@DahuK DahuK commented Jan 16, 2026

I tried to deploy an MCPServer. During the deployment, the kagent controller attempts to list tools from the MCP backend over HTTPS, but it fails with the following error:

"reconcileID":"c77f3b32-f68a-443d-8a1f-b56a1fe7d3a9","error":"failed to upsert tool server for remote mcp server default/dahu-mcp: failed to fetch tools for toolServer default/dahu-mcp: failed to initialize client for toolServer default/dahu-mcp: transport error: request failed with status 400: Client sent an HTTP request to an HTTPS server.\n"

To address this, I think we should enhance MCPServer by adding an HTTPTransportTLS field, so users can customize the TLS client configuration (e.g., client certificate/key and CA bundle) when connecting to the MCP server. An example:

```yaml
apiVersion: kagent.dev/v1alpha1
kind: MCPServer
metadata:
  name: test-mcp
spec:
  transportType: http
  httpTransport:
    targetPort: 8443
    path: /
    tls:
      secretRef: test-tls-client   # Custom client certificate used to access the MCP server

  deployment:
    image: ghcr.io/test/test-mcp:v0.1.0
    port: 8443
    args:
      - --http-addr
      - :8443
      - --tls-cert
      - /etc/tls/tls.crt
      - --tls-key
      - /etc/tls/tls.key

    # Explicitly create the volume
    volumes:
      - name: tls-certs
        secret:
          secretName: test-tls-server
    volumeMounts:
      - name: tls-certs
        mountPath: /etc/tls
        readOnly: true
```

Signed-off-by: dahu.kdh <dahu.kdh@alibaba-inc.com>
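
As an added example (not part of this PR or of kagent's code), this shows how the data of the Secret named by the proposed `tls.secretRef` could be turned into a Go client TLS configuration that fails closed on a bad CA bundle or a half-configured key pair. The function names and the Secret key names `ca.crt`, `tls.crt` and `tls.key` are assumptions; the certificate is constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// clientTLSConfig maps Secret data to client TLS settings; key names are assumed.
func clientTLSConfig(data map[string][]byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if ca, ok := data["ca.crt"]; ok {
		pool := x509.NewCertPool()
		// Fail closed: never continue with an empty or unparsable bundle.
		if !pool.AppendCertsFromPEM(ca) {
			return nil, fmt.Errorf("ca.crt holds no PEM certificate")
		}
		cfg.RootCAs = pool
	}
	cert, key := data["tls.crt"], data["tls.key"]
	// A half-configured pair errors here rather than dropping client auth.
	if len(cert) > 0 || len(key) > 0 {
		pair, err := tls.X509KeyPair(cert, key)
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// constructedPair returns a throwaway self-signed cert and key (sample input).
func constructedPair() (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	cert, key := constructedPair()
	_, err := clientTLSConfig(map[string][]byte{"ca.crt": cert, "tls.crt": cert, "tls.key": key})
	fmt.Println("config built, err:", err)
}
```

When `ca.crt` is absent, `RootCAs` stays nil and Go verifies the server against the system trust store.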
@DahuK DahuK force-pushed the add-mcpserver-tls branch from 8d093ad to 4d8aca9 Compare January 22, 2026 13:09
@EItanya EItanya left a comment

So my main issue with this PR is actually the fact that this config is NOT used by the MCPServer at all, but only by the Agent which references it in kagent. I understand the reason for this as we want a consistent way to access this resource, but it feels a little bit strange. Let me think a little bit on this.

DahuK commented Jan 28, 2026

> So my main issue with this PR is actually the fact that this config is NOT used by the MCPServer at all, but only by the Agent which references it in kagent. I understand the reason for this as we want a consistent way to access this resource, but it feels a little bit strange. Let me think a little bit on this.

Agree. Perhaps defining the client certificate reference in the McpServerTool within agent types is also an option. Looking forward to your decision.
