Merge pull request #183 from IBM/helm-notes

Helm NOTES.TXT

Author: crivetimihai

charts/README.md

@@ -269,3 +269,71 @@ For every setting see the [full annotated `values.yaml`](https://github.com/IBM/
 2. Update templates or `values.yaml`.
 3. Test with `helm lint` and `helm template`.
 4. Open a pull request-thank you!
+
+## Features
+
+* 🗂️ Multi-service stack – Deploys MCP Gateway (`n` replicas), Fast-Time-Server (`n` replicas), Postgres 17, Redis, PGAdmin 4 and Redis-Commander out of the box.
+* 🎛️ Idiomatic naming – All objects use helper templates (`mcp-stack.fullname`, chart labels) so release names and overrides stay collision-free.
+* 🔐 Secrets & credentials – `mcp-stack-gateway-secret` (Basic-Auth creds, JWT signing key, encryption salt, …) and `postgres-secret` (DB user / password / database name), both injected via `envFrom`.
+* ⚙️ Config as code – `mcp-stack-gateway-config` (\~40 tunables) and `postgres-config` for the DB name.
+* 🔗 Derived URLs – Pods build `DATABASE_URL` and `REDIS_URL` from explicit host/port/user/pass variables—no hard-coding.
+* ❤️‍🩹 Health management – Readiness and liveness probes on every deployment; the Gateway also has a startupProbe.
+* 🚦 Resource safeguards – CPU and memory requests/limits set for all containers.
+* 💾 Stateful storage – PV + PVC for Postgres (`/var/lib/postgresql/data`), storage class selectable.
+* 🌐 Networking & access – ClusterIP services, optional NGINX Ingress, and `NOTES.txt` with port-forward plus safe secret-fetch commands (password, bearer token, `JWT_SECRET_KEY`).
+* 📈 Replicas & availability – Gateway (3) and Fast-Time-Server (2) provide basic HA; stateful components run single-instance.
+* 📦 Helm best-practice layout – Clear separation of Deployments, Services, ConfigMaps, Secrets, PVC/PV and Ingress; chart version 0.2.0.
+
+---
+
+## TODO / Future roadmap
+
+1. 🔄 Post-deploy hook to register MCP Servers with MCP Gateway
+2. ⏳ Add startup probes for slow-booting services
+3. 🛡️ Implement Kubernetes NetworkPolicies to restrict internal traffic
+4. ⚙️ Add Horizontal Pod Autoscaler (HPA) support
+5. 📊 Expose Prometheus metrics and add scrape annotations
+6. 📈 Bundle Grafana dashboards via ConfigMaps (optional)
+7. 🔐 Integrate External Secrets support (e.g., AWS Secrets Manager)
+8. 🧪 Add Helm test hooks to validate deployments
+9. 🔍 Add `values.schema.json` for values validation and better UX
+10. 🧰 Move static configuration to templated `ConfigMaps` where possible
+11. 📁 Include persistent storage toggle in `values.yaml` for easier local/dev setup
+12. 🧼 Add Helm pre-delete hook for cleanup tasks (e.g., deregistering from external systems)
+13. 🧩 Package optional CRDs if needed in the future (e.g., for custom integrations)
+
+## Debug / start fresh (delete namespace)
+
+```bash
+# 0. Create and customize the values
+cp values.yaml my-values.yaml
+
+# 1. Verify the release name and namespace
+helm list -A | grep mcp-stack
+
+# 2. Uninstall the Helm release (removes Deployments, Services, Secrets created by the chart)
+helm uninstall mcp-stack -n mcp-private
+
+# 3. Delete any leftover PersistentVolumeClaims *if* you don't need the data
+kubectl delete pvc --all -n mcp-private
+
+# 4. Remove the namespace itself (skips if you want to keep it)
+kubectl delete namespace mcp-private
+
+# 5. Optional: confirm nothing is left
+helm list -A | grep mcp-stack   # should return nothing
+kubectl get ns | grep mcp-private  # should return nothing
+
+# 6. Re-create the namespace (if you deleted it)
+kubectl create namespace mcp-private
+
+# 7. Re-install the chart with your values file
+helm upgrade --install mcp-stack . \
+  --namespace mcp-private \
+  -f my-values.yaml \
+  --wait --timeout 15m --debug
+
+# 8. Check status
+kubectl get all -n mcp-private
+helm status mcp-stack -n mcp-private --show-desc
+```

