Update Helm Chart to Use External Secrets

charts/mcp-stack/examples/values-aws-nlb.yaml

@@ -0,0 +1,109 @@
+# Example values for deploying mcp-stack with AWS Network Load Balancer (NLB)
+# This configuration demonstrates common AWS NLB settings
+
+mcpContextForge:
+  replicaCount: 2
+
+  service:
+    type: LoadBalancer
+    port: 80
+
+    # AWS NLB Configuration
+    annotations:
+      # Use Network Load Balancer
+      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+
+      # Target type: "ip" for Fargate/EKS with CNI, "instance" for EC2 nodes
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+
+      # Internet-facing or internal
+      service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+
+      # Enable cross-zone load balancing for better availability
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+
+      # Health check configuration
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "4444"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/health"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "5"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
+
+      # Connection settings
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+
+      # Target group attributes for better performance
+      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: |
+        deregistration_delay.timeout_seconds=30,
+        deregistration_delay.connection_termination.enabled=true,
+        preserve_client_ip.enabled=true
+
+      # Resource tags for cost tracking and organization
+      service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Environment=production,Application=mcp-gateway,ManagedBy=helm"
+
+      # Optional: Specify subnets (replace with your subnet IDs)
+      # service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-xxxxx,subnet-yyyyy,subnet-zzzzz"
+
+      # Optional: Specify security groups (replace with your SG IDs)
+      # service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-xxxxx"
+
+      # Optional: Enable access logs (replace with your S3 bucket)
+      # service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
+      # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "my-nlb-logs-bucket"
+      # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "mcp-gateway"
+
+    # Preserve client source IP (requires externalTrafficPolicy: Local)
+    externalTrafficPolicy: "Local"
+
+    # Optional: Restrict access to specific CIDR ranges
+    # loadBalancerSourceRanges:
+    #   - "10.0.0.0/8"
+    #   - "172.16.0.0/12"
+
+# Example with SSL/TLS termination at NLB
+# Uncomment and configure if you want HTTPS at the load balancer level
+#
+# mcpContextForge:
+#   service:
+#     type: LoadBalancer
+#     port: 443
+#     
+#     annotations:
+#       service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+#       service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+#       service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+#       
+#       # SSL certificate from ACM
+#       service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+#       service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+#       service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+#       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+#     
+#     additionalPorts:
+#       - name: http
+#         port: 80
+#         targetPort: 4444
+#         protocol: TCP
+
+# Example with static Elastic IPs
+# Useful for whitelisting or DNS records
+#
+# mcpContextForge:
+#   service:
+#     annotations:
+#       service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+#       service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "eipalloc-xxxxx,eipalloc-yyyyy,eipalloc-zzzzz"
+
+# Example for internal NLB (private VPC only)
+#
+# mcpContextForge:
+#   service:
+#     annotations:
+#       service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+#       service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+#       service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
+#       service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-private1,subnet-private2,subnet-private3"
+
+# Made with Bob

charts/mcp-stack/templates/deployment-mcpgateway.yaml

@@ -55,16 +55,25 @@ spec:
               {{- if .Values.pgbouncer.enabled }}
               value: {{ printf "%s-pgbouncer" (include "mcp-stack.fullname" .) }}
               {{- else }}
-              value: {{ printf "%s-postgres" (include "mcp-stack.fullname" .) }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_HOST
               {{- end }}
             - name: POSTGRES_PORT
               {{- if .Values.pgbouncer.enabled }}
               value: "{{ .Values.pgbouncer.service.port }}"
               {{- else }}
-              value: "{{ .Values.mcpContextForge.env.postgres.port }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_PORT
               {{- end }}
             - name: POSTGRES_DB
-              value: "{{ .Values.mcpContextForge.env.postgres.db }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_DB
             - name: POSTGRES_USER
               valueFrom:
                 secretKeyRef:
@@ -116,6 +125,10 @@ spec:
                 name: {{ include "mcp-stack.fullname" . }}-gateway-secret
             - configMapRef:
                 name: {{ include "mcp-stack.fullname" . }}-gateway-config
+{{- with .Values.mcpContextForge.externalSecret }}
+            - secretRef:
+                name: {{ . }}
+{{- end }}
 
           ################################################################
           # HEALTH & READINESS PROBES

charts/mcp-stack/templates/job-migration.yaml

@@ -45,11 +45,20 @@ spec:
           env:
             # ---------- POSTGRES ----------
             - name: POSTGRES_HOST
-              value: {{ printf "%s-postgres" (include "mcp-stack.fullname" .) }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_HOST
             - name: POSTGRES_PORT
-              value: "{{ .Values.mcpContextForge.env.postgres.port }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_PORT
             - name: POSTGRES_DB
-              value: "{{ .Values.mcpContextForge.env.postgres.db }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "mcp-stack.postgresSecretName" . | trim }}
+                  key: POSTGRES_DB
             - name: POSTGRES_USER
               valueFrom:
                 secretKeyRef:

charts/mcp-stack/templates/service-mcp.yaml

@@ -4,6 +4,10 @@ metadata:
   name: {{ include "mcp-stack.fullname" . }}-mcpgateway
   labels:
     {{- include "mcp-stack.labels" . | nindent 4 }}
+  {{- with .Values.mcpContextForge.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   type: {{ .Values.mcpContextForge.service.type }}
   selector:

charts/mcp-stack/values.schema.json

@@ -121,6 +121,14 @@
               "minimum": 1,
               "maximum": 65535,
               "default": 80
+            },
+            "annotations": {
+              "type": "object",
+              "description": "Service annotations (e.g., for AWS NLB configuration)",
+              "additionalProperties": {
+                "type": "string"
+              },
+              "default": {}
             }
           },
           "additionalProperties": false
@@ -252,6 +260,12 @@
           "additionalProperties": false
         },
 
+        "externalSecret": {
+          "type": "string",
+          "description": "Optional name of an external secret to inject additional environment variables. Leave empty to disable. Useful for secrets managed by External Secrets Operator, Sealed Secrets, or other external secret management tools.",
+          "default": ""
+        },
+
         "pluginConfig": {
           "type": "object",
           "description": "Plugin configuration via ConfigMap",
@@ -402,7 +416,7 @@
             "CACHE_TYPE": {
               "type": "string",
               "description": "Cache backend type",
-              "enum": ["redis", "memory", "database"],
+              "enum": ["redis", "memory", "none", "database"],
               "default": "redis"
             },
             "CACHE_PREFIX": {

charts/mcp-stack/values.yaml

@@ -11,6 +11,12 @@ global:
 # MCP CONTEXT-FORGE (Gateway / API tier)
 ########################################################################
 mcpContextForge:
+  # --- External Secret Reference (Optional) ---#
+  # Name of an external secret to inject additional environment variables
+  # Leave empty to disable. Useful for secrets managed by External Secrets Operator,
+  # Sealed Secrets, or other external secret management tools.
+  externalSecret: ""
+
   # --- Specific plugin file ----#
   pluginConfig:
     enabled: false