Validate Gateway Configuration
Use three different checks before a gateway rollout:
kt config validatechecks the declarative document structure.kt gateway checkresolves runtime configuration and provider credentials.kt policy testexecutes the config's policy test cases.
These checks answer different questions. Passing one does not imply that the others will pass.
Structural validation
Validate the default file:
kt config validate
Validate another file:
kt config validate --file configs/production.yaml
The command parses the document and runs declarative-config validation. In
text mode, validation errors produce a user error and nonzero exit status;
successful output reports the config version and Result: valid.
For CI, use JSON and assert that the returned valid field is true:
kt config validate \
--file configs/production.yaml \
--json
The JSON object contains:
filevalidconfig_versionschema_versionerrors
Current JSON mode prints a valid JSON result and exits successfully even when
valid is false. Do not treat its process exit status as the validation
gate; inspect valid and fail the job when it is not true. If an automation
environment can rely only on exit status, use text mode instead.
Runtime readiness
After structural validation, resolve the config as the gateway would:
kt gateway check --config configs/production.yaml
Add --verbose when diagnosing provider activation:
kt gateway check \
--config configs/production.yaml \
--verbose
gateway check reports the resolved config version and digest, active and
inactive providers, routing strategy, policy chain, and a final Ready or
Not Ready result. Required providers whose credentials cannot be resolved
make the check not ready.
Current gateway check output is human-readable and a Not Ready result does
not by itself make the process exit nonzero. Do not use its exit status alone
as a readiness gate; assert the reported result or run a wrapper that does so.
Run it with the same environment and secret-store access as the intended gateway service. A shell check can pass while an installed service fails if the service does not receive the same environment.
gateway check does not:
- start a gateway;
- contact a model provider with a sample inference;
- deploy a configuration to the control plane; or
- prove that application traffic reaches the gateway.
Policy behavior tests
Run pack and inline tests after the config is structurally valid:
kt policy test --pack-dir .
Use --json in automation. A failed test returns a nonzero exit status even
when the YAML itself is valid.
Recommended gate
Use this order locally and in deployment automation:
kt config validate --file policy-config.yaml --json
kt policy lint --mode runtime --file policy-config.yaml
kt policy test --pack-dir . --json
kt gateway check --config policy-config.yaml
In this sequence, explicitly assert valid == true for the first JSON result
and assert that gateway check reports Ready.
Then start a bound gateway and send a representative request through it:
kt gateway run \
--agent docs-validation \
--policy-config policy-config.yaml \
--listen 127.0.0.1:41002
Checking /healthz confirms only that the gateway process is healthy. Verify
an actual supported request family to prove provider routing and policy
behavior.
Choosing the right validator
| Question | Command |
|---|---|
| Is this declarative document structurally valid? | kt config validate |
| Is this file a valid runtime or IAM policy document? | kt policy lint --mode auto |
| Can provider credentials be resolved in this environment? | kt gateway check |
| Do the declared policy cases produce expected outcomes? | kt policy test |
| Is a running process alive? | GET /healthz |
| Does a real governed model request work? | Send a representative request through the gateway. |