Skip to content

feat: support customized TLS configuration to mcpserver #1215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DahuK wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: support customized TLS configuration to mcpserver #1215

DahuK wants to merge 1 commit into from

Conversation

@DahuK
Copy link

@DahuK DahuK commented Jan 16, 2026

I tried to deploy an MCPServer. During deployment, the kagent controller attempts to list tools from the MCP backend over HTTPS, but it fails with the following error:

"reconcileID":"c77f3b32-f68a-443d-8a1f-b56a1fe7d3a9","error":"failed to upsert tool server for remote mcp server default/dahu-mcp: failed to fetch tools for toolServer default/dahu-mcp: failed to initialize client for toolServer default/dahu-mcp: transport error: request failed with status 400: Client sent an HTTP request to an HTTPS server.\n"

At the moment, MCPServer seems to only support calling the backend server over plain HTTP.

Therefore, I think we should allow users to configure a Secret reference in the MCPServer CRD for the certificates used to connect to the MCP server (I have already opened PR #114 in the kmcp project). The controller reconciler could then use the client certificate specified in the CRD when list tools. An example is shown below:

apiVersion: kagent.dev/v1alpha1
kind: MCPServer
metadata:
  name: test-mcp
spec:
  transportType: http
  httpTransport:
    targetPort: 8443
    path: /
    tls:
      secretRef: test-tls-client   # Custom client certificate used to access the MCP server

  deployment:
    image: ghcr.io/test/test-mcp:v0.1.0
    port: 8443
    args:
      - --http-addr
      - :8443
      - --tls-cert
      - /etc/tls/tls.crt
      - --tls-key
      - /etc/tls/tls.key

    # Explicitly create the volume
    volumes:
      - name: tls-certs
        secret:
          secretName: test-tls-server
    volumeMounts:
      - name: tls-certs
        mountPath: /etc/tls
        readOnly: true

These initial changes using a local go.mod replace of the kmcp package from #114. The final implementation will depend on the finalized definition in kmcp’s mcpserver_types.

@DahuK DahuK mentioned this pull request Jan 16, 2026
Open
3 tasks
EItanya
EItanya requested changes Jan 16, 2026
View reviewed changes
Copy link
Contributor

@EItanya EItanya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some initial changes necessary, can review more after these changes are made.

go/internal/controller/translator/agent/adk_api_translator.go
Copy link
Contributor

@EItanya EItanya Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR does not change the certs which the actual agents use to connect to the MCP server. You will need to update this translator to do that as well. You can see how it's done for the ModelConfig.

Copy link
Author

@DahuK DahuK Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I've already added some client certificate configuration logic for the interaction between ADK and MCP, and built an app image to complete preliminary validation of the MCP server configured with HTTPS in my test cluster.

go/internal/controller/translator/agent/adk_api_translator.go
if mcpServer.Spec.TransportType == v1alpha1.TransportTypeHTTP &&
mcpServer.Spec.HTTPTransport != nil &&
mcpServer.Spec.HTTPTransport.TLS != nil {
httpTLS := mcpServer.Spec.HTTPTransport.TLS
Copy link
Contributor

@EItanya EItanya Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this field coming from? Did you change kmcp?

Copy link
Author

@DahuK DahuK Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the changes were previously submitted in #114, please help review them, Thanks a lot!

@DahuK DahuK force-pushed the add-mcpserver-tls branch from 69a8510 to ab9e1e3 Compare January 22, 2026 12:02
@DahuK DahuK requested a review from peterj as a code owner January 22, 2026 12:02
@DahuK
feat: support customized TLS configuration to mcpserver
ca7b2aa 
Signed-off-by: dahu.kdh <dahu.kdh@alibaba-inc.com>
@DahuK DahuK force-pushed the add-mcpserver-tls branch from ab9e1e3 to ca7b2aa Compare January 22, 2026 12:55
@DahuK DahuK requested a review from EItanya January 22, 2026 12:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ilackarms ilackarms Awaiting requested review from ilackarms ilackarms is a code owner

@yuval-k yuval-k Awaiting requested review from yuval-k yuval-k is a code owner

@peterj peterj Awaiting requested review from peterj peterj is a code owner

@EItanya EItanya Awaiting requested review from EItanya EItanya is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DahuK @EItanya