
Commit 3a38536

ROX-32640: Add TLS Support (#30)
1 parent 78af324 commit 3a38536

12 files changed

+425
-40
lines changed


README.md

Lines changed: 18 additions & 2 deletions
@@ -71,7 +71,7 @@ Configuration for connecting to StackRox Central.
7171
| Option | Environment Variable | Type | Required | Default | Description |
7272
|--------|---------------------|------|----------|---------|-------------|
7373
| `central.url` | `STACKROX_MCP__CENTRAL__URL` | string | Yes | central.stackrox:443 | URL of StackRox Central instance |
74-
| `central.auth_type` | `STACKROX_MCP__CENTRAL__AUTH_TYPE` | string | No | `passthrough` | Authentication type: `passthrough` (use token from MCP client headers) or `static` (use configured token) |
74+
| `central.auth_type` | `STACKROX_MCP__CENTRAL__AUTH_TYPE` | string | No | `passthrough` | Authentication type: `passthrough` (use token from MCP client headers) or `static` (use configured token). **Note**: Helm chart only supports `passthrough` mode. |
7575
| `central.api_token` | `STACKROX_MCP__CENTRAL__API_TOKEN` | string | Conditional | - | API token for static authentication (required when `auth_type` is `static`, must not be set when `passthrough`) |
7676
| `central.insecure_skip_tls_verify` | `STACKROX_MCP__CENTRAL__INSECURE_SKIP_TLS_VERIFY` | bool | No | `false` | Skip TLS certificate verification (use only for testing) |
7777
| `central.force_http1` | `STACKROX_MCP__CENTRAL__FORCE_HTTP1` | bool | No | `false` | Route gRPC traffic through the HTTP/1 bridge (gRPC-Web/WebSockets) for environments that block HTTP/2 |
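Review bot: the new note on `central.auth_type` says the Helm chart only supports `passthrough`, but the row does not say what happens when a Helm user sets `config.central.auth_type=static` anyway (rejected at install time, or silently overridden), so document that behaviour. Because passthrough means every MCP request carries the client's Central API token in its headers, this row or the `central.insecure_skip_tls_verify` row below should also state that the listener TLS this change introduces (`tlsSecret`) is what protects those tokens in transit, and that `insecure_skip_tls_verify` only affects the MCP-server-to-Central hop, not the client-to-MCP-server hop.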
@@ -96,7 +96,7 @@ HTTP server settings for the MCP server.
9696

9797
| Option | Environment Variable | Type | Required | Default | Description |
9898
|--------|---------------------|------|----------|---------|-------------|
99-
| `server.type` | `STACKROX_MCP__SERVER__TYPE` | string | No | `streamable-http` | Server transport type: `streamable-http` (HTTP server) or `stdio` (stdio transport). **Note**: stdio transport requires `central.auth_type` to be set to `static` |
99+
| `server.type` | `STACKROX_MCP__SERVER__TYPE` | string | No | `streamable-http` | Server transport type: `streamable-http` (HTTP server) or `stdio` (stdio transport). **Note**: stdio transport requires `central.auth_type` to be set to `static`. Helm chart only supports `streamable-http`. |
100100
| `server.address` | `STACKROX_MCP__SERVER__ADDRESS` | string | No | `0.0.0.0` | HTTP server listen address (only applies when `server.type` is `http`) |
101101
| `server.port` | `STACKROX_MCP__SERVER__PORT` | int | No | `8080` | HTTP server listen port (must be 1-65535, only applies when `server.type` is `http`) |
102102

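Review bot: the `server.address` and `server.port` rows still say "only applies when `server.type` is `http`", but the row edited here lists the valid values as `streamable-http` and `stdio`; `http` is not one of them, so change both descriptions to `streamable-http`. The default listen address `0.0.0.0` also deserves one sentence next to the new Helm note: binding all interfaces is fine for a pod behind a Service, but a reader running `streamable-http` outside Kubernetes should be told to set `server.address` to a loopback address unless network exposure is intended, since with passthrough authentication the listener receives Central API tokens.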
@@ -273,6 +273,8 @@ See [.github/workflows/build.yml](.github/workflows/build.yml) for build pipelin
273273

274274
Deploy the StackRox MCP server to Kubernetes or OpenShift clusters using Helm.
275275

276+
> **For Kubernetes/OpenShift deployments, see the [Helm Chart README](charts/stackrox-mcp/README.md) for complete configuration options, authentication details, and deployment examples.**
277+
276278
### Prerequisites
277279

278280
- Kubernetes 1.19+ or OpenShift 4.x+
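Review bot: the Prerequisites list that begins here should gain an entry for a TLS certificate and private key, because the `helm install` examples further down in this change pass `--set-file tlsSecret.cert` and `--set-file tlsSecret.key` and `helm` will fail when those files do not exist; say whether a self-signed pair is acceptable and how to generate one. The new pointer to `charts/stackrox-mcp/README.md` is a relative link, so confirm that file is part of this commit, as the changed-file list is not shown in this hunk.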
@@ -287,6 +289,9 @@ Deploy the StackRox MCP server to Kubernetes or OpenShift clusters using Helm.
287289
helm install stackrox-mcp charts/stackrox-mcp \
288290
--namespace stackrox-mcp \
289291
--create-namespace \
292+
--set-file tlsSecret.cert=/path/to/tls.crt \
293+
--set-file tlsSecret.key=/path/to/tls.key \
294+
--set-file openshift.route.tls.destinationCACertificate=/path/to/tls.crt \
290295
--set config.central.url=central.stackrox:443
291296
```
292297

@@ -306,6 +311,9 @@ Install with custom values:
306311
helm install stackrox-mcp charts/stackrox-mcp \
307312
--namespace stackrox-mcp \
308313
--create-namespace \
314+
--set-file tlsSecret.cert=/path/to/tls.crt \
315+
--set-file tlsSecret.key=/path/to/tls.key \
316+
--set-file openshift.route.tls.destinationCACertificate=/path/to/tls.crt \
309317
--values values.yaml
310318
```
311319

@@ -316,9 +324,17 @@ helm install stackrox-mcp charts/stackrox-mcp \
316324
--namespace stackrox-mcp \
317325
--create-namespace \
318326
--set config.central.url=central.stackrox:443 \
327+
--set-file tlsSecret.cert=/path/to/tls.crt \
328+
--set-file tlsSecret.key=/path/to/tls.key \
329+
--set-file openshift.route.tls.destinationCACertificate=/path/to/tls.crt \
319330
--set openshift.route.host=stackrox-mcp.apps.example.com
320331
```
321332

333+
**Important Notes for Helm Deployments:**
334+
- The Helm chart uses **passthrough authentication** only (`central.auth_type=passthrough`). Clients must provide API tokens.
335+
- The Helm chart uses **streamable-http transport** only (`server.type=streamable-http`). Stdio transport is not supported in Kubernetes.
336+
- See the [Helm Chart README](charts/stackrox-mcp/README.md) for details on authentication configuration, TLS setup, and advanced options.
337+
322338
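Review bot: the note "Clients must provide API tokens" should say which request header the server reads the token from, and, since this OpenShift example exposes the server at `stackrox-mcp.apps.example.com`, that the token is protected in transit only by the route TLS configured through the `tlsSecret` and `destinationCACertificate` flags above. The bullet "Stdio transport is not supported in Kubernetes" reads as a platform limitation when it is a chart decision; phrase it as "the chart does not configure stdio transport". Here too `destinationCACertificate` is given `tls.crt` rather than a CA certificate.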
### Managing the Deployment
323339

324340
**Upgrade an existing release:**
