feat(helm): add mcp server (#6586)

Author: wenxi-onyx

deployment/data/nginx/mcp.conf.inc.template

@@ -1,5 +1,6 @@
-# MCP Server - must come BEFORE /api location
-location /mcp {
+# MCP Server - Model Context Protocol for LLM integrations
+# Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
+location ~ ^/mcp(/.*)?$ {
     # misc headers
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -17,6 +18,7 @@ location /mcp {
     proxy_read_timeout 300s;
 
     proxy_redirect off;
-    rewrite ^/mcp/?(.*)$ /$1 break;
-    proxy_pass http://mcp_server/;
+    rewrite ^/mcp(/.*)$ $1 break;
+    rewrite ^/mcp/?$ / break;
+    proxy_pass http://mcp_server;
 }

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.13
+version: 0.4.14
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/templates/ingress-mcp.yaml

@@ -0,0 +1,28 @@
+{{- if and .Values.ingress.enabled .Values.mcpServer.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "onyx.fullname" . }}-ingress-mcp
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    cert-manager.io/cluster-issuer: {{ include "onyx.fullname" . }}-letsencrypt
+spec:
+  rules:
+    - host: {{ .Values.ingress.api.host }}
+      http:
+        paths:
+          - path: /mcp(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ include "onyx.fullname" . }}-mcp-server-service
+                port:
+                  number: {{ .Values.mcpServer.service.servicePort }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.api.host }}
+      secretName: {{ include "onyx.fullname" . }}-ingress-mcp-tls
+{{- end }}
+

deployment/helm/charts/onyx/templates/mcp-server-deployment.yaml

@@ -0,0 +1,108 @@
+{{- if .Values.mcpServer.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "onyx.fullname" . }}-mcp-server
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    {{- with .Values.mcpServer.deploymentLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  replicas: {{ .Values.mcpServer.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "onyx.selectorLabels" . | nindent 6 }}
+      {{- if .Values.mcpServer.deploymentLabels }}
+      {{- toYaml .Values.mcpServer.deploymentLabels | nindent 6 }}
+      {{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+      {{- with .Values.mcpServer.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "onyx.labels" . | nindent 8 }}
+        {{- with .Values.mcpServer.deploymentLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- with .Values.mcpServer.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "onyx.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.mcpServer.podSecurityContext | nindent 8 }}
+      {{- with .Values.mcpServer.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.mcpServer.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.mcpServer.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: mcp-server
+          securityContext:
+            {{- toYaml .Values.mcpServer.securityContext | nindent 12 }}
+          image: "{{ .Values.mcpServer.image.repository }}:{{ .Values.mcpServer.image.tag | default .Values.global.version }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy }}
+          command: ["python", "onyx/mcp_server_main.py"]
+          ports:
+            - name: mcp-server-port
+              containerPort: {{ .Values.mcpServer.containerPorts.server }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: mcp-server-port
+            initialDelaySeconds: {{ .Values.mcpServer.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.mcpServer.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.mcpServer.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.mcpServer.livenessProbe.failureThreshold }}
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: mcp-server-port
+            initialDelaySeconds: {{ .Values.mcpServer.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.mcpServer.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.mcpServer.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.mcpServer.readinessProbe.failureThreshold }}
+          resources:
+            {{- toYaml .Values.mcpServer.resources | nindent 12 }}
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.config.envConfigMapName }}
+          env:
+            - name: MCP_SERVER_ENABLED
+              value: "true"
+            - name: MCP_SERVER_PORT
+              value: "{{ .Values.mcpServer.containerPorts.server }}"
+            {{- if .Values.mcpServer.corsOrigins }}
+            - name: MCP_SERVER_CORS_ORIGINS
+              value: "{{ .Values.mcpServer.corsOrigins }}"
+            {{- end }}
+            # API server connection for authentication and proxying
+            - name: API_SERVER_BASE_URL
+              value: "http://{{ include "onyx.fullname" . }}-api-service:{{ .Values.api.service.servicePort }}"
+            {{- include "onyx.envSecrets" . | nindent 12 }}
+          {{- with .Values.mcpServer.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.mcpServer.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
+

