[WIP] Mcp split #63

Open
luis5tb wants to merge 3 commits into RHEcosystemAppEng:main from luis5tb:mcp-split

@luis5tb luis5tb commented Mar 27, 2026

Allow running the MCP as a different Cloud Run service, to enable different scaling than the agent

luis5tb and others added 3 commits March 27, 2026 10:17
Extract the MCP server from a sidecar container inside the agent service
into its own Cloud Run service with ingress: internal. This enables
independent scaling and lifecycle management while keeping the MCP
server accessible only to the agent's service account via HTTPS.

Security:
- ingress: internal blocks all external traffic at the network level
- Only the agent's service account has roles/run.invoker on the MCP service
- Agent sends Google ID token via X-Serverless-Authorization header so
  Cloud Run IAM validates the caller without consuming the Authorization
  header, which carries the Red Hat SSO JWT for console.redhat.com

Changes:
- Create mcp-service.yaml with ingress: internal, maxScale: 4
- Remove MCP sidecar container block from service.yaml
- Add deploy_mcp() function and --service mcp option to deploy.sh
- Auto-discover MCP URL post-deployment and set MCP_SERVER_URL on agent
- Add MCP service deletion to cleanup.sh
- Update all documentation (architecture, mcp-integration, configuration,
  authentication, README, CLAUDE.md) to reflect separate service architecture
  and account for GMA SSO API, scope allowlists, SESSION_BACKEND, and
  other changes that landed in main

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add a Pydantic model validator that requires MCP_SERVER_URL to use
HTTPS when transport mode is http or sse. Only http://localhost is
allowed for local development. This ensures the Red Hat SSO JWT
token forwarded to the MCP server is always transmitted over an
encrypted connection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add MCP_DEPLOY_MODE env var (service|sidecar, default: service) to
control how the MCP server is deployed to Cloud Run:

- service mode (default): MCP runs as a separate Cloud Run service
  with ingress: internal, HTTPS, and IAM restricted to the agent SA.
  Uses service.yaml + mcp-service.yaml.

- sidecar mode: MCP runs as a second container inside the agent pod.
  Agent connects via http://localhost:8080 (no network hop).
  Uses service-sidecar.yaml (no separate MCP service needed).

Changes:
- Create service-sidecar.yaml with MCP container block (no ports)
- deploy.sh: select YAML template based on MCP_DEPLOY_MODE, skip
  deploy_mcp() and MCP URL discovery in sidecar mode
- cleanup.sh: skip MCP service deletion in sidecar mode
- Update Cloud Run README with mode comparison table and examples
- Add MCP_DEPLOY_MODE to .env.example
- Add cross-reference comments in service.yaml header

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

"""
if self.mcp_transport_mode in ("http", "sse"):
url = self.mcp_server_url
if not url.startswith(("https://", "http://localhost")):
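
Review bot: The `url.startswith(("https://", "http://localhost"))` test on the last line is a string-prefix match, not a host check, so it also accepts values such as `http://localhost.example.com` or `http://localhost@other-host`, where the forwarded JWT would leave the machine in cleartext. Parse the value (for example with `urllib.parse.urlsplit`) and compare `hostname` exactly against the allowed loopback names instead of matching on the raw string.
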
Collaborator

Will reject if starting with "http://127.0.0.1". Consider if worth including in validator.
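
One way to express the HTTPS requirement from the commit message as a check on the parsed host, which also covers the `http://127.0.0.1` case raised in the comment above. This is an added example, not code from the PR: `check_mcp_server_url` and `is_loopback_host` are hypothetical names, and the sample URLs are constructed.

```python
# Added example (not the PR's code): decide by parsed host, not string prefix.
import ipaddress
from urllib.parse import urlsplit

NETWORK_TRANSPORTS = ("http", "sse")  # modes the PR's validator checks


def is_loopback_host(host: str) -> bool:
    """True for the name 'localhost' or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name


def check_mcp_server_url(url: str, transport_mode: str) -> str:
    """Return url if acceptable, else raise ValueError (hypothetical helper)."""
    if transport_mode not in NETWORK_TRANSPORTS:
        return url  # other modes are left unchecked, as in the PR
    parts = urlsplit(url)
    host = parts.hostname  # lower-cased; userinfo, port and brackets removed
    if not host:
        raise ValueError(f"MCP_SERVER_URL has no host: {url!r}")
    if parts.scheme == "https":
        return url
    if parts.scheme == "http" and is_loopback_host(host):
        return url  # cleartext never leaves the machine
    raise ValueError(f"MCP_SERVER_URL must be https (http only on loopback): {url!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from the project.
    samples = [
        "https://mcp.example.com/mcp",
        "http://localhost:8080",
        "http://127.0.0.1:8080",
        "http://[::1]:8080",
        "http://localhost.example.com/mcp",  # a prefix match would accept this
        "http://mcp.example.com/mcp",
    ]
    for sample in samples:
        try:
            check_mcp_server_url(sample, "http")
            print("accept", sample)
        except ValueError as err:
            print("reject", err)
```

A Pydantic model validator could call the helper with the settings' `mcp_server_url` and `mcp_transport_mode` values and let the `ValueError` surface as a validation error.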

yaml_file="deploy/cloudrun/service.yaml"

# Warn if MCP service isn't deployed yet (agent needs its URL)
if ! gcloud run services describe "$MCP_SERVICE_NAME" \
Collaborator

deploy.sh only checks if the MCP service exists, not if it's ready to accept traffic. Since MCP moved from sidecar to standalone Cloud Run service, the agent now has an external runtime dependency; consider adding a readiness probe.
