diff --git a/charts/mcp-stack/examples/values-aws-nlb.yaml b/charts/mcp-stack/examples/values-aws-nlb.yaml new file mode 100644 index 000000000..f784c2329 --- /dev/null +++ b/charts/mcp-stack/examples/values-aws-nlb.yaml 
@@ -0,0 +1,109 @@ +# Example values for deploying mcp-stack with AWS Network Load Balancer (NLB) +# This configuration demonstrates common AWS NLB settings + +mcpContextForge: + replicaCount: 2 + + service: + type: LoadBalancer + port: 80 + + # AWS NLB Configuration + annotations: + # Use Network Load Balancer + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + + # Target type: "ip" for Fargate/EKS with CNI, "instance" for EC2 nodes + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + + # Internet-facing or internal + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + + # Enable cross-zone load balancing for better availability + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + + # Health check configuration + service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "4444" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/health" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2" + + # Connection settings + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + + # Target group attributes for better performance + service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: | + deregistration_delay.timeout_seconds=30, + deregistration_delay.connection_termination.enabled=true, + preserve_client_ip.enabled=true + + # Resource tags for cost tracking and organization + service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Environment=production,Application=mcp-gateway,ManagedBy=helm" + + # Optional: Specify subnets (replace with your subnet IDs) + # 
service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-xxxxx,subnet-yyyyy,subnet-zzzzz" + + # Optional: Specify security groups (replace with your SG IDs) + # service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxxxx" + + # Optional: Enable access logs (replace with your S3 bucket) + # service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true" + # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "my-nlb-logs-bucket" + # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "mcp-gateway" + + # Preserve client source IP (requires externalTrafficPolicy: Local) + externalTrafficPolicy: "Local" + + # Optional: Restrict access to specific CIDR ranges + # loadBalancerSourceRanges: + # - "10.0.0.0/8" + # - "172.16.0.0/12" + +# Example with SSL/TLS termination at NLB +# Uncomment and configure if you want HTTPS at the load balancer level +# +# mcpContextForge: +# service: +# type: LoadBalancer +# port: 443 +# +# annotations: +# service.beta.kubernetes.io/aws-load-balancer-type: "nlb" +# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" +# service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" +# +# # SSL certificate from ACM +# service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" +# service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" +# service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01" +# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" +# +# additionalPorts: +# - name: http +# port: 80 +# targetPort: 4444 +# protocol: TCP + +# Example with static Elastic IPs +# Useful for whitelisting or DNS records +# +# mcpContextForge: +# service: +# annotations: +# service.beta.kubernetes.io/aws-load-balancer-type: "nlb" +# service.beta.kubernetes.io/aws-load-balancer-eip-allocations: 
"eipalloc-xxxxx,eipalloc-yyyyy,eipalloc-zzzzz" + +# Example for internal NLB (private VPC only) +# +# mcpContextForge: +# service: +# annotations: +# service.beta.kubernetes.io/aws-load-balancer-type: "nlb" +# service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" +# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" +# service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-private1,subnet-private2,subnet-private3" + +# Made with Bob diff --git a/charts/mcp-stack/templates/deployment-mcpgateway.yaml b/charts/mcp-stack/templates/deployment-mcpgateway.yaml index a01fac844..9c82c17fb 100644 --- a/charts/mcp-stack/templates/deployment-mcpgateway.yaml +++ b/charts/mcp-stack/templates/deployment-mcpgateway.yaml @@ -55,16 +55,25 @@ spec: {{- if .Values.pgbouncer.enabled }} value: {{ printf "%s-pgbouncer" (include "mcp-stack.fullname" .) }} {{- else }} - value: {{ printf "%s-postgres" (include "mcp-stack.fullname" .) }} + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_HOST {{- end }} - name: POSTGRES_PORT {{- if .Values.pgbouncer.enabled }} value: "{{ .Values.pgbouncer.service.port }}" {{- else }} - value: "{{ .Values.mcpContextForge.env.postgres.port }}" + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_PORT {{- end }} - name: POSTGRES_DB - value: "{{ .Values.mcpContextForge.env.postgres.db }}" + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_DB - name: POSTGRES_USER valueFrom: secretKeyRef: @@ -116,6 +125,10 @@ spec: name: {{ include "mcp-stack.fullname" . }}-gateway-secret - configMapRef: name: {{ include "mcp-stack.fullname" . }}-gateway-config +{{- with .Values.mcpContextForge.externalSecret }} + - secretRef: + name: {{ . }} +{{- end }} ################################################################ # HEALTH & READINESS PROBES 
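Review bot: The uncommented block in this example deploys the gateway as an `internet-facing` NLB on plain-text port 80 while `loadBalancerSourceRanges`, the security-group annotation and the TLS listener all sit in commented-out sections, so applying the file as-is yields an unencrypted, unrestricted public endpoint over which the gateway's credentials and admin traffic would travel in the clear (inferred from the chart's purpose — confirm). I would make `service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"` the live default and add the comment `# Switch to "internet-facing" only together with the TLS example and loadBalancerSourceRanges below`, or alternatively promote the TLS block to the live configuration. In the TLS block, `ELBSecurityPolicy-TLS-1-2-2017-01` is an older policy; AWS's current recommended default for NLB TLS listeners is the TLS 1.3-capable one, so change that line to `service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"`. The `target-group-attributes` value is written as a block scalar with newlines between the comma-separated pairs; the controller splits that string on commas, so verify it tolerates the surrounding whitespace or join the pairs on one line.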
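Review bot: The new `secretRef` for `.Values.mcpContextForge.externalSecret` is appended as the last `envFrom` source after the chart's own gateway-secret and gateway-config, and Kubernetes gives the last `envFrom` source precedence for duplicate keys, so any key in that secret silently overrides chart-managed settings (auth, database and cache variables alike) while the explicit `env:` entries above still win; neither the template nor the values comment says so. The name is rendered unquoted as `name: {{ . }}`, so a numeric-looking secret name would render as a non-string; use `name: {{ . | quote }}`. The same `envFrom` entry is not added to the migration Job elsewhere in this diff, so a connection string or credential supplied only through `externalSecret` reaches the gateway but not the migrations — add the same block there or document the asymmetry. The `envFrom` list and container spec continue past this hunk.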
diff --git a/charts/mcp-stack/templates/job-migration.yaml b/charts/mcp-stack/templates/job-migration.yaml index 65a48f16a..379a11411 100644 --- a/charts/mcp-stack/templates/job-migration.yaml +++ b/charts/mcp-stack/templates/job-migration.yaml @@ -45,11 +45,20 @@ spec: env: # ---------- POSTGRES ---------- - name: POSTGRES_HOST - value: {{ printf "%s-postgres" (include "mcp-stack.fullname" .) }} + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_HOST - name: POSTGRES_PORT - value: "{{ .Values.mcpContextForge.env.postgres.port }}" + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_PORT - name: POSTGRES_DB - value: "{{ .Values.mcpContextForge.env.postgres.db }}" + valueFrom: + secretKeyRef: + name: {{ include "mcp-stack.postgresSecretName" . | trim }} + key: POSTGRES_DB - name: POSTGRES_USER valueFrom: secretKeyRef: diff --git a/charts/mcp-stack/templates/service-mcp.yaml b/charts/mcp-stack/templates/service-mcp.yaml index ad91ce6f5..5c0669a89 100644 --- a/charts/mcp-stack/templates/service-mcp.yaml +++ b/charts/mcp-stack/templates/service-mcp.yaml @@ -4,6 +4,10 @@ metadata: name: {{ include "mcp-stack.fullname" . }}-mcpgateway labels: {{- include "mcp-stack.labels" . | nindent 4 }} + {{- with .Values.mcpContextForge.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.mcpContextForge.service.type }} selector: diff --git a/charts/mcp-stack/values.schema.json b/charts/mcp-stack/values.schema.json index eea3ead99..e77afa870 100644 --- a/charts/mcp-stack/values.schema.json +++ b/charts/mcp-stack/values.schema.json @@ -121,6 +121,14 @@ "minimum": 1, "maximum": 65535, "default": 80 + }, + "annotations": { + "type": "object", + "description": "Service annotations (e.g., for AWS NLB configuration)", + "additionalProperties": { + "type": "string" + }, + "default": {} } }, "additionalProperties": false 
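Review bot: `POSTGRES_HOST`, `POSTGRES_PORT` and `POSTGRES_DB` are now read exclusively from keys of the secret named by `mcp-stack.postgresSecretName`, replacing the computed `<fullname>-postgres` host and the `env.postgres.port`/`env.postgres.db` values, so if that helper can resolve to a user-supplied secret that carries only the user/password keys the previous release needed (inferred from the removed lines), the migration Job sits in CreateContainerConfigError with no template-time error. Either keep the old literal `value:` as the fallback when the secret is not chart-managed, or add a comment here and in values.yaml listing the contract, e.g. `# The postgres secret must provide POSTGRES_HOST, POSTGRES_PORT and POSTGRES_DB alongside the credential keys`. These values are also no longer visible in `helm template` output, which makes a wrong host or port harder to catch in CI review. The Job's container spec continues past this hunk.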
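Review bot: This hunk wires only `service.annotations` into the Service, yet the new AWS example depends on `service.externalTrafficPolicy` and (commented) `service.loadBalancerSourceRanges` to preserve client IPs and to restrict who may reach an internet-facing NLB; nothing in this diff renders those fields, and the schema hunk keeps `additionalProperties: false` on the service object without declaring them, so unless they already exist outside the hunk the example either fails schema validation or silently ships an unrestricted public Service. If they are not already rendered, add after `type:` a guarded `{{- with .Values.mcpContextForge.service.externalTrafficPolicy }}` / `externalTrafficPolicy: {{ . }}` / `{{- end }}` and the `loadBalancerSourceRanges` list via `toYaml`, and declare both in values.schema.json. The `spec:` block continues past this hunk.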
@@ -252,6 +260,12 @@ "additionalProperties": false }, + "externalSecret": { + "type": "string", + "description": "Optional name of an external secret to inject additional environment variables. Leave empty to disable. Useful for secrets managed by External Secrets Operator, Sealed Secrets, or other external secret management tools.", + "default": "" + }, + "pluginConfig": { "type": "object", "description": "Plugin configuration via ConfigMap", @@ -402,7 +416,7 @@ "CACHE_TYPE": { "type": "string", "description": "Cache backend type", - "enum": ["redis", "memory", "database"], + "enum": ["redis", "memory", "none", "database"], "default": "redis" }, "CACHE_PREFIX": { diff --git a/charts/mcp-stack/values.yaml b/charts/mcp-stack/values.yaml index de5c7025f..95d0954af 100644 --- a/charts/mcp-stack/values.yaml +++ b/charts/mcp-stack/values.yaml @@ -11,6 +11,12 @@ global: # MCP CONTEXT-FORGE (Gateway / API tier) ######################################################################## mcpContextForge: + # --- External Secret Reference (Optional) ---# + # Name of an external secret to inject additional environment variables + # Leave empty to disable. Useful for secrets managed by External Secrets Operator, + # Sealed Secrets, or other external secret management tools. + externalSecret: "" + # --- Specific plugin file ----# pluginConfig: enabled: false
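Review bot: `externalSecret` is typed as a free-form string but is rendered straight into a `secretRef.name`, so constrain it to a Kubernetes object name and let a typo or injected value fail at schema validation instead of at pod start, e.g. `"pattern": "^$|^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$", "maxLength": 253`. The description should also state that keys in that secret take precedence over the chart's own secret and configmap values, since the Deployment lists it as the last envFrom source. Separately, the hunk below adds `"none"` to the `CACHE_TYPE` enum with no explanation in the diff; confirm the application accepts that value, otherwise the schema now permits a configuration the gateway rejects at runtime.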
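Review bot: The comment says "Leave empty to disable" but not what happens when the name is set and the secret is absent: the Deployment's `secretRef` does not set `optional: true`, so a secret that an External Secrets Operator or Sealed Secrets controller has not yet synced (the very use case cited here) keeps every gateway pod in CreateContainerConfigError until it appears. Add `# The secret must exist before the gateway starts; keys in it override values from the chart-managed secret and configmap` so operators know both the ordering dependency and the override behaviour.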