humanlayer · balanceiskey · May 14, 2025 · May 14, 2025 · May 14, 2025 · May 14, 2025
@@ -9,6 +9,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- namespace_permissions_patch.yaml
+- namespace_permissions_binding.yaml
 # The following RBAC configurations are used to protect
 # the metrics endpoint with authn/authz. These configurations
 # ensure that only authorized users and service accounts

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: namespace-manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: namespace-manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - create
@@ -21,6 +21,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+const (
+	transportTypeStdio = "stdio"
+	transportTypeHTTP  = "http"
+)
+
 // CreateTaskRequest defines the structure of the request body for creating a task
 type CreateTaskRequest struct {
 	Namespace     string        `json:"namespace,omitempty"`     // Optional, defaults to "default"
@@ -215,6 +220,13 @@ func (s *APIServer) createAgent(c *gin.Context) {
 	// Default namespace to "default" if not provided
 	namespace := defaultIfEmpty(req.Namespace, "default")
 
+	// Ensure the namespace exists
+	if err := s.ensureNamespaceExists(ctx, namespace); err != nil {
+		logger.Error(err, "Failed to ensure namespace exists")
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to ensure namespace exists: " + err.Error()})
+		return
+	}
+
 	// Check if agent already exists
 	exists, err := s.resourceExists(ctx, &acp.Agent{}, namespace, req.Name)
 	if err != nil {
@@ -485,19 +497,19 @@ func validateMCPConfig(config MCPServerConfig) error {
 	// Default to stdio transport if not specified
 	transport := config.Transport
 	if transport == "" {
-		transport = "stdio"
+		transport = transportTypeStdio
 	}
 
 	// Validate the transport type
-	if transport != "stdio" && transport != "http" {
+	if transport != transportTypeStdio && transport != transportTypeHTTP {
 		return fmt.Errorf("invalid transport: %s", transport)
 	}
 
 	// Validate transport-specific requirements
-	if transport == "stdio" && (config.Command == "" || len(config.Args) == 0) {
+	if transport == transportTypeStdio && (config.Command == "" || len(config.Args) == 0) {
 		return fmt.Errorf("command and args required for stdio transport")
 	}
-	if transport == "http" && config.URL == "" {
+	if transport == transportTypeHTTP && config.URL == "" {
 		return fmt.Errorf("url required for http transport")
 	}
 
@@ -626,6 +638,40 @@ func defaultIfEmpty(val, defaultVal string) string {
 	return val
 }
 
+// ensureNamespaceExists checks if a namespace exists and creates it if it doesn't
+func (s *APIServer) ensureNamespaceExists(ctx context.Context, namespaceName string) error {
+	logger := log.FromContext(ctx)
+
+	// Check if namespace exists
+	var namespace corev1.Namespace
+	err := s.client.Get(ctx, client.ObjectKey{Name: namespaceName}, &namespace)
+	if err == nil {
+		// Namespace exists, nothing to do
+		return nil
+	}
+
+	if !apierrors.IsNotFound(err) {
+		// Error other than "not found" occurred
+		logger.Error(err, "Failed to check namespace existence", "namespace", namespaceName)
+		return fmt.Errorf("failed to check namespace existence: %w", err)
+	}
+
+	// Namespace doesn't exist, create it
+	namespace = corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: namespaceName,
+		},
+	}
+
+	if err := s.client.Create(ctx, &namespace); err != nil {
+		logger.Error(err, "Failed to create namespace", "namespace", namespaceName)
+		return fmt.Errorf("failed to create namespace: %w", err)
+	}
+
+	logger.Info("Created namespace", "namespace", namespaceName)
+	return nil
+}
+
 // updateAgent handles updating an existing agent and its associated MCP servers
 func (s *APIServer) updateAgent(c *gin.Context) {
 	ctx := c.Request.Context()
@@ -888,6 +934,13 @@ func (s *APIServer) createTask(c *gin.Context) {
 		namespace = "default"
 	}
 
+	// Ensure the namespace exists
+	if err := s.ensureNamespaceExists(ctx, namespace); err != nil {
+		logger.Error(err, "Failed to ensure namespace exists")
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to ensure namespace exists: " + err.Error()})
+		return
+	}
+
 	// Handle both responseURL and responseUrl fields (with responseURL taking precedence)
 	responseURL := req.ResponseURL
 	if responseURL == "" && req.ResponseUrl != "" {