Skip to content

cpage-pivotal/cloud-foundry-mcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
.mvn/wrapper
.mvn/wrapper
 
 
images
images
 
 
src
src
 
 
.gitignore
.gitignore
 
 
CLAUDE.md
CLAUDE.md
 
 
FLOW.md
FLOW.md
 
 
README.md
README.md
 
 
manifest.yml
manifest.yml
 
 
mvnw
mvnw
 
 
mvnw.cmd
mvnw.cmd
 
 
pom.xml
pom.xml
 
 
service.yaml
service.yaml
 
 

Repository files navigation

Cloud Foundry MCP Server

This MCP Server provides an LLM interface for interacting with your Cloud Foundry foundation. It was built with the Spring AI MCP Server Boot Starter.

Sample

IMPORTANT

This MCP Server now uses the Streamable HTTP Transport, instead of SSE. If you are connecting to this server with Tanzu Platform Chat, be sure to consult the README for instructions on configuring the service binding for Streamable transport.

Authentication Modes

The server supports two mutually exclusive authentication modes, determined automatically at startup:

Mode When it activates MCP endpoint security CF API calls run as
Static Credentials CF_USERNAME and CF_PASSWORD are set, no OAuth2 issuer-uri Open (no auth required) The configured service account
OAuth 2.1 (SSO) spring.security.oauth2.resourceserver.jwt.issuer-uri is set (auto-configured on CF via the SSO tile) JWT bearer token required The authenticated user (token relay)

Static Credentials Mode

When CF_USERNAME and CF_PASSWORD environment variables are provided and no OAuth2 issuer is configured, the server disables HTTP security and uses the static credentials for all CF API calls. This is the simplest setup for local development and STDIO transport with tools like Claude Desktop.

OAuth 2.1 Mode

When deployed to Cloud Foundry with a Tanzu SSO tile binding, the java-cfenv-boot-pivotal-sso library auto-configures the JWT issuer-uri, activating OAuth2 resource server security. Every request to /mcp must include a valid bearer token. The server relays the user's token to the CF API so that operations execute under the user's own permissions and role-based access control. See FLOW.md for the full OAuth authorization flow.

Building the Server

./mvnw clean package

Running Locally with Static Credentials

Set the CF environment variables and run the jar directly. No OAuth infrastructure is needed.

export CF_APIHOST=api.sys.mycf.com
export CF_USERNAME=your-cf-username
export CF_PASSWORD=your-cf-password
export CF_ORG=your-org
export CF_SPACE=your-space

java -Dspring.ai.mcp.server.transport=stdio -jar target/cloud-foundry-mcp-0.0.1-SNAPSHOT.jar --server.port=8040

Or configure it in Claude Desktop's claude_desktop_config.json:

{
  "mcpServers": {
    "cloud-foundry": {
      "command": "java",
      "args": [
        "-Dspring.ai.mcp.server.transport=stdio",
        "-Dlogging.file.name=cloud-foundry-mcp.log",
        "-jar",
        "/path/to/cloud-foundry-mcp/target/cloud-foundry-mcp-0.0.1-SNAPSHOT.jar",
        "--server.port=8040"
      ],
      "env": {
        "CF_APIHOST": "api.sys.mycf.com",
        "CF_USERNAME": "your-cf-username",
        "CF_PASSWORD": "your-cf-password",
        "CF_ORG": "your-org",
        "CF_SPACE": "your-space"
      }
    }
  }
}

Deploying to Cloud Foundry

With OAuth 2.1 (SSO Tile)

The recommended deployment model. Bind the app to a p-identity (SSO) service instance and provide only CF_APIHOST. No static credentials are needed — each user authenticates via the SSO tile and operations execute under their own identity.

cf push

The manifest.yml is pre-configured with an sso service binding and the CF_APIHOST variable.

With Static Credentials (Variables File)

For environments without an SSO tile, use a variables file to inject static credentials. This approach keeps sensitive values out of your manifest and version control.

Create a file named vars.yaml:

CF_APIHOST: api.sys.mycf.com
CF_USERNAME: your-cf-username
CF_PASSWORD: your-cf-password
CF_ORG: your-org
CF_SPACE: your-space

IMPORTANT: The vars.yaml file contains sensitive credentials and should never be committed to Git. Add it to your .gitignore file:

echo "vars.yaml" >> .gitignore

Uncomment the static credential variables in manifest.yml, then deploy:

cf push --vars-file=vars.yaml

The manifest.yml references these variables using the ((variable-name)) syntax, which injects them as environment variables at deploy time.

Publishing to Tanzu Service Marketplace

You can publish this MCP server as a service in the Tanzu Platform marketplace using Tanzu Service Publisher. This allows other applications to bind to the MCP server and consume it as a service.

Prerequisites

Before publishing, ensure:

  • You have space developer privileges in the app's space
  • The MCP server application is running
  • A route is mapped to the app on the apps.internal domain using HTTP protocol

Service Definition

A service.yaml file is included in the root of this repository with the service configuration for publishing.

Publish the Service

Use the Tanzu cf CLI to publish the app:

cf publish-service cloud-foundry-mcp-server -f service.yaml

Check the publishing status:

cf published-service cloud-foundry-mcp-server

Wait until the status shows successful.

Enable Service Access

By default, new service offerings are disabled. An admin must enable access for the service to appear in the marketplace:

cf enable-service-access cloud-foundry-mcp

Create Service Instances

Once enabled, developers can create service instances:

cf create-service cloud-foundry-mcp default my-mcp-service

And bind them to applications:

cf bind-service my-app my-mcp-service

Capabilities

This MCP server exposes the following Cloud Foundry operations as tools:

Application Management (8 tools)

  • applicationsList - List all applications in a space
  • applicationDetails - Get detailed information about a specific application
  • cloneApplication - Clone an existing application
  • scaleApplication - Scale application instances, memory, or disk quota
  • startApplication - Start a stopped application
  • stopApplication - Stop a running application
  • restartApplication - Restart an application
  • deleteApplication - Delete an application

Organization & Space Management (7 tools)

  • organizationsList - List all organizations
  • organizationDetails - Get details about a specific organization
  • spacesList - List all spaces in an organization
  • getSpaceQuota - Get quota information for a space
  • createSpace - Create a new space
  • deleteSpace - Delete a space
  • renameSpace - Rename an existing space

Service Management (6 tools)

  • serviceInstancesList - List all service instances in a space
  • serviceInstanceDetails - Get details about a specific service instance
  • serviceOfferingsList - List available service offerings
  • bindServiceInstance - Bind a service instance to an application
  • unbindServiceInstance - Unbind a service instance from an application
  • deleteServiceInstance - Delete a service instance

Route Management (6 tools)

  • routesList - List all routes in a space
  • createRoute - Create a new route
  • deleteRoute - Delete a specific route
  • deleteOrphanedRoutes - Delete all unmapped routes
  • mapRoute - Map a route to an application
  • unmapRoute - Unmap a route from an application

Network Policy Management (3 tools)

  • addNetworkPolicy - Create network policy between applications
  • listNetworkPolicies - List all network policies
  • removeNetworkPolicy - Remove network policy between applications

Application Cloning (1 tool)

All tools support multi-context operations with optional organization and space parameters to target different environments.

About

Cloud Foundry MCP Server

Resources

Readme
Activity

Stars

10 stars

Watchers

4 watching

Forks

13 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages