ROX-33010: Add MCP Gateway integraton to Helm chart

[mtodor]

Description

Add opt-in MCP Gateway integration to the Helm chart, enabling StackRox MCP server registration with MCP Gateway for tool aggregation behind a centralized gateway endpoint.

When enabled (mcpGateway.enabled: true), the chart creates:

• HTTPRoute — routes /mcp traffic from the gateway to the StackRox MCP service
• MCPServerRegistration — registers the server with the gateway using a configurable tool prefix (stackrox_ by default)

The chart validates that the required CRDs (gateway.networking.k8s.io/v1 and mcp.kagenti.com/v1alpha1) are available on the cluster and fails with a descriptive error if they are not.

Files added:

• charts/stackrox-mcp/templates/http-route.yaml
• charts/stackrox-mcp/templates/mcp-server-registration.yaml
• docs/mcp-gateway-integration.md

Files modified:

• charts/stackrox-mcp/values.yaml — new mcpGateway section
• charts/stackrox-mcp/README.md — MCP Gateway configuration table

Validation

• Helm template renders correctly with MCP Gateway enabled and both API versions available
• Helm fails with descriptive error when Gateway API CRD is missing
• Helm fails with descriptive error when MCPServerRegistration CRD is missing
• No gateway resources rendered when mcpGateway.enabled: false (default)
• helm lint passes
• Deploy on OpenShift cluster with MCP Gateway installed

AI-assisted development prompts

This PR was developed with AI assistance. Below are the prompts used:

Prompt: "check https://redhat.atlassian.net/browse/ROX-33010 jira ticket (you can use acli command) and identify what needs to be done."
Response: Fetched the Jira ticket and its attached stackrox-mcp-registration.yaml example. Identified the three deliverables: Helm templates for HTTPRoute and MCPServerRegistration, configurable values, and documentation.

Prompt: "MCP Gateway integration should be opt-in for Helm chart. Also it would be good to check capabilities that MCPServerRegistration exists and if not, helm should fail. Create bead with implementation plan and output plan for review."
Response: Created a bead and produced a 6-step implementation plan covering values.yaml, two templates with CRD capability validation, helpers, documentation, and README updates.

Prompt: "We need some clarification: 1. We don't need route.pathPrefix (it will always be the same) 2. Why HTTPRoute uses container port? It would be better to use service."
Response: Verified the MCP handler registers at / so /mcp is hardcoded gateway convention. Confirmed Gateway API spec says backendRef targets Service and port is the Service port. Updated plan accordingly.

Prompt: "Looks good. You can start with implementation"
Response: Implemented all changes: values.yaml mcpGateway section, HTTPRoute and MCPServerRegistration templates with CRD validation, _helpers.tpl validation helper, integration docs, and README updates. Validated with helm template and helm lint.

Prompt: "❯ Code review comments:

• let's change mcpGateway.gateway.name to stackrox-mcp-gateway
• set mcpGateway.toolPrefix to stackrox_ by default
• would it be reasonable to move MCP gateway validation to resource related to MCP Gateway. Similar to what we have for: charts/stackrox-mcp/templates/secret.yaml ?
• in integration document we have Prerequisites where it's defined that CRDs should be available. Isn't that part of "MCP Gateway installed on the cluster" - looks redundant
• in integration document we have several types of Installations - Probably only basinc setup is sufficient. It is expected that experienced devops will check helm options
• Verification part can only onclude curl - single line for the full flow
• double check if backendRefs will actually use service instead of pods
• change file names to use -, similar to pattern to service-account.yaml

Create bead for review changes and show plan for review."
Response: Applied all 8 review comments: updated defaults, moved validation into each template (matching secret.yaml pattern), renamed files to http-route.yaml and mcp-server-registration.yaml, simplified docs to single install example and single curl verification, confirmed backendRef correctness.

