This workshop demonstrates how to route embedding requests through Agent Gateway to a self-hosted vLLM server running an OpenAI-compatible API. This is the Agent Gateway equivalent of a LiteLLM config like:
```yaml
- model_name: qwen3
  litellm_params:
    model: hosted_vllm//apps/ecs_mounts/data/q3.6b
    api_key: $VLLM_API_KEY
    api_base: $VLLM_HOST_URL
```
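Whichever proxy sits in front of vLLM, clients talk to it through the standard OpenAI-style `/v1/embeddings` endpoint. The sketch below builds such a request with only the Python standard library; the gateway address (`localhost:3000`) and the model name `qwen3` are assumptions for illustration, not values taken from this workshop's setup.

```python
import json
from urllib import request

def build_embedding_request(base_url: str, model: str, texts: list[str]) -> request.Request:
    """Build an OpenAI-compatible POST /v1/embeddings request for the gateway."""
    url = f"{base_url.rstrip('/')}/v1/embeddings"
    body = json.dumps({"model": model, "input": texts}).encode()
    return request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )

# Assumed gateway address and model name for illustration:
req = build_embedding_request("http://localhost:3000", "qwen3", ["hello world"])
# response = request.urlopen(req)  # uncomment against a live gateway
```

Because the gateway speaks the same wire protocol as the upstream vLLM server, the only change a client needs is pointing its base URL at the gateway instead of at vLLM directly.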