TLSConfig struct {
-	// VerifyDisabled disables SSL certificate verification entirely.
-	// WARNING: This should ONLY be used in development/testing environments.
-	// Production deployments MUST use proper certificates.
-	// +optional
-	// +kubebuilder:default=false
-	VerifyDisabled bool `json:"verifyDisabled,omitempty"`
-
-	// CACertSecretRef is a reference to a Kubernetes Secret containing
-	// CA certificate(s) in PEM format. The Secret must be in the same
-	// namespace as the ModelConfig.
-	// When set, the certificate will be used to verify the provider's SSL certificate.
-	// This field follows the same pattern as APIKeySecretRef.
-	// +optional
-	CACertSecretRef string `json:"caCertSecretRef,omitempty"`
-
-	// CACertSecretKey is the key within the Secret that contains the CA certificate data.
-	// This field follows the same pattern as APIKeySecretKey.
-	// Required when CACertSecretRef is set.
-	// +optional
-	// +kubebuilder:default="ca.crt"
-	CACertSecretKey string `json:"caCertSecretKey,omitempty"`
-
-	// UseSystemCAs determines whether to use system CA certificates in addition
-	// to custom CA certificates. When true, both system and custom CAs are trusted (additive).
-	// When false, only the custom CA from CACertSecretRef is trusted.
-	// This allows connecting to both public and internal services with a single configuration.
-	// +optional
-	// +kubebuilder:default=true
-	UseSystemCAs bool `json:"useSystemCAs,omitempty"`
-}
-
 // ModelConfigSpec defines the desired state of ModelConfig.
 //
 // +kubebuilder:validation:XValidation:message="provider.openAI must be nil if the provider is not OpenAI",rule="!(has(self.openAI) && self.provider != 'OpenAI')"
@@ -246,8 +211,6 @@ type TLSConfig struct {
 // +kubebuilder:validation:XValidation:message="provider.gemini must be nil if the provider is not Gemini",rule="!(has(self.gemini) && self.provider != 'Gemini')"
 // +kubebuilder:validation:XValidation:message="provider.geminiVertexAI must be nil if the provider is not GeminiVertexAI",rule="!(has(self.geminiVertexAI) && self.provider != 'GeminiVertexAI')"
 // +kubebuilder:validation:XValidation:message="provider.anthropicVertexAI must be nil if the provider is not AnthropicVertexAI",rule="!(has(self.anthropicVertexAI) && self.provider != 'AnthropicVertexAI')"
-// +kubebuilder:validation:XValidation:message="caCertSecretKey requires caCertSecretRef",rule="!(has(self.tls) && has(self.tls.caCertSecretKey) && self.tls.caCertSecretKey != '' && (!has(self.tls.caCertSecretRef) || self.tls.caCertSecretRef == ''))"
-// +kubebuilder:validation:XValidation:message="caCertSecretRef requires caCertSecretKey",rule="!(has(self.tls) && has(self.tls.caCertSecretRef) && self.tls.caCertSecretRef != '' && (!has(self.tls.caCertSecretKey) || self.tls.caCertSecretKey == ''))"
 type ModelConfigSpec struct {
 	Model string `json:"model"`
 
@@ -299,12 +262,6 @@ type ModelConfigSpec struct {
 	// Anthropic-specific configuration
 	// +optional
 	AnthropicVertexAI *AnthropicVertexAIConfig `json:"anthropicVertexAI,omitempty"`
-
-	// TLS configuration for provider connections.
-	// Enables agents to connect to internal LiteLLM gateways or other providers
-	// that use self-signed certificates or custom certificate authorities.
-	// +optional
-	TLS *TLSConfig `json:"tls,omitempty"`
 }
 
 // Model Configurations