deployment/helm/charts/onyx/templates/mcp-server-service.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.mcpServer.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "onyx.fullname" . }}-mcp-server-service
+  labels:
+    {{- include "onyx.labels" . | nindent 4 }}
+    {{- if .Values.mcpServer.deploymentLabels }}
+    {{- toYaml .Values.mcpServer.deploymentLabels | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.mcpServer.service.type }}
+  ports:
+    - port: {{ .Values.mcpServer.service.servicePort }}
+      targetPort: {{ .Values.mcpServer.service.targetPort }}
+      protocol: TCP
+      name: {{ .Values.mcpServer.service.portName }}
+  selector:
+    {{- include "onyx.selectorLabels" . | nindent 4 }}
+    {{- if .Values.mcpServer.deploymentLabels }}
+    {{- toYaml .Values.mcpServer.deploymentLabels | nindent 4 }}
+    {{- end }}
+{{- end }}
+

deployment/helm/charts/onyx/templates/nginx-conf.yaml

@@ -1,3 +1,13 @@
+###############################################################################
+# NOTE: If you make changes to this file, increment the following in values.yaml
+# before running `helm upgrade` to trigger an automatic nginx restart:
+#
+#   nginx.controller.podAnnotations:
+#     onyx.app/nginx-config-version: "<new_version>"
+#
+# Otherwise, changes won't apply until you manually restart the nginx pods.
+###############################################################################
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -11,13 +21,41 @@ data:
     upstream web_server {
         server {{ include "onyx.fullname" . }}-webserver:{{ .Values.webserver.service.servicePort }} fail_timeout=0;
     }
+    {{- if .Values.mcpServer.enabled }}
+
+    upstream mcp_server {
+        server {{ include "onyx.fullname" . }}-mcp-server-service:{{ .Values.mcpServer.service.servicePort }} fail_timeout=0;
+    }
+    {{- end }}
 
   server.conf: |
     server {
         listen 1024;
         server_name $$DOMAIN;
 
         client_max_body_size 5G;
+        {{- if .Values.mcpServer.enabled }}
+
+        # MCP Server - Model Context Protocol for LLM integrations
+        # Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
+        location ~ ^/mcp(/.*)?$ {
+            rewrite ^/mcp(/.*)$ $1 break;
+            rewrite ^/mcp/?$ / break;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header Host $host;
+            proxy_http_version 1.1;
+            proxy_buffering off;
+            proxy_redirect off;
+            # timeout settings
+            proxy_connect_timeout {{ .Values.nginx.timeouts.connect }}s;
+            proxy_send_timeout {{ .Values.nginx.timeouts.send }}s;
+            proxy_read_timeout {{ .Values.nginx.timeouts.read }}s;
+            proxy_pass http://mcp_server;
+        }
+        {{- end }}
 
         location ~ ^/api(.*)$ {
             rewrite ^/api(/.*)$ $1 break;

deployment/helm/charts/onyx/values.yaml

@@ -175,6 +175,12 @@ nginx:
     containerPort:
       http: 1024
 
+    # NOTE: When onyx-nginx-conf changes, nginx pods need to restart.
+    # The ingress-nginx subchart doesn't auto-detect our custom ConfigMap changes.
+    # Workaround: Helm upgrade will restart if the following annotation value changes.
+    podAnnotations:
+      onyx.app/nginx-config-version: "1"
+
     # Propagate DOMAIN into nginx so server_name continues to use the same env var
     extraEnvs:
       - name: DOMAIN
@@ -693,6 +699,55 @@ slackbot:
   tolerations: []
   affinity: {}
 
+# Onyx Model Context Protocol (MCP) Server
+# Allows LLMs to use Onyx like invoking tools or accessing resources
+mcpServer:
+  enabled: false  # Disabled by default
+  replicaCount: 1
+  image:
+    repository: onyxdotapp/onyx-backend
+    tag: ""  # Overrides the image tag whose default is the chart appVersion.
+  # CORS origins for MCP clients (comma-separated)
+  # Example: "https://claude.ai,https://app.cursor.sh"
+  corsOrigins: ""
+  podAnnotations: {}
+  podLabels:
+    scope: onyx-backend
+    app: mcp-server
+  deploymentLabels:
+    app: mcp-server
+  containerPorts:
+    server: 8090
+  service:
+    type: ClusterIP
+    servicePort: 8090
+    targetPort: mcp-server-port
+    portName: mcp-server-port
+  podSecurityContext: {}
+  securityContext: {}
+  resources:
+    requests:
+      cpu: "250m"
+      memory: "256Mi"
+    limits:
+      cpu: "500m"
+      memory: "512Mi"
+  livenessProbe:
+    initialDelaySeconds: 10
+    periodSeconds: 30
+    timeoutSeconds: 5
+    failureThreshold: 3
+  readinessProbe:
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+  volumes: []
+  volumeMounts: []
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
 celery_worker_docfetching:
   replicaCount: 1
   autoscaling: