feat: add git-based skill fetching with shared auth and lightweight init image

.gitignore

@@ -156,7 +156,7 @@ celerybeat.pid
 # Environments
 python/.env
 .venv
-env/
+.env/
 venv/
 ENV/
 env.bak/

Makefile

@@ -35,16 +35,19 @@ CONTROLLER_IMAGE_NAME ?= controller
 UI_IMAGE_NAME ?= ui
 APP_IMAGE_NAME ?= app
 KAGENT_ADK_IMAGE_NAME ?= kagent-adk
+SKILLS_INIT_IMAGE_NAME ?= skills-init
 
 CONTROLLER_IMAGE_TAG ?= $(VERSION)
 UI_IMAGE_TAG ?= $(VERSION)
 APP_IMAGE_TAG ?= $(VERSION)
 KAGENT_ADK_IMAGE_TAG ?= $(VERSION)
+SKILLS_INIT_IMAGE_TAG ?= $(VERSION)
 
 CONTROLLER_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(CONTROLLER_IMAGE_NAME):$(CONTROLLER_IMAGE_TAG)
 UI_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(UI_IMAGE_NAME):$(UI_IMAGE_TAG)
 APP_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(APP_IMAGE_NAME):$(APP_IMAGE_TAG)
 KAGENT_ADK_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(KAGENT_ADK_IMAGE_NAME):$(KAGENT_ADK_IMAGE_TAG)
+SKILLS_INIT_IMG ?= $(DOCKER_REGISTRY)/$(DOCKER_REPO)/$(SKILLS_INIT_IMAGE_NAME):$(SKILLS_INIT_IMAGE_TAG)
 
 #take from go/go.mod
 AWK ?= $(shell command -v gawk || command -v awk)
@@ -211,13 +214,13 @@ prune-docker-images:
 	docker images --filter dangling=true -q | xargs -r docker rmi || :
 
 .PHONY: build
-build: buildx-create build-controller build-ui build-app
+build: buildx-create build-controller build-ui build-app build-skills-init
 	@echo "Build completed successfully."
 	@echo "Controller Image: $(CONTROLLER_IMG)"
 	@echo "UI Image: $(UI_IMG)"
 	@echo "App Image: $(APP_IMG)"
 	@echo "Kagent ADK Image: $(KAGENT_ADK_IMG)"
-	@echo "Tools Image: $(TOOLS_IMG)"
+	@echo "Skills Init Image: $(SKILLS_INIT_IMG)"
 
 .PHONY: build-monitor
 build-monitor: buildx-create
@@ -244,9 +247,6 @@ lint:
 	make -C go lint
 	make -C python lint
 
-.PHONY: push
-push: push-controller push-ui push-app push-kagent-adk
-
 .PHONY: controller-manifests
 controller-manifests:
 	make -C go manifests
@@ -268,6 +268,10 @@ build-kagent-adk: buildx-create
 build-app: buildx-create build-kagent-adk
 	$(DOCKER_BUILDER) build $(DOCKER_BUILD_ARGS) $(TOOLS_IMAGE_BUILD_ARGS) --build-arg KAGENT_ADK_VERSION=$(KAGENT_ADK_IMAGE_TAG) --build-arg DOCKER_REGISTRY=$(DOCKER_REGISTRY) -t $(APP_IMG) -f python/Dockerfile.app ./python
 
