FIX remaining outdated changes in go/core

Signed-off-by: Jet Chiang <pokyuen.jetchiang-ext@solo.io>

Author: supreme-gg-gg

go/core/internal/a2a/client_interceptors_test.go

@@ -0,0 +1,56 @@
+package a2a
+
+import (
+	"context"
+	"testing"
+
+	a2aclient "github.com/a2aproject/a2a-go/v2/a2aclient"
+	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/trace"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func TestUpstreamAuthInterceptor_InjectsTraceContext(t *testing.T) {
+	const rawTraceparent = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
+
+	ctx := propagation.TraceContext{}.Extract(
+		context.Background(),
+		propagation.MapCarrier{"traceparent": rawTraceparent},
+	)
+
+	req := &a2aclient.Request{
+		BaseURL:       "http://agent.default:8080",
+		ServiceParams: a2aclient.ServiceParams{},
+	}
+	interceptor := NewUpstreamAuthInterceptor(nil, types.NamespacedName{})
+	if _, _, err := interceptor.Before(ctx, req); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	gotValues := req.ServiceParams.Get("traceparent")
+	if len(gotValues) == 0 {
+		t.Fatal("expected traceparent service param on outgoing request, got none")
+	}
+
+	outCtx := propagation.TraceContext{}.Extract(context.Background(), propagation.MapCarrier{"traceparent": gotValues[0]})
+	wantTraceID := trace.SpanContextFromContext(ctx).TraceID()
+	gotTraceID := trace.SpanContextFromContext(outCtx).TraceID()
+	if wantTraceID != gotTraceID {
+		t.Errorf("trace ID: want %s, got %s", wantTraceID, gotTraceID)
+	}
+}
+
+func TestUpstreamAuthInterceptor_NoTraceContext(t *testing.T) {
+	req := &a2aclient.Request{
+		BaseURL:       "http://agent.default:8080",
+		ServiceParams: a2aclient.ServiceParams{},
+	}
+	interceptor := NewUpstreamAuthInterceptor(nil, types.NamespacedName{})
+	if _, _, err := interceptor.Before(context.Background(), req); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if got := req.ServiceParams.Get("traceparent"); len(got) != 0 {
+		t.Errorf("expected no traceparent service param, got %q", got)
+	}
+}

go/core/internal/a2a/trace.go

@@ -16,8 +16,8 @@ import (
 
 // a2aTracingMiddleware is an A2A server middleware that creates an invoke_agent
 // span for each inbound A2A request, annotated with GenAI semantic convention
-// attributes. The span becomes the parent of any outbound proxy calls made by
-// traceInjectHandler, giving a clean agent-invocation span hierarchy in Jaeger.
+// attributes. Outbound client interceptors inject that span into proxied agent
+// calls, giving a clean agent-invocation span hierarchy in Jaeger.
 type a2aTracingMiddleware struct {
 	agentRef types.NamespacedName
 	provider attribute.KeyValue

go/core/internal/httpserver/handlers/agents.go

@@ -18,6 +18,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -32,35 +33,46 @@ func NewAgentsHandler(base *Base) *AgentsHandler {
 	return &AgentsHandler{Base: base}
 }
 
-// HandleListAgents handles GET /api/agents requests using database
+// HandleListAgents handles GET /api/agents requests using database.
+// Optional query param: namespace=<ns>.
 func (h *AgentsHandler) HandleListAgents(w ErrorResponseWriter, r *http.Request) {
 	log := ctrllog.FromContext(r.Context()).WithName("agents-handler").WithValues("operation", "list-db")
 
-	if err := Check(h.Authorizer, r, auth.Resource{Type: "Agent"}); err != nil {
-		w.RespondWithError(err)
+	namespace := r.URL.Query().Get("namespace")
+	if namespace == "" {
+		h.handleListAgents(w, r, log)
 		return
 	}
 
-	agentList := &v1alpha2.AgentList{}
-	if err := h.KubeClient.List(r.Context(), agentList); err != nil {
-		w.RespondWithError(errors.NewInternalServerError("Failed to list Agents from Kubernetes", err))
+	if strings.TrimSpace(namespace) != namespace {
+		w.RespondWithError(errors.NewBadRequestError(
+			fmt.Sprintf("invalid namespace %q: must not contain leading or trailing whitespace", namespace),
+			nil,
+		))
 		return
 	}
 
