Summary
The kubectl-mtv MCP server running in the CLI download pod currently requires --kube-insecure due to missing/incorrect CA trust. As a result, the operator default cli_download_mcp_kube_insecure is set to "true" at runtime, while CRD text implies the default is false.
Requested by: @yaacov
Context: PR #5970 adds MCP co-location and introduces cli_download_mcp_kube_insecure; see the discussion for why we can’t enable TLS verification yet.
Problem
- Without proper CA trust inside the pod, TLS verification for in-cluster Kubernetes API calls from the MCP server fails unless kube-insecure is enabled.
- The CRD description currently states “default: false”, which mismatches the actual runtime default and can surprise admins.
Proposed fix (follow-up)
- Ensure the MCP server can verify the in-cluster API:
  - Confirm client-go InClusterConfig is used (reads SA CA from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt).
  - If additional trust is needed, ensure the container trust store includes the cluster CA or wire the CA file explicitly if the binary supports it.
- Once CA trust works end-to-end, flip the operator default:
  - operator/roles/forkliftcontroller/defaults/main.yml: set cli_download_mcp_kube_insecure: "false".
  - Update CRD/CSV text accordingly and regenerate manifests.
  - Optionally, remove the need to pass --kube-insecure in entrypoint.sh once the default is false.
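The following is an added example, not code from kubectl-mtv, forklift or PR #5970. It shows, using only the Go standard library, what the secure path looks like: read the service-account CA bundle from the path client-go's InClusterConfig uses, put it in the TLS root pool, and verify the API server certificate against it, which is exactly the check that --kube-insecure (InsecureSkipVerify) turns off. The function names, the "no parsable certificates" error and the throwaway test CA are constructed for this example; in a real pod the CA would come from the mounted ca.crt, and the verification fails when that file is missing or the wrong bundle is mounted, which is the failure this issue describes.

```go
// Added example: trusting the in-cluster API server without --kube-insecure.
// Standard library only, so it also runs outside a cluster with a constructed CA.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ServiceAccountCAPath is where the kubelet projects the cluster CA into the pod
// and where client-go's InClusterConfig reads it from.
const ServiceAccountCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

// APITLSConfig builds the TLS settings for API-server calls. insecure=false is the
// default the issue wants and requires a usable CA bundle; insecure=true reproduces
// what --kube-insecure does (no server certificate verification at all).
func APITLSConfig(caPEM []byte, insecure bool) (*tls.Config, error) {
	if insecure {
		return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		// Hypothetical error text: an empty or non-PEM ca.crt is the usual cause.
		return nil, errors.New("CA bundle contains no parsable certificates")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// LoadServiceAccountCA reads the mounted CA bundle (fails outside a pod).
func LoadServiceAccountCA(path string) ([]byte, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading in-cluster CA: %w", err)
	}
	return b, nil
}

// VerifyServerCert checks a presented API-server certificate against the roots in cfg,
// including the hostname, which is the check insecure mode skips.
func VerifyServerCert(cfg *tls.Config, serverPEM []byte, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // nothing is verified in insecure mode
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// NewTestCA creates a throwaway CA and a server certificate signed by it.
// Constructed test data for this example only; not a real cluster CA.
func NewTestCA(host string) (caPEM, serverPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	serverPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER})
	return caPEM, serverPEM, nil
}

func main() {
	// In a pod this is the real check; outside one it reports why trust cannot be set up.
	caPEM, err := LoadServiceAccountCA(ServiceAccountCAPath)
	if err != nil {
		fmt.Println("cannot enable TLS verification:", err)
		return
	}
	if _, err := APITLSConfig(caPEM, false); err != nil {
		fmt.Println("cannot enable TLS verification:", err)
		return
	}
	fmt.Println("in-cluster CA bundle is usable; --kube-insecure is not needed")
}
```

The useful part for this issue is the failure path: APITLSConfig refuses to build a verifying config from an empty or non-PEM bundle, and VerifyServerCert rejects a server certificate issued by any CA other than the one in the pool. Running the main inside the CLI download pod is a quick way to tell whether the mounted ca.crt is the bundle the API server actually chains to before flipping the default to "false".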
Acceptance criteria
- MCP server successfully talks to the in-cluster Kubernetes API with TLS verification enabled (no --kube-insecure).
- Defaults set to "false" in role defaults and reflected in CRD/CSV descriptions.
- Entry point and templates no longer rely on insecure mode.
References
Affected areas (likely)
- build/forklift-cli-download/entrypoint.sh
- operator/roles/forkliftcontroller/defaults/main.yml
- operator/config/crd/bases/forklift.konveyor.io_forkliftcontrollers.yaml (description text only)