Install the Tool Gateway agentgateway Operator

This guide walks you through installing the Tool Gateway agentgateway Operator and all of its required dependencies on your Kubernetes cluster.

Prerequisites

  • A running Kubernetes cluster (version 1.26.0 or higher) with kubectl configured.

  • Helm 3+ installed.

Install Dependencies

The operator requires the following infrastructure components to be installed first.

Install cert-manager

helm upgrade -i cert-manager oci://quay.io/jetstack/charts/cert-manager \
  --version v1.19.3 \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --wait

kubectl wait validatingwebhookconfiguration/cert-manager-webhook \
  --for "jsonpath={.webhooks[0].clientConfig.caBundle}" \
  --timeout 5m

Install Gateway API CRDs

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/latest/download/standard-install.yaml

Browse all Gateway API releases at https://github.com/kubernetes-sigs/gateway-api/releases.

Install agentgateway

# Install agentgateway CRDs
helm upgrade -i agentgateway-crds \
  oci://ghcr.io/kgateway-dev/charts/agentgateway-crds \
  --namespace agentgateway-system \
  --version v2.2.0 \
  --create-namespace \
  --wait

# Install agentgateway controller
helm upgrade -i agentgateway \
  oci://ghcr.io/kgateway-dev/charts/agentgateway \
  --namespace agentgateway-system \
  --version v2.2.0 \
  --wait

Install the Agent Runtime Operator

The Agent Runtime Operator provides the ToolGateway, ToolGatewayClass, ToolRoute, and ToolServer CRDs.

kubectl apply -f https://github.com/agentic-layer/agent-runtime-operator/releases/latest/download/install.yaml

kubectl wait deployment.apps/agent-runtime-operator-controller-manager \
  --for condition=Available \
  --namespace agent-runtime-operator-system \
  --timeout 5m

Install the Operator

Install with kubectl

kubectl apply -f https://github.com/agentic-layer/tool-gateway-agentgateway/releases/latest/download/install.yaml

kubectl wait --for=condition=Available --timeout=60s \
  -n tool-gateway-agentgateway-system \
  deployment/tool-gateway-agentgateway-controller-manager

Find the latest version at https://github.com/agentic-layer/tool-gateway-agentgateway/releases/

Install with Flux

If you are using Flux for GitOps, install the operator via its OCI repository:

apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: tool-gateway-agentgateway
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/agentic-layer/manifests/tool-gateway-agentgateway
  ref:
    semver: ">= 0, < 1"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tool-gateway-agentgateway
  namespace: flux-system
spec:
  sourceRef:
    kind: OCIRepository
    name: tool-gateway-agentgateway
  interval: 10m
  path: ./
  prune: true
  wait: true
  dependsOn:
    # Ensure cert-manager is installed first (if you install it with Flux as well)
    - name: cert-manager
    # Ensure Agent Runtime Operator is installed
    - name: agent-runtime-operator

Enable Guardrails (Optional)

The operator can attach guardrails to a ToolGateway to filter sensitive content from tool traffic. To enable this, the controller must be started with the --guardrail-adapter-image=<image>:<tag> flag. The shipped install.yaml already pins a known-compatible adapter version. If you build your own Kustomize overlay, set the image via:

patches:
  - target: { kind: Deployment, name: controller-manager, namespace: tool-gateway-agentgateway-system }
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: controller-manager
      spec:
        template:
          spec:
            containers:
              - name: manager
                args:
                  - --leader-elect
                  - --health-probe-bind-address=:8081
                  - --guardrail-adapter-image=ghcr.io/agentic-layer/guardrail-adapter:0.2.1

You also need a GuardrailProvider backing service (e.g. Presidio) reachable from the cluster. See Create and Use Guardrails in Gateways for the cross-gateway concepts and the Guardrails section in the reference for ToolGateway-specific configuration.

Verify

# Check that the operator is running
kubectl get pods -n tool-gateway-agentgateway-system

You should see the operator pod running.

Uninstall

To remove the operator:

kubectl delete -f https://github.com/agentic-layer/tool-gateway-agentgateway/releases/latest/download/install.yaml

To remove all dependencies (optional):

# Uninstall Agent Runtime Operator
kubectl delete -f https://github.com/agentic-layer/agent-runtime-operator/releases/latest/download/install.yaml

# Uninstall agentgateway
helm uninstall agentgateway --namespace agentgateway-system
helm uninstall agentgateway-crds --namespace agentgateway-system

# Uninstall Gateway API CRDs
kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/latest/download/standard-install.yaml

# Uninstall cert-manager
helm uninstall cert-manager --namespace cert-manager
kubectl delete namespace cert-manager

Related