-	agentsWithID := make([]api.AgentResponse, 0)
-	h.appendAgentResponses(r.Context(), log, agentObjects(agentList.Items), &agentsWithID)
+	if errs := utilvalidation.IsDNS1123Label(namespace); len(errs) > 0 {
+		w.RespondWithError(errors.NewBadRequestError(
+			fmt.Sprintf("invalid namespace %q: %s", namespace, strings.Join(errs, "; ")),
+			nil,
+		))
+		return
+	}
 
-	harnessList := &v1alpha2.AgentHarnessList{}
-	if err := h.KubeClient.List(r.Context(), harnessList); err != nil {
-		w.RespondWithError(errors.NewInternalServerError("Failed to list AgentHarness resources from Kubernetes", err))
+	h.handleListAgents(w, r, log.WithValues("namespace", namespace), client.InNamespace(namespace))
+}
+
+func (h *AgentsHandler) handleListAgents(w ErrorResponseWriter, r *http.Request, log logr.Logger, opts ...client.ListOption) {
+	if err := Check(h.Authorizer, r, auth.Resource{Type: "Agent"}); err != nil {
+		w.RespondWithError(err)
 		return
 	}
-	for i := range harnessList.Items {
-		sb := &harnessList.Items[i]
-		if sb.Spec.Backend != v1alpha2.AgentHarnessBackendOpenClaw && sb.Spec.Backend != v1alpha2.AgentHarnessBackendNemoClaw {
-			continue
-		}
-		agentsWithID = append(agentsWithID, h.openshellAgentHarnessAgentResponse(r.Context(), log, sb))
+
+	agentsWithID, err := h.listAgentResponses(r.Context(), log, opts...)
+	if err != nil {
+		w.RespondWithError(err)
+		return
 	}
 
 	log.Info("Successfully listed agents", "count", len(agentsWithID))

go/core/internal/httpserver/handlers/agents_test.go

@@ -500,6 +500,92 @@ func TestHandleListAgents(t *testing.T) {
 		}
 		require.True(t, found)
 	})
+
+	t.Run("filters Agent and AgentHarness rows by namespace query parameter", func(t *testing.T) {
+		modelConfig := createTestModelConfig()
+		agentDefault := createTestAgent("agent-in-default", modelConfig)
+		agentOther := &v1alpha2.Agent{
+			ObjectMeta: metav1.ObjectMeta{Name: "agent-in-other", Namespace: "other"},
+			Spec: v1alpha2.AgentSpec{
+				Type: v1alpha2.AgentType_Declarative,
+				Declarative: &v1alpha2.DeclarativeAgentSpec{
+					ModelConfig: modelConfig.Name,
+				},
+			},
+		}
+		harnessDefault := &v1alpha2.AgentHarness{
+			ObjectMeta: metav1.ObjectMeta{Name: "harness-default", Namespace: "default"},
+			Spec: v1alpha2.AgentHarnessSpec{
+				Backend:        v1alpha2.AgentHarnessBackendOpenClaw,
+				ModelConfigRef: "test-model-config",
+			},
+		}
+		harnessOther := &v1alpha2.AgentHarness{
+			ObjectMeta: metav1.ObjectMeta{Name: "harness-other", Namespace: "other"},
+			Spec: v1alpha2.AgentHarnessSpec{
+				Backend:        v1alpha2.AgentHarnessBackendOpenClaw,
+				ModelConfigRef: "test-model-config",
+			},
+		}
+		unsupportedHarnessDefault := &v1alpha2.AgentHarness{
+			ObjectMeta: metav1.ObjectMeta{Name: "unsupported-harness", Namespace: "default"},
+			Spec: v1alpha2.AgentHarnessSpec{
+				Backend:        v1alpha2.AgentHarnessBackendType("unsupported"),
+				ModelConfigRef: "test-model-config",
+			},
+		}
+		handler, _ := setupTestHandler(t, agentDefault, agentOther, harnessDefault, harnessOther, unsupportedHarnessDefault, modelConfig)
+
+		req := httptest.NewRequest("GET", "/api/agents?namespace=default", nil)
+		req = setUser(req, "test-user")
+		w := httptest.NewRecorder()
+
+		handler.HandleListAgents(&testErrorResponseWriter{w}, req)
+
+		require.Equal(t, http.StatusOK, w.Code)
+		var response api.StandardResponse[[]api.AgentResponse]
+		require.NoError(t, json.Unmarshal(w.Body.Bytes(), &response))
+		require.Len(t, response.Data, 2)
+
+		byName := make(map[string]api.AgentResponse, len(response.Data))
+		for _, row := range response.Data {
+			byName[row.Agent.Metadata.Name] = row
+			require.Equal(t, "default", row.Agent.Metadata.Namespace)
+		}
+		require.Contains(t, byName, "agent-in-default")
+		require.Contains(t, byName, "harness-default")
+		require.NotContains(t, byName, "agent-in-other")
+		require.NotContains(t, byName, "harness-other")
+		require.NotContains(t, byName, "unsupported-harness")
+	})
+
+	// Kubernetes namespace names must be DNS-1123 labels. Rejecting invalid input
+	// before calling the Kubernetes client keeps the list path consistent with
+	// other resource handlers and avoids surprising cross-namespace behavior.
+	t.Run("returns 400 for invalid namespace query value", func(t *testing.T) {
+		handler, _ := setupTestHandler(t)
+
+		req := httptest.NewRequest("GET", "/api/agents?namespace=INVALID_NS!", nil)
+		req = setUser(req, "test-user")
+		w := httptest.NewRecorder()
+
+		handler.HandleListAgents(&testErrorResponseWriter{w}, req)
+
+		require.Equal(t, http.StatusBadRequest, w.Code)
+	})
+
+	t.Run("returns 400 for namespace query value with leading or trailing whitespace", func(t *testing.T) {
+		handler, _ := setupTestHandler(t)
+
+		req := httptest.NewRequest("GET", "/api/agents?namespace=%20default", nil)
+		req = setUser(req, "test-user")
+		w := httptest.NewRecorder()
+
+		handler.HandleListAgents(&testErrorResponseWriter{w}, req)
+
+		require.Equal(t, http.StatusBadRequest, w.Code)
+		require.Contains(t, w.Body.String(), "must not contain leading or trailing whitespace")
+	})
 }
 
