Agent Tools Configuration
The following configurations can be used when creating the ToolConfig CR. These will be referenced from the Remediator CR.
GitHub
Using Nirmata App (Recommended)
Installing the Nirmata app:
- Configure the Nirmata app in your organization and provide access to the application repositories.
- Review the required permissions and grant access.
- To obtain the private key, reach out to the Nirmata team.
Create a Kubernetes secret to store the private key.

    kubectl create secret generic github-app-secret \
      --from-file=private-key.pem="/path/to/pem/file" \
      --from-literal=webhook-secret="mysecret" \
      --namespace=nirmata

Create the ToolConfig CR.

    apiVersion: serviceagents.nirmata.io/v1alpha1
    kind: ToolConfig
    metadata:
      name: toolconfig-sample
      namespace: nirmata
    spec:
      type: github
      credentials:
        method: app
        app:
          appId: APP_ID
          privateKeySecretRef:
            name: github-app-secret
            namespace: nirmata
            key: private-key.pem

Using Personal Access Token
Create a Kubernetes secret in the nirmata namespace with your GitHub Personal Access Token (PAT).

    kubectl create secret generic github-pat-token \
      --from-literal=token=GITHUB_PAT_TOKEN \
      --namespace nirmata

Create the ToolConfig CR.

    apiVersion: serviceagents.nirmata.io/v1alpha1
    kind: ToolConfig
    metadata:
      name: toolconfig-sample
      namespace: nirmata
    spec:
      type: github
      credentials:
        method: pat
        pat:
          tokenSecretRef:
            name: github-pat-token
            namespace: nirmata
            key: token

GitLab
Using Personal Access Token
Create a Kubernetes secret in the nirmata namespace with your GitLab Personal Access Token (PAT).

    kubectl create secret generic gitlab-pat-token \
      --from-literal=token=GITLAB_PAT_TOKEN \
      --namespace=nirmata

Create the ToolConfig CR.

    apiVersion: serviceagents.nirmata.io/v1alpha1
    kind: ToolConfig
    metadata:
      name: toolconfig-sample
      namespace: nirmata
    spec:
      type: gitlab
      credentials:
        method: pat
        pat:
          # Field name per the CRD reference: credentials.pat.tokenSecretRef
          tokenSecretRef:
            name: gitlab-pat-token
            namespace: nirmata
            key: token

Advanced Settings
Specifying PR defaults:
Use spec.defaults.git.pullRequests to specify any default behavior during PR creation. The following customizations are supported:

    defaults:
      git:
        pullRequests:
          branchPrefix: "remediation-"
          titleTemplate: "[Auto-Remediation] Fix policy violations: "
          commitMessageTemplate: "Auto-fix: Remediate policy violations: "

ToolConfig CRD Reference
This section provides a comprehensive reference for all fields in the ToolConfig Custom Resource Definition (CRD).
ToolConfigSpec
The ToolConfigSpec defines the desired state of a ToolConfig resource.
type (required)
Defines the tool/provider type.
Type: string (enum)
Valid Values:
- github - GitHub provider
- gitlab - GitLab provider
Example:

    spec:
      type: github

credentials (required)
Defines how the agent authenticates to the provider. Exactly one authentication method must be specified.
Type: Credentials
credentials.method (required)
Selects which authentication payload is used.
Type: string (enum)
Valid Values:
- pat - Personal Access Token authentication
- app - GitHub App authentication
credentials.pat (optional)
PAT-based authentication using Personal Access Token. Required when method is “pat”.
Type: PATCredentials
credentials.pat.tokenSecretRef (required)
Points to a Secret key containing the PAT token.
Type: SecretRef
Fields:
- name (required) - Name of the secret
- namespace (optional) - Namespace of the secret
- key (required) - Key within the secret
Example:

    credentials:
      method: pat
      pat:
        tokenSecretRef:
          name: github-pat-token
          namespace: nirmata
          key: token

credentials.app (optional)
GitHub App authentication using App ID and private key. Required when method is “app”.
Type: GitHubAppCredentials
credentials.app.appId (required)
The GitHub App ID.
Type: int64
credentials.app.installationId (optional)
The Installation ID for the target organization/repositories. If not specified, the controller will auto-discover the installation.
Type: int64
credentials.app.privateKeySecretRef (required)
Reference to a secret containing the private key.
Type: SecretRef
Example:

    credentials:
      method: app
      app:
        appId: 1819379
        privateKeySecretRef:
          name: github-app-private-key
          namespace: nirmata
          key: private-key.pem

defaults (optional)
Defines the default values for PRs/commits the agent will create.
Type: Defaults
defaults.git (optional)
Git-related defaults.
Type: GitDefaults
defaults.git.pullRequests (optional)
Pull request related defaults.
Type: PullRequestDefaults
Fields:
- branchPrefix (optional) - Prefix for pull request branches
- titleTemplate (optional) - Template for pull request titles
- commitMessageTemplate (optional) - Template for commit messages
Example:

    defaults:
      git:
        pullRequests:
          branchPrefix: "remediation-"
          titleTemplate: "[Auto-Remediation] Fix policy violations: "
          commitMessageTemplate: "Auto-fix: Remediate policy violations: "

ToolConfigStatus
The ToolConfigStatus defines the observed state of a ToolConfig resource.
Complete Example

    apiVersion: serviceagents.nirmata.io/v1alpha1
    kind: ToolConfig
    metadata:
      name: toolconfig-sample
      namespace: nirmata
    spec:
      type: github
      credentials:
        method: app
        app:
          appId: 1819379
          privateKeySecretRef:
            name: github-app-private-key
            namespace: nirmata
            key: private-key.pem
      defaults:
        git:
          pullRequests:
            branchPrefix: "remediation-"
            titleTemplate: "[Auto-Remediation] Fix policy violations: "
            commitMessageTemplate: "Auto-fix: Remediate policy violations: "

Validation Rules
The ToolConfig CRD includes validation rules:
- Authentication Method Exclusivity: Exactly one authentication method must be specified based on the method field
- Method-Payload Consistency: When method is “pat”, only the pat field should be set; when method is “app”, only the app field should be set
These validation rules ensure that the ToolConfig configuration is consistent and valid.
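
The rules above can also be checked before a manifest reaches the cluster, for example in CI. The following is an added example, not Nirmata's validation code: it applies the enum values, required fields and method-payload consistency rule from this page to a ToolConfig spec already parsed into a dict. The function name and the sample specs are assumptions made for illustration.

```python
# Added example: pre-flight check of a ToolConfig spec dict against this page's rules.
PROVIDER_TYPES = {"github", "gitlab"}
# method -> (payload field, SecretRef field inside that payload)
METHODS = {"pat": ("pat", "tokenSecretRef"), "app": ("app", "privateKeySecretRef")}


def validate_toolconfig_spec(spec):
    """Return a list of rule violations; an empty list means the spec passes."""
    errors = []
    if spec.get("type") not in PROVIDER_TYPES:
        errors.append("type must be one of: github, gitlab")
    creds = spec.get("credentials")
    if not isinstance(creds, dict):
        return errors + ["credentials is required"]
    method = creds.get("method")
    if method not in METHODS:
        return errors + ["credentials.method must be one of: app, pat"]
    payload_field, ref_field = METHODS[method]
    # Method-payload consistency: only the payload named by method may be set.
    for other, _ in METHODS.values():
        if other != payload_field and other in creds:
            errors.append(f"credentials.{other} must not be set when method is {method}")
    payload = creds.get(payload_field)
    if not isinstance(payload, dict):
        return errors + [f"credentials.{payload_field} is required when method is {method}"]
    if method == "app" and type(payload.get("appId")) is not int:
        errors.append("credentials.app.appId is required and must be an integer")
    ref = payload.get(ref_field)
    if not isinstance(ref, dict):
        return errors + [f"credentials.{payload_field}.{ref_field} is required"]
    for key in ("name", "key"):  # namespace is optional in SecretRef
        if not ref.get(key):
            errors.append(f"credentials.{payload_field}.{ref_field}.{key} is required")
    return errors


# Constructed sample specs (not taken from a real cluster).
VALID_APP = {"type": "github", "credentials": {"method": "app", "app": {
    "appId": 1819379, "privateKeySecretRef": {
        "name": "github-app-private-key", "namespace": "nirmata", "key": "private-key.pem"}}}}
MIXED = {"type": "github", "credentials": {"method": "pat",
    "pat": {"tokenSecretRef": {"name": "github-pat-token", "key": "token"}},
    "app": {"appId": 1819379}}}
PLACEHOLDER_ID = {"type": "github", "credentials": {"method": "app", "app": {
    "appId": "APP_ID", "privateKeySecretRef": {"name": "github-app-secret", "key": "private-key.pem"}}}}

if __name__ == "__main__":
    for name, spec in [("valid app", VALID_APP), ("mixed", MIXED), ("placeholder id", PLACEHOLDER_ID)]:
        print(name, "->", validate_toolconfig_spec(spec) or "ok")
```

The third sample shows a manifest applied with the APP_ID placeholder left in place, which fails because appId is typed int64.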