forked from Kuadrant/mcp-gateway
mcp.kuadrant.io_mcpgatewayextensions.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.20.0
  creationTimestamp: null
  name: mcpgatewayextensions.mcp.kuadrant.io
spec:
  group: mcp.kuadrant.io
  names:
    kind: MCPGatewayExtension
    listKind: MCPGatewayExtensionList
    plural: mcpgatewayextensions
    singular: mcpgatewayextension
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Ready status
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          MCPGatewayExtension extends a Gateway API Gateway to handle the Model Context Protocol (MCP).
          When created, the controller will:
          - Deploy a broker-router Deployment and Service in the MCPGatewayExtension's namespace
          - Create an EnvoyFilter in the Gateway's namespace to route MCP traffic to the broker
          - Configure the Envoy proxy to use the external processor for MCP request handling
          The broker aggregates tools from upstream MCP servers registered via MCPServerRegistration
          resources, while the router handles MCP protocol parsing and request routing.
          Cross-namespace references to Gateways require a ReferenceGrant in the Gateway's namespace.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: spec defines the desired state of MCPGatewayExtension
            properties:
              backendPingIntervalSeconds:
                default: 60
                description: backendPingIntervalSeconds specifies how often the broker
                  pings upstream MCP servers.
                format: int32
                maximum: 7200
                minimum: 10
                type: integer
              httpRouteManagement:
                default: Enabled
                description: |-
                  httpRouteManagement controls whether the operator manages the gateway HTTPRoute.
                  Enabled: creates and manages the HTTPRoute (default).
                  Disabled: does not create an HTTPRoute.
                enum:
                - Enabled
                - Disabled
                type: string
              privateHost:
                description: |-
                  privateHost overrides the internal host used for hair-pinning requests
                  back through the gateway. Defaults to <gateway>-istio.<ns>.svc.cluster.local:<port>.
                type: string
              publicHost:
                description: |-
                  publicHost overrides the public host derived from the listener hostname.
                  Use when the listener has a wildcard and you need a specific host.
                type: string
              sessionStore:
                description: |-
                  sessionStore references a secret for redis-based session storage.
                  The secret must exist in the MCPGatewayExtension namespace and contain a CACHE_CONNECTION_STRING key.
                  The value is injected as CACHE_CONNECTION_STRING into the broker-router deployment.
                  When not set, in-memory session storage is used.
                properties:
                  secretName:
                    description: |-
                      secretName is the name of the secret containing the CACHE_CONNECTION_STRING key.
                      The value should be a redis connection string: redis://<user>:<pass>@<host>:<port>/<db>
                    minLength: 1
                    type: string
                required:
                - secretName
                type: object
              targetRef:
                description: |-
                  targetRef specifies the Gateway to extend with MCP protocol support.
                  The controller will create an EnvoyFilter targeting this Gateway's Envoy proxy.
                properties:
                  group:
                    default: gateway.networking.k8s.io
                    description: group is the group of the target resource.
                    enum:
                    - gateway.networking.k8s.io
                    type: string
                  kind:
                    default: Gateway
                    description: kind is the kind of the target resource.
                    enum:
                    - Gateway
                    type: string
                  name:
                    description: name is the name of the target resource.
                    minLength: 1
                    type: string
                  namespace:
                    description: namespace of the target resource (optional, defaults
                      to same namespace)
                    type: string
                  sectionName:
                    description: |-
                      sectionName is the name of a listener on the target Gateway. The controller will
                      read the listener's port and hostname to configure the MCP Gateway instance.
                      Only one MCPGatewayExtension is allowed per namespace. MCPGatewayExtensions in
                      different namespaces may target different listeners on the same Gateway, provided
                      those listeners use different ports.
                    maxLength: 253
                    minLength: 1
                    type: string
                required:
                - name
                - sectionName
                type: object
              trustedHeadersKey:
                description: |-
                  trustedHeadersKey configures trusted-header key pair for JWT-based tool filtering.
                  When set, the public key secret is wired into the broker deployment.
                properties:
                  generate:
                    default: Disabled
                    description: |-
                      generate controls whether the operator generates an ECDSA P-256 key pair.
                      Enabled: creates <secretName> (public key) and <secretName>-private (private key)
                      in the MCPGatewayExtension namespace with owner references.
                      Disabled: the secret must already exist (default).
                      Changing this field requires deleting the existing secrets first to ensure
                      the public and private keys are a matching pair.
                    enum:
                    - Enabled
                    - Disabled
                    type: string
                  secretName:
                    description: |-
                      secretName is the name of the secret containing the public key used by the broker
                      to verify trusted-header JWTs. The secret must have a data entry with key "key"
                      containing the PEM-encoded public key.
                      When Generate is Enabled, the operator creates this secret.
                      When Generate is Disabled, this secret must already exist in the namespace.
                    minLength: 1
                    type: string
                required:
                - secretName
                type: object
            required:
            - targetRef
            type: object
          status:
            description: status defines the observed state of MCPGatewayExtension
            properties:
              conditions:
                description: |-
                  conditions represent the current state of the MCPGatewayExtension.
                  The Ready condition indicates whether the broker-router deployment is running
                  and the EnvoyFilter has been successfully applied to the target Gateway.
                items:
                  description: Condition contains details for one aspect of the current
                    state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: null
  storedVersions: null