charts/mcp-stack/templates/NOTES.txt

@@ -0,0 +1,119 @@
+{{- /*
+   NOTES.txt for the "mcp-stack" Helm chart
+   • Rendered after every install/upgrade.
+   • Surfaces endpoints, credentials and helper commands so you can
+     start interacting with the stack right away.
+   • Set showSecrets to show secrets.
+*/ -}}
+
+{{- $ns       := .Release.Namespace }}
+{{- $fullName := include "mcp-stack.fullname" . }}
+
+{{- /* ─── show / hide secrets ───────────────────────────── */}}
+{{- $showSecrets := false }}   {{/* set to true to reveal passwords & keys */}}
+
+{{- /* ─── Resource names (keep in sync with _helpers.tpl) ─ */}}
+{{- $gatewaySvc  := printf "%s-mcpgateway"            $fullName }}
+{{- $ftSvc       := printf "%s-mcp-fast-time-server"  $fullName }}
+{{- $postgresSvc := printf "%s-postgres"              $fullName }}
+{{- $redisSvc    := printf "%s-redis"                 $fullName }}
+{{- $pgadminSvc  := printf "%s-pgadmin"               $fullName }}
+
+{{- $gwSecret := printf "%s-gateway-secret" $fullName }}
+{{- $pgSecret := include "mcp-stack.postgresSecretName" . }}
+
+{{- /* ─── Secret look-ups (only used when $showSecrets=true) */}}
+{{- $basicAuthPass := "" }}
+{{- $jwtKey        := "" }}
+{{- $pgPass        := "" }}
+{{- if $showSecrets }}
+  {{- with (lookup "v1" "Secret" $ns $gwSecret) }}
+    {{- $basicAuthPass = index .data "BASIC_AUTH_PASSWORD" | b64dec }}
+    {{- $jwtKey        = index .data "JWT_SECRET_KEY"      | b64dec }}
+  {{- end }}
+  {{- with (lookup "v1" "Secret" $ns $pgSecret) }}
+    {{- $pgPass = index .data "POSTGRES_PASSWORD" | b64dec }}
+  {{- end }}
+{{- end }}
+
+{{- /* ─── Convenience ports ─────────────────────────────── */}}
+{{- $gwPort      := .Values.mcpContextForge.service.port | default 80 }}
+{{- $pgPort      := .Values.postgres.service.port        | default 5432 }}
+{{- $redisPort   := .Values.redis.service.port           | default 6379 }}
+{{- $pgAdminPort := .Values.pgadmin.service.port         | default 80 }}
+
+🎉  **{{ .Chart.Name }}** has been successfully deployed to namespace **{{ $ns }}**!
+
+{{- /* ════════════  MCP Gateway  ════════════ */}}
+🔗 **MCP Gateway**
+{{- if .Values.mcpContextForge.ingress.enabled }}
+  • Ingress URL  : https://{{ .Values.mcpContextForge.ingress.host }}{{ .Values.mcpContextForge.ingress.path | default "/" }}
+{{- else }}
+  • Service URL  : http://{{ $gatewaySvc }}.{{ $ns }}.svc.cluster.local:{{ $gwPort }}
+{{- end }}
+  • Basic-Auth :
+      user      = {{ .Values.mcpContextForge.secret.BASIC_AUTH_USER }}
+{{- if $showSecrets }}
+      password  = {{ $basicAuthPass }}
+{{- else }}
+      password  : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.BASIC_AUTH_PASSWORD}" | base64 -d`)
+{{- if $showSecrets }}
+  • JWT signing key (JWT_SECRET_KEY) = {{ $jwtKey }}
+{{- else }}
+  • JWT signing key (JWT_SECRET_KEY) : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.JWT_SECRET_KEY}" | base64 -d`)
+  • Port-forward : `kubectl -n {{ $ns }} port-forward svc/{{ $gatewaySvc }} 4444:{{ $gwPort }}`
+
+{{- /* ════════════  Fast-Time-Server  ════════════ */}}
+🔗 **Fast-Time-Server (SSE)**
+  • Cluster URL  : http://{{ $ftSvc }}.{{ $ns }}.svc.cluster.local
+  • Via Gateway  : {{- if .Values.mcpContextForge.ingress.enabled }} https://{{ .Values.mcpContextForge.ingress.host }}/fast-time {{- else }} http://localhost:4444/fast-time {{- end }}
+
+{{- /* ════════════  Datastores  ════════════ */}}
+💾 **Postgres**
+  • Host / Port  : {{ $postgresSvc }}.{{ $ns }}.svc.cluster.local:{{ $pgPort }}
+  • DB           : {{ .Values.postgres.credentials.database }}
+  • User         : {{ .Values.postgres.credentials.user }}
+{{- if $showSecrets }}
+  • Password     : {{ $pgPass | default "<secret-not-yet-created>" }}
+{{- else }}
+  • Password     : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $pgSecret }} -o jsonpath="{.data.POSTGRES_PASSWORD}" | base64 -d`)
+
+🔑 **Redis**
+  • Host / Port  : {{ $redisSvc }}.{{ $ns }}.svc.cluster.local:{{ $redisPort }}
+
+📊 **PGAdmin**
+  • URL          : http://{{ $pgadminSvc }}.{{ $ns }}.svc.cluster.local:{{ $pgAdminPort }}
+  • Login        : {{ .Values.pgadmin.env.email }} / (same Postgres password)
+
+{{- /* ════════════  Quick-start  ════════════ */}}
+🚀 **Quick-start**
+
+```bash
+# 1) Forward the Gateway locally (skip if using ingress):
+kubectl -n {{ $ns }} port-forward svc/{{ $gatewaySvc }} 4444:{{ $gwPort }} &
+
+# 2) Obtain a JWT via Basic-Auth (requires 'jq'):
+{{- if $showSecrets }}
+export GW_TOKEN=$(curl -s -u '{{ .Values.mcpContextForge.secret.BASIC_AUTH_USER }}:{{ $basicAuthPass }}' \
+  -X POST http://localhost:4444/auth/login | jq -r '.access_token')
+{{- else }}
+# export GW_TOKEN=(fetch after you retrieve the password with kubectl)
+{{- end }}
+
+# 3) Register the Fast-Time-Server with the Gateway:
+curl -s -X POST \
+     -H "Authorization: Bearer $GW_TOKEN" \
+     -H "Content-Type: application/json" \
+     -d '{"name":"local_time","url":"http://{{ $ftSvc }}.{{ $ns }}.svc.cluster.local/sse"}' \
+     http://localhost:4444/gateways
+```
+
+📚 **Further reading**
+* [https://ibm.github.io/mcp-context-forge/deployment/helm/](https://ibm.github.io/mcp-context-forge/deployment/helm/)
+* [https://ibm.github.io/mcp-context-forge/testing/basic/](https://ibm.github.io/mcp-context-forge/testing/basic/)