feat: add Kubernetes manifests and Tiltfile integration for MCP server (#1209)

bjcoombs · web-flow · commit d7c15111ab1a · 2026-02-25T17:24:00.000Z
* feat: add Kubernetes manifests and Tiltfile integration for MCP server

Creates k8s manifests (configmap, secret, deployment, service) for the
MCP server in services/mcp-server/k8s/ and adds docker_build, k8s_yaml,
and k8s_resource entries to the Tiltfile for local development.

The MCP server runs SSE transport on port 8090, connects to the gateway
for all backend gRPC calls, and port-forwards on 18090 locally to avoid
conflict with the gateway's 8090 port-forward.

* fix: use TCP socket probes for MCP server health checks

The /sse endpoint is a long-lived SSE stream (it never sends a 200 and
returns), making it unsuitable as an httpGet probe target. Switch to
tcpSocket probes which verify the port is accepting connections without
coupling health checks to transport semantics.

* fix: correct labels and add gateway init container in mcp-server manifests

- Change component label from mcp-gateway to mcp-server across all manifests
- Change tier label from frontend to backend in deployment.yaml (MCP server
  is a backend API adapter, not a frontend component)
- Add wait-for-gateway init container to ensure gateway is ready before the
  MCP server starts (complements the existing wait-for-control-plane check)

* fix: add readOnlyRootFilesystem to init container security contexts

Harden init container security contexts to match the main container by
adding readOnlyRootFilesystem: true. The busybox nc command does not
require a writable root filesystem.

---------

Co-authored-by: Ben Coombs &lt;bjcoombs@users.noreply.github.com&gt;
diff --git a/Tiltfile b/Tiltfile
@@ -613,6 +613,49 @@ k8s_resource(
     labels=['gateway'],
 )
 
+# =============================================================================
+# MCP Server
+# =============================================================================
+# Model Context Protocol server for AI agent integration.
+# Exposes Meridian's transaction engine capabilities via MCP SSE transport.
+# Connects to the gateway for all backend gRPC service calls.
+
+# Standard build args for mcp-server
+mcp_server_build_args = {
+    'VERSION': 'dev',
+    'COMMIT': local('git rev-parse --short HEAD'),
+    'BUILD_DATE': get_build_date(),
+}
+
+# Build mcp-server Docker image
+docker_build(
+    'mcp-server',
+    context='.',
+    dockerfile='services/mcp-server/cmd/Dockerfile',
+    build_args=mcp_server_build_args,
+)
+
+# Deploy mcp-server K8s manifests
+k8s_yaml('services/mcp-server/k8s/secret.yaml')
+k8s_yaml('services/mcp-server/k8s/configmap.yaml')
+k8s_yaml('services/mcp-server/k8s/deployment.yaml')
+k8s_yaml('services/mcp-server/k8s/service.yaml')
+
+# Configure mcp-server resource
+k8s_resource(
+    'mcp-server',
+    port_forwards=['18090:8090'],  # MCP SSE endpoint (18090 to avoid conflict with gateway)
+    resource_deps=[
+        'generate-proto',   # Ensures proto files are generated before building
+        'gateway',          # MCP server routes all gRPC calls through the gateway
+        'control-plane',    # Wait for control-plane readiness (init container check)
+    ],
+    labels=['gateway'],
+    objects=[
+        'mcp-server-config:configmap',
+    ],
+)
+
 # =============================================================================
 # Resource Configuration
 # =============================================================================
@@ -948,6 +991,9 @@ Gateway:
   • HTTP Gateway           → localhost:8090 (subdomain routing)
     - Tenant resolution via TenantResolverMiddleware
     - Proxies to gRPC backends via Connect protocol
+  • MCP Server             → localhost:18090 (SSE transport)
+    - Model Context Protocol for AI agent integration
+    - Routes all gRPC calls through the HTTP gateway
 