[codecov-commenter]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
361	2	359	12

View the full list of 2 ❄️ flaky test(s)

::policy 1

Flake rate in main: 100.00% (Passed 0 times, Failed 40 times)

Stack Traces | 0s run time

- test violation 1
- test violation 2
- test violation 3

::policy 4

Flake rate in main: 100.00% (Passed 0 times, Failed 40 times)

Stack Traces | 0s run time

- testing multiple alert violation messages 1
- testing multiple alert violation messages 2
- testing multiple alert violation messages 3

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The CRD capability checks use only the group/version string (e.g. gateway.networking.k8s.io/v1, mcp.kagenti.com/v1alpha1), but .Capabilities.APIVersions.Has typically expects full GVK-like identifiers (e.g. gateway.networking.k8s.io/v1/HTTPRoute and mcp.kagenti.com/v1alpha1/MCPServerRegistration), so you may want to update these keys to avoid false negatives on clusters where the CRDs are installed.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The CRD capability checks use only the group/version string (e.g. `gateway.networking.k8s.io/v1`, `mcp.kagenti.com/v1alpha1`), but `.Capabilities.APIVersions.Has` typically expects full GVK-like identifiers (e.g. `gateway.networking.k8s.io/v1/HTTPRoute` and `mcp.kagenti.com/v1alpha1/MCPServerRegistration`), so you may want to update these keys to avoid false negatives on clusters where the CRDs are installed.

## Individual Comments

### Comment 1
<location path="charts/stackrox-mcp/templates/mcp-server-registration.yaml" line_range="2-5" />
<code_context>
+{{- if .Values.mcpGateway.enabled }}
+{{- if not (.Capabilities.APIVersions.Has "mcp.kagenti.com/v1alpha1") }}
+{{- fail "MCP Gateway integration requires the MCPServerRegistration CRD (mcp.kagenti.com/v1alpha1). Install MCP Gateway (https://github.com/Kuadrant/mcp-gateway) before enabling mcpGateway." }}
+{{- end }}
+apiVersion: mcp.kagenti.com/v1alpha1
+kind: MCPServerRegistration
+metadata:
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check the MCPServerRegistration API group and version string

Both the capability check and `apiVersion` use `mcp.kagenti.com/v1alpha1`, but the upstream `github.com/Kuadrant/mcp-gateway` CRDs may use a different group (e.g. `mcp.kuadrant.io/v1alpha1`). If this doesn’t exactly match the installed CRD, the Helm capability check will fail or the API server will reject the resources. Please confirm the precise group/version from the installed CRD and update both the capabilities check and `apiVersion` accordingly.
</issue_to_address>

### Comment 2
<location path="charts/stackrox-mcp/README.md" line_range="155" />
<code_context>
+| `mcpGateway.hostname` | Hostname for the HTTPRoute | `""` |
+| `mcpGateway.toolPrefix` | Prefix for tools exposed via the gateway | `stackrox_` |
+
+**Note:** Requires [MCP Gateway](https://github.com/Kuadrant/mcp-gateway) to be installed on the cluster. The chart validates that the required CRDs (`gateway.networking.k8s.io/v1` and `mcp.kagenti.com/v1alpha1`) are available and fails with a descriptive error if they are not. See [MCP Gateway Integration](../../docs/mcp-gateway-integration.md) for details.
+
 ### Scheduling
</code_context>
<issue_to_address>
**issue (bug_risk):** The CRD group `mcp.kagenti.com/v1alpha1` appears to be misspelled or incorrect.

Since this integrates with `Kuadrant/mcp-gateway`, please confirm the correct API group for `MCPServerRegistration` (the `kagenti.com` domain looks wrong) and update this reference so the chart validates against the actual CRD group users should install.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[github-actions]

E2E Test Results

Commit: 33253fc
Workflow Run: View Details
Artifacts: Download test results & logs

=== Evaluation Summary ===

  ✓ list-clusters (assertions: 3/3)
  ✓ cve-detected-workloads (assertions: 3/3)
  ✓ cve-cluster-list (assertions: 3/3)
  ✓ cve-log4shell (assertions: 3/3)
  ✓ cve-multiple (assertions: 3/3)
  ✓ cve-cluster-does-not-exist (assertions: 3/3)
  ✓ cve-detected-clusters (assertions: 3/3)
  ~ rhsa-not-supported (assertions: 1/2)
      - MaxToolCalls: Too many tool calls: expected <= 4, got 8
  ~ cve-nonexistent (assertions: 2/3)
      - MaxToolCalls: Too many tool calls: expected <= 5, got 7
  ✓ cve-clusters-general (assertions: 3/3)
  ✓ cve-cluster-does-exist (assertions: 3/3)