+.PHONY: build-skills-init
+build-skills-init: buildx-create
+	$(DOCKER_BUILDER) build $(DOCKER_BUILD_ARGS) -t $(SKILLS_INIT_IMG) -f docker/skills-init/Dockerfile docker/skills-init
+
 .PHONY: helm-cleanup
 helm-cleanup:
 	rm -f ./$(HELM_DIST_FOLDER)/*.tgz

docker/skills-init/Dockerfile

@@ -0,0 +1,18 @@
+### Stage 0: build krane
+FROM golang:1.25-alpine AS krane-builder
+
+ENV KRANE_VERSION=v0.20.7
+WORKDIR /build
+
+RUN apk add --no-cache git && \
+    git clone --depth 1 --branch $KRANE_VERSION \
+    https://github.com/google/go-containerregistry.git
+
+WORKDIR /build/go-containerregistry/cmd/krane
+
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /build/krane .
+
+FROM alpine:3.21
+
+RUN apk add --no-cache git
+COPY --from=krane-builder /build/krane /usr/local/bin/krane

go/api/v1alpha2/agent_types.go

@@ -69,16 +69,51 @@ type AgentSpec struct {
 	AllowedNamespaces *AllowedNamespaces `json:"allowedNamespaces,omitempty"`
 }
 
+// +kubebuilder:validation:AtLeastOneOf=refs,gitRefs
 type SkillForAgent struct {
 	// Fetch images insecurely from registries (allowing HTTP and skipping TLS verification).
 	// Meant for development and testing purposes only.
 	// +optional
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 
 	// The list of skill images to fetch.
-	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=20
+	// +kubebuilder:validation:MinItems=1
+	// +optional
 	Refs []string `json:"refs,omitempty"`
+
+	// Reference to a Secret containing git credentials.
+	// Applied to all gitRefs entries.
+	// The secret should contain a `token` key for HTTPS auth,
+	// or `ssh-privatekey` for SSH auth.
+	// +optional
+	GitAuthSecretRef *corev1.LocalObjectReference `json:"gitAuthSecretRef,omitempty"`
+
+	// Git repositories to fetch skills from.
+	// +kubebuilder:validation:MaxItems=20
+	// +kubebuilder:validation:MinItems=1
+	// +optional
+	GitRefs []GitRepo `json:"gitRefs,omitempty"`
+}
+
+// GitRepo specifies a single Git repository to fetch skills from.
+type GitRepo struct {
+	// URL of the git repository (HTTPS or SSH).
+	// +kubebuilder:validation:Required
+	URL string `json:"url"`
+
+	// Git reference: branch name, tag, or commit SHA.
+	// +optional
+	// +kubebuilder:default="main"
+	Ref string `json:"ref,omitempty"`
+
+	// Subdirectory within the repo to use as the skill root.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// Name for the skill directory under /skills. Defaults to the repo name.
+	// +optional
+	Name string `json:"name,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:rule="!has(self.systemMessage) || !has(self.systemMessageFrom)",message="systemMessage and systemMessageFrom are mutually exclusive"

go/config/crd/bases/kagent.dev_agents.yaml

@@ -10027,6 +10027,52 @@ spec:
                   Skills to load into the agent. They will be pulled from the specified container images.
                   and made available to the agent under the `/skills` folder.
                 properties:
+                  gitAuthSecretRef:
+                    description: |-
+                      Reference to a Secret containing git credentials.
+                      Applied to all gitRefs entries.
+                      The secret should contain a `token` key for HTTPS auth,
+                      or `ssh-privatekey` for SSH auth.
+                    properties:
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  gitRefs:
+                    description: Git repositories to fetch skills from.
+                    items:
+                      description: GitRepo specifies a single Git repository to fetch
+                        skills from.
+                      properties:
+                        name:
+                          description: Name for the skill directory under /skills.
+                            Defaults to the repo name.
+                          type: string
+                        path:
+                          description: Subdirectory within the repo to use as the
+                            skill root.
+                          type: string
+                        ref:
+                          default: main
+                          description: 'Git reference: branch name, tag, or commit
+                            SHA.'
+                          type: string
+                        url:
+                          description: URL of the git repository (HTTPS or SSH).
+                          type: string
+                      required:
+                      - url
+                      type: object
+                    maxItems: 20
+                    minItems: 1
+                    type: array
                   insecureSkipVerify:
                     description: |-
                       Fetch images insecurely from registries (allowing HTTP and skipping TLS verification).