Skip to content

feat: add tls configuration in mcpserver#114

Merged
EItanya merged 1 commit intokagent-dev:mainfrom
DahuK:add-mcpserver-tls
Jan 30, 2026
Merged

feat: add tls configuration in mcpserver#114
EItanya merged 1 commit intokagent-dev:mainfrom
DahuK:add-mcpserver-tls

Conversation

@DahuK
Copy link
Contributor

@DahuK DahuK commented Jan 16, 2026

I tried to deploy an MCPServer. During the deployment, the kagent controller attempts to list tools from the MCP backend over HTTPS, but it fails with the following error:

"reconcileID":"c77f3b32-f68a-443d-8a1f-b56a1fe7d3a9","error":"failed to upsert tool server for remote mcp server default/dahu-mcp: failed to fetch tools for toolServer default/dahu-mcp: failed to initialize client for toolServer default/dahu-mcp: transport error: request failed with status 400: Client sent an HTTP request to an HTTPS server.\n"

To address this, I think we should enhance MCPServer by adding an HTTPTransportTLS field, so users can customize the TLS client configuration (e.g., client certificate/key and CA bundle) when connecting to the MCP server. An example:

apiVersion: kagent.dev/v1alpha1
kind: MCPServer
metadata:
  name: test-mcp
spec:
  transportType: http
  httpTransport:
    targetPort: 8443
    path: /
    tls:
      secretRef: test-tls-client   # Custom client certificate used to access the MCP server

  deployment:
    image: ghcr.io/test/test-mcp:v0.1.0
    port: 8443
    args:
      - --http-addr
      - :8443
      - --tls-cert
      - /etc/tls/tls.crt
      - --tls-key
      - /etc/tls/tls.key

    # Explicitly create the volume
    volumes:
      - name: tls-certs
        secret:
          secretName: test-tls-server
    volumeMounts:
      - name: tls-certs
        mountPath: /etc/tls
        readOnly: true

@DahuK DahuK force-pushed the add-mcpserver-tls branch from 7907d26 to 8d093ad Compare January 16, 2026 08:44
@DahuK DahuK mentioned this pull request Jan 16, 2026
Open
@DahuK
feat: add tls configuration in mcpserver
4d8aca9 
Signed-off-by: dahu.kdh <dahu.kdh@alibaba-inc.com>
@DahuK DahuK force-pushed the add-mcpserver-tls branch from 8d093ad to 4d8aca9 Compare January 22, 2026 13:09
EItanya
EItanya reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

@EItanya EItanya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So my main issue with this PR is actually the fact that this config is NOT used by the MCPServer at all, but only by the Agent which references it in kagent. I understand the reason for this as we want a consistent way to access this resource, but it feels a little bit strange. Let me think a little bit on this.

@DahuK
Copy link
Contributor Author

DahuK commented Jan 28, 2026

So my main issue with this PR is actually the fact that this config is NOT used by the MCPServer at all, but only by the Agent which references it in kagent. I understand the reason for this as we want a consistent way to access this resource, but it feels a little bit strange. Let me think a little bit on this.

Agree. Perhaps defining the client certificate reference in the McpServerTool within agent types is also an option. Looking forward to your decision.

@EItanya EItanya merged commit 5865781 into kagent-dev:main Jan 30, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DahuK @EItanya