 func TestHandleListSandboxAgents(t *testing.T) {

go/core/test/e2e/invoke_api_test.go

@@ -1075,6 +1075,15 @@ func TestE2EInvokeCrewAIAgent(t *testing.T) {
 }
 
 func TestE2EInvokeSTSIntegration(t *testing.T) {
+	runE2EInvokeSTSIntegration(t, "python", nil)
+}
+
+func TestE2EGoInvokeSTSIntegration(t *testing.T) {
+	goRuntime := v1alpha2.DeclarativeRuntime_Go
+	runE2EInvokeSTSIntegration(t, "go", &goRuntime)
+}
+
+func runE2EInvokeSTSIntegration(t *testing.T, runtimeName string, runtimeOverride *v1alpha2.DeclarativeRuntime) {
 	// Setup mock STS server
 	agentName := "test-sts"
 	agentServiceAccount := fmt.Sprintf("system:serviceaccount:kagent:%s", agentName)
@@ -1110,8 +1119,9 @@ func TestE2EInvokeSTSIntegration(t *testing.T) {
 
 	modelCfg := setupModelConfig(t, cli, baseURL)
 	agent := setupAgentWithOptions(t, cli, modelCfg.Name, tools, AgentOptions{
-		Name:          "test-sts-agent",
+		Name:          "test-sts-agent-" + runtimeName,
 		SystemMessage: "You are an agent that adds numbers using the add tool available to you through the everything-mcp-server.",
+		Runtime:       runtimeOverride,
 		Env: []corev1.EnvVar{
 			{
 				Name:  "STS_WELL_KNOWN_URI",
@@ -1139,7 +1149,7 @@ func TestE2EInvokeSTSIntegration(t *testing.T) {
 	a2aURL := a2aUrl(agent.Namespace, agent.Name)
 	a2aClient := newA2AClient(t, a2aURL, httpClient, nil)
 
-	t.Run("sync_invocation", func(t *testing.T) {
+	t.Run(runtimeName+"/sts_exchange_sync_invocation", func(t *testing.T) {
 		runSyncTest(t, a2aClient, "add 3 and 5", "8", nil)
 
 		// verify our mock STS server received the token exchange request
@@ -1150,6 +1160,10 @@ func TestE2EInvokeSTSIntegration(t *testing.T) {
 		// which contains the may act claim
 		stsRequest := stsRequests[0]
 		require.Equal(t, subjectToken, stsRequest.SubjectToken)
+		require.Equal(t, "urn:ietf:params:oauth:grant-type:token-exchange", stsRequest.GrantType)
+		require.Equal(t, "urn:ietf:params:oauth:token-type:jwt", stsRequest.SubjectTokenType)
+		require.NotEmpty(t, stsRequest.ActorToken)
+		require.Equal(t, "urn:ietf:params:oauth:token-type:jwt", stsRequest.ActorTokenType)
 	})
 }