You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Replace single *http.Client hairpin with HairpinClientPool that caches per-SNI clients
- Initialize uses the server HTTPRoute hostname as TLS ServerName so Envoy selects the correct filter chain
- Move routing header setup (router-key, mcp-init-host) from clients.Initialize to the caller, breaking an import cycle
- Add e2e tests for HTTPS hairpin and DestinationRule TLS origination
- Document supported TLS configurations in the install guide
Signed-off-by: craig <cbrookes@redhat.com>
The operator preserves user-added volumes, volume mounts, and command flags across reconciliations.
111
111
112
+
#### Supported TLS Configurations
113
+
114
+
The gateway uses TLS termination (`tls.mode: Terminate`) on HTTPS listeners. Envoy decrypts incoming TLS, processes the request (ext_proc, AuthPolicy), then forwards **plain HTTP** to backends. This affects which backend setups work:
115
+
116
+
**Fully supported — tool discovery and tool calls work:**
117
+
118
+
-**HTTP listener → HTTP backend** — no TLS involved.
119
+
-**HTTPS listener → HTTP backend** — Envoy terminates client TLS, forwards HTTP to backend. Requires `--gateway-ca-cert` if the listener uses a private CA.
120
+
-**HTTPS listener → external HTTPS backend (with DestinationRule)** — Envoy terminates client TLS, then a DestinationRule configures TLS origination to the external service. See [External MCP Servers](./external-mcp-server.md).
-**Any listener → internal HTTPS backend (`caCertSecretRef`)** — the broker connects directly to the backend using the CA cert, so tool discovery works. However, `tools/call` is routed through Envoy, which sends plain HTTP to the TLS backend after termination. The backend rejects the non-TLS connection. To enable `tools/call`, create an Istio DestinationRule with TLS origination for that service — the same pattern used for [external MCP servers](./external-mcp-server.md). See the [Istio documentation on destination rule TLS settings](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings) for configuring `credentialName` with a custom CA certificate.
125
+
112
126
The `--mcp-gateway-public-host` flag tells the router which `Host` header to expect on incoming requests, so it avoids rewriting it during routing.
113
127
114
128
The **EnvoyFilter** is configured to intercept traffic on the listener's port and route it through the ext_proc (external processor) running on port 50051.
// Initialize will create a new initialize and initialized request and return the associated http client for connection management
38
-
// This method makes a request back to the gateway setting the target mcp server to initialize. We hairpin through the gateway to ensure any Auth applied to that host is triggered for the call.
39
-
// The initToken is a short-lived JWT bound to conf.Hostname that the router will validate when the hairpin request re-enters the gateway.
0 commit comments