Tasks:      11/11 passed (100.00%)
Assertions: 30/32 passed (93.75%)
Tokens:     ~57768 (estimate - excludes system prompt & cache)
MCP schemas: ~12562 (included in token total)
Agent used tokens:
  Input:  14424 tokens
  Output: 22224 tokens
Judge used tokens:
  Input:  72748 tokens
  Output: 52231 tokens

[mtodor]

@coderabbitai review

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features

  • Added optional MCP Gateway integration capability supporting distributed MCP tool aggregation through conditional resource creation
  • New configuration values enabling gateway customization including resource references, hostnames, and tool prefixes

• Documentation

  • Added comprehensive MCP Gateway integration guide with setup requirements and verification instructions
  • Updated README with complete configuration reference and operational constraints

Walkthrough

This PR adds optional MCP Gateway integration to the StackRox MCP Helm chart. New configuration values enable the feature and reference a Kubernetes Gateway resource. Two conditional Helm templates create HTTPRoute and MCPServerRegistration resources with CRD and deployment constraint validation. Documentation explains the feature, configuration parameters, and architectural flow.

Changes

MCP Gateway Integration

Layer / File(s)	Summary
Configuration Values charts/stackrox-mcp/values.yaml	New mcpGateway block adds opt-in feature flag, gateway resource references (name, namespace), HTTPRoute hostname (defaulting to fullname + .mcp.local), and toolPrefix for tool naming isolation.
Helper Updates charts/stackrox-mcp/templates/_helpers.tpl	stackrox-mcp.image helper changes from printf to print for image reference construction, preserving registry, repository, and tag composition with Chart.AppVersion fallback.
Gateway Integration Templates charts/stackrox-mcp/templates/http-route.yaml, charts/stackrox-mcp/templates/mcp-server-registration.yaml	HTTPRoute template conditionally renders /mcp PathPrefix routing to backend service with CRD presence validation and replicaCount=1 enforcement. MCPServerRegistration template registers the HTTPRoute with MCP Gateway, also validating required CRD availability and failing gracefully with installation guidance if missing.
Documentation charts/stackrox-mcp/README.md, docs/mcp-gateway-integration.md	README adds MCP Gateway configuration section and high-availability constraint note. New integration guide covers prerequisites, Helm configuration (replicaCount=1 requirement), parameter reference table, curl-based verification, and architecture diagram showing client → Gateway → HTTPRoute → Service → Central API flow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: adding MCP Gateway integration to the Helm chart, though it contains a typo ('integraton' instead of 'integration').
Description check	✅ Passed	The description is comprehensive and clearly related to the changeset, covering the feature implementation, validation, files changed, and the development process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch mtodor/ROX-33010-add-mcp-gateway

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mtodor]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/stackrox-mcp/templates/mcp-server-registration.yaml`:
- Line 13: The template currently renders toolPrefix unquoted which can produce
invalid or coerced YAML for certain inputs; update the mcp-server-registration
template so the toolPrefix value is emitted as a quoted string by quoting the
.Values.mcpGateway.toolPrefix interpolation (i.e., ensure the rendered line uses
"toolPrefix: \"{{ .Values.mcpGateway.toolPrefix }}\"" style quoting) so
user-provided values are treated as strings and YAML parsing/coercion issues are
avoided.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: c9c8e2e1-c92f-498e-ac05-cc9a276a1a5d

📥 Commits

Reviewing files that changed from the base of the PR and between 1ae9a26 and 7b05e16.

📒 Files selected for processing (6)

• charts/stackrox-mcp/README.md
• charts/stackrox-mcp/templates/_helpers.tpl
• charts/stackrox-mcp/templates/http-route.yaml
• charts/stackrox-mcp/templates/mcp-server-registration.yaml
• charts/stackrox-mcp/values.yaml
• docs/mcp-gateway-integration.md

[coderabbitai]

CodeRabbit chat interactions are restricted to organization members for this repository. Ask an organization member to interact with CodeRabbit, or set chat.allow_non_org_members: true in your configuration.