9. Installing of kagents for MicroK8s
Notes#
- Installing kagent on microk8s
-
This guide uses helm installation from https://kagent.dev/docs/kagent/introduction/installation
-
Important: KAgent is not exposed to the internet by default for security reasons. Publishing it online without protections can be risky.
In this guide, we will show how to enable internet access safely using an Ingress with Basic Authentication and optional HTTPS. This allows KAgent to be accessed on your floating IP or domain while keeping it protected.
Prerequisites#
-
The product platform instructions v2 steps 1–3 have been reviewed.
-
A Kubernetes agent connected to the project’s cluster is set up.
-
Runner installed and registered on a cPouta VM.
1. Installing kagent#
1. Install the kagent Helm chart with CRDs.
microk8s helm install kagent-crds oci://ghcr.io/kagent-dev/kagent/helm/kagent-crds \
--namespace kagent \
--create-namespace
2. Set the OPENAI_API_KEY environment variable:
You can use OpenAI key which we have for our team
3. Install the kagent Helm chart:
microk8s helm install kagent oci://ghcr.io/kagent-dev/kagent/helm/kagent \
--namespace kagent \
--set providers.openAI.apiKey=$OPENAI_API_KEY
2. Testing kagent locally#
When you run the command:
and if you're using a remote machine, you might see something like:
Dashboard is not available on this platform
You can easily start the dashboard by running:
kubectl port-forward -n kagent service/kagent-ui 8082:80
and then opening http://localhost:8082 in your browser
- Note: The suggested command uses port 80 by default, but the actual port used by kagent-ui may differ.
1. Port-Forward the kagent-ui Service
Try running:
If you see an error like:
this means the service is not exposing port 80. You need to check the correct port.
2. Check the Service Port
List all services in the kagent namespace:
Look for kagent-ui in the list. The PORT(S) column shows the correct port (for example, 8080).
You will use this port for port-forwarding instead of the default 80.
3. Forward the Correct Port
Once you know the correct port, forward it to your local machine. For example, if kagent-ui uses port 8080:
-
8082 → Local machine port
-
8080 → Service port inside the cluster
-
Now you can open the dashboard in your browser at: http://localhost:8082
4. Using an SSH Tunnel (e.g., with PuTTY)
If you are connecting to a remote machine via SSH:
-
Right-click the top bar of your PuTTY window → Change Settings.
-
Navigate to Connection → SSH → Tunnels.
Set:
-
Source Port: 8082 (your local machine)
-
Destination: localhost:8082 (the forwarded port on the remote)
-
Click Add and then Open the SSH connection.
- Once connected, you can access Kagent locally at:
http://localhost:8082
3. Enable internet accessibility#
To expose KAgent to the internet on your cPouta virtual machine's floating IP, we need to create an Ingress resource.
- Note: Exposing KAgent publicly requires security. In this guide, we’ll use Basic Authentication on the Ingress. You could also use OAuth or other methods.
1. We need htpasswd to create the authentication file:
2. Create the auth file
-
This will prompt you to enter a password for the username.
-
The resulting auth file will be used in a Kubernetes secret.
3. 3: Create a Kubernetes Secret
- Replace
<SECRET-NAME>with a name for your secret, e.g., kagent-basic-auth.
4. Create the Ingress YAML
Create a file named e.g., kagent-ingress.yaml on your VM. Replace
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kagent-ui
namespace: kagent
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: <SECRET-NAME>
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
ingressClassName: nginx
rules:
- host: <YOUR-DOMAIN>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kagent-ui
port:
number: <PORT>
5. Apply the ingress
-
After this, KAgent should be accessible in your browser at: http://
<YOUR-DOMAIN> -
You will be prompted for your username and password:
- After logging in, you can access the KAgent dashboard:
6. Enable HTTPS with Let's Encrypt
To enable HTTPS, update your Ingress YAML to include TLS annotations and reference a ClusterIssuer:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kagent-ui
namespace: kagent
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod" # Add these to enable https
acme.cert-manager.io/http01-edit-in-place: "true" #
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: <SECRET-NAME>
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
ingressClassName: nginx
tls: # Add these to enable https
- hosts: #
- <YOUR-DOMAIN> #
secretName: kagent-ui-tls #
rules:
- host: <YOUR-DOMAIN>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kagent-ui
port:
number: <PORT>
---
# Add the ClusterIssuer to enable https
# ClusterIssuer (Let's Encrypt)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <EMAIL>
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx
-
Replace
<EMAIL>with your email for Let's Encrypt notifications. -
<SECRET-NAME>,<YOUR-DOMAIN>, and<PORT>should match your setup.
3. Create an agent#
- You can follow the official guide to create your first agent:
- Note: After creating the agent, it may take a little while before it becomes fully available.
What can you do with agent?
4. Uninstallation#
To remove kagent from your cluster:
1. Uninstall kagent chart:
2. Optionally, remove all kagent CRDs and resources:
Note that uninstalling the kagent-crds chart deletes all kagent resources across all namespaces.