 Frontend:
   • Meridian Console       → http://localhost:5173 (Vite + React)
diff --git a/services/mcp-server/k8s/configmap.yaml b/services/mcp-server/k8s/configmap.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mcp-server-config
+  labels:
+    app: mcp-server
+    component: mcp-server
+data:
+  # Logging configuration
+  LOG_LEVEL: "info"
+
+  # MCP transport configuration
+  MCP_TRANSPORT: "sse"
+  MCP_SSE_PORT: "8090"
+  MCP_SERVER_NAME: "meridian-mcp"
+
+  # Meridian gateway address (single gRPC endpoint for all backend services)
+  MERIDIAN_API_URL: "gateway:8080"
+
+  # OpenTelemetry configuration
+  OTEL_SERVICE_NAME: "mcp-server"
+  OTEL_SAMPLING_RATE: "0.1"
diff --git a/services/mcp-server/k8s/deployment.yaml b/services/mcp-server/k8s/deployment.yaml
@@ -0,0 +1,164 @@
+# Port Configuration: See shared/platform/ports/ports.go for canonical port assignments.
+# This service uses port 8090 for SSE transport (MCP_SSE_PORT).
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mcp-server
+  labels:
+    app: mcp-server
+    component: mcp-server
+    tier: backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mcp-server
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: mcp-server
+        component: mcp-server
+        tier: backend
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        runAsGroup: 65532
+        fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
+      initContainers:
+      - name: wait-for-control-plane
+        image: busybox:1.36
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for control-plane...'
+          until nc -z control-plane 50062; do
+            echo 'control-plane not ready, retrying in 2s'
+            sleep 2
+          done
+          echo 'control-plane is ready'
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            cpu: 50m
+            memory: 32Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65532
+          capabilities:
+            drop:
+            - ALL
+      - name: wait-for-gateway
+        image: busybox:1.36
+        command:
+        - sh
+        - -c
+        - |
+          echo 'Waiting for gateway...'
+          until nc -z gateway 8080; do
+            echo 'gateway not ready, retrying in 2s'
+            sleep 2
+          done
+          echo 'gateway is ready'
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            cpu: 50m
+            memory: 32Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65532
+          capabilities:
+            drop:
+            - ALL
+      containers:
+      - name: mcp-server
+        image: mcp-server:latest
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: sse
+          containerPort: 8090
+          protocol: TCP
+        envFrom:
+        - configMapRef:
+            name: mcp-server-config
+        env:
+        - name: MERIDIAN_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: mcp-server-secrets
+              key: MERIDIAN_API_KEY
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 200m
+            memory: 256Mi
+        livenessProbe:
+          tcpSocket:
+            port: sse
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 3
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          tcpSocket:
+            port: sse
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          successThreshold: 1
+          failureThreshold: 3
+        startupProbe:
+          tcpSocket:
+            port: sse
+          initialDelaySeconds: 0
+          periodSeconds: 2
+          timeoutSeconds: 3
+          successThreshold: 1
+          failureThreshold: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65532
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      volumes:
+      - name: tmp
+        emptyDir: {}
+      terminationGracePeriodSeconds: 30
diff --git a/services/mcp-server/k8s/secret.yaml b/services/mcp-server/k8s/secret.yaml
@@ -0,0 +1,16 @@
+# SECURITY NOTE: This secret contains development credentials only.
+# For production deployments:
+# - Use external secret management (e.g., Sealed Secrets, External Secrets Operator)
+# - Rotate credentials regularly
+# - Use RBAC to restrict secret access
+# - Enable encryption at rest for secrets
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mcp-server-secrets
+  labels:
+    app: mcp-server
+type: Opaque
+stringData:
+  # Local development API key - replace with a real key in production
+  MERIDIAN_API_KEY: "dev-mcp-api-key"
diff --git a/services/mcp-server/k8s/service.yaml b/services/mcp-server/k8s/service.yaml
@@ -0,0 +1,18 @@
+# Port Configuration: See shared/platform/ports/ports.go for canonical port assignments.
+# This service uses port 8090 for SSE transport (MCP_SSE_PORT).
+apiVersion: v1
+kind: Service
+metadata:
+  name: mcp-server
+  labels:
+    app: mcp-server
+    component: mcp-server
+spec:
+  type: ClusterIP
+  ports:
+  - name: sse
+    port: 8090
+    targetPort: sse
+    protocol: TCP
+  selector:
+    app: mcp-server
