feat: add support for https when using streamable-http transport (#270)

mcp-go v0.39.0 adds support for https when using the streamable-http
transport. This commit adds support for configuring the server to
serve https using custom certificates via the CLI.

Fixes #244.

Author: sd2k

README.md

@@ -197,6 +197,45 @@ Scopes define the specific resources that permissions apply to. Each action requ
 | `get_assertions`                  | Asserts     | Get assertion summary for a given entity                           | Plugin-specific permissions             | Plugin-specific scopes                              |
 | `generate_deeplink`               | Navigation  | Generate accurate deeplink URLs for Grafana resources              | None (read-only URL generation)         | N/A                                                 |
 
+## CLI Flags Reference
+
+The `mcp-grafana` binary supports various command-line flags for configuration:
+
+**Transport Options:**
+- `-t, --transport`: Transport type (`stdio`, `sse`, or `streamable-http`) - default: `stdio`
+- `--address`: The host and port for SSE/streamable-http server - default: `localhost:8000`
+- `--base-path`: Base path for the SSE/streamable-http server
+- `--endpoint-path`: Endpoint path for the streamable-http server - default: `/`
+
+**Debug and Logging:**
+- `--debug`: Enable debug mode for detailed HTTP request/response logging
+
+**Tool Configuration:**
+- `--enabled-tools`: Comma-separated list of enabled tools - default: all tools enabled
+- `--disable-search`: Disable search tools
+- `--disable-datasource`: Disable datasource tools
+- `--disable-incident`: Disable incident tools
+- `--disable-prometheus`: Disable prometheus tools
+- `--disable-loki`: Disable loki tools
+- `--disable-alerting`: Disable alerting tools
+- `--disable-dashboard`: Disable dashboard tools
+- `--disable-oncall`: Disable oncall tools
+- `--disable-asserts`: Disable asserts tools
+- `--disable-sift`: Disable sift tools
+- `--disable-admin`: Disable admin tools
+- `--disable-pyroscope`: Disable pyroscope tools
+- `--disable-navigation`: Disable navigation tools
+
+**Client TLS Configuration (for Grafana connections):**
+- `--tls-cert-file`: Path to TLS certificate file for client authentication
+- `--tls-key-file`: Path to TLS private key file for client authentication
+- `--tls-ca-file`: Path to TLS CA certificate file for server verification
+- `--tls-skip-verify`: Skip TLS certificate verification (insecure)
+
+**Server TLS Configuration (streamable-http transport only):**
+- `--server.tls-cert-file`: Path to TLS certificate file for server HTTPS
+- `--server.tls-key-file`: Path to TLS private key file for server HTTPS
+
 ## Usage
 
 This MCP server works with both local Grafana instances and Grafana Cloud. For Grafana Cloud, use your instance URL (e.g., `https://myinstance.grafana.net`) instead of `http://localhost:3000` in the configuration examples below.
@@ -235,6 +274,21 @@ This MCP server works with both local Grafana instances and Grafana Cloud. For G
      docker run --rm -p 8000:8000 -e GRAFANA_URL=http://localhost:3000 -e GRAFANA_API_KEY=<your service account token> mcp/grafana -t streamable-http
      ```
 
+     For HTTPS streamable HTTP mode with server TLS certificates:
+
+     ```bash
+     docker pull mcp/grafana
+     docker run --rm -p 8443:8443 \
+       -v /path/to/certs:/certs:ro \
+       -e GRAFANA_URL=http://localhost:3000 \
+       -e GRAFANA_API_KEY=<your service account token> \
+       mcp/grafana \
+       -t streamable-http \
+       -addr :8443 \
+       --server.tls-cert-file /certs/server.crt \
+       --server.tls-key-file /certs/server.key
+     ```
+
    - **Download binary**: Download the latest release of `mcp-grafana` from the [releases page](https://github.com/grafana/mcp-grafana/releases) and place it in your `$PATH`.
 
    - **Build from source**: If you have a Go toolchain installed you can also build and install it from source, using the `GOBIN` environment variable
@@ -324,6 +378,19 @@ If you're using VSCode and running the MCP server in SSE mode (which is the defa
 }
 ```
 
+For HTTPS streamable HTTP mode with server TLS certificates:
+
+```json
+"mcp": {
+  "servers": {
+    "grafana": {
+      "type": "sse",
+      "url": "https://localhost:8443/sse"
+    }
+  }
+}
+```
+
 ### Debug Mode
 
 You can enable debug mode for the Grafana transport by adding the `-debug` flag to the command. This will provide detailed logging of HTTP requests and responses between the MCP server and the Grafana API, which can be helpful for troubleshooting.
@@ -510,6 +577,43 @@ grafanaConfig := mcpgrafana.GrafanaConfig{
 contextFunc := mcpgrafana.ComposedStdioContextFunc(grafanaConfig)
 ```
 
+### Server TLS Configuration (Streamable HTTP Transport Only)
+
+When using the streamable HTTP transport (`-t streamable-http`), you can configure the MCP server to serve HTTPS instead of HTTP. This is useful when you need to secure the connection between your MCP client and the server itself.
+
+The server supports the following TLS configuration options for the streamable HTTP transport:
+
+- `--server.tls-cert-file`: Path to TLS certificate file for server HTTPS (required for TLS)
+- `--server.tls-key-file`: Path to TLS private key file for server HTTPS (required for TLS)
+
+**Note**: These flags are completely separate from the client TLS flags documented above. The client TLS flags configure how the MCP server connects to Grafana, while these server TLS flags configure how clients connect to the MCP server when using streamable HTTP transport.
+
+**Example with HTTPS streamable HTTP server:**
+
+```bash
+./mcp-grafana \
+  -t streamable-http \
+  --server.tls-cert-file /path/to/server.crt \
+  --server.tls-key-file /path/to/server.key \
+  -addr :8443
+```
+
+This would start the MCP server on HTTPS port 8443. Clients would then connect to `https://localhost:8443/` instead of `http://localhost:8000/`.
+
+**Docker example with server TLS:**
+
+```bash
+docker run --rm -p 8443:8443 \
+  -v /path/to/certs:/certs:ro \
+  -e GRAFANA_URL=http://localhost:3000 \
+  -e GRAFANA_API_KEY=<your service account token> \
+  mcp/grafana \
+  -t streamable-http \
+  -addr :8443 \
+  --server.tls-cert-file /certs/server.crt \
+  --server.tls-key-file /certs/server.key
+```
+
 ## Troubleshooting
 
 ### Grafana Version Compatibility

cmd/mcp-grafana/main.go

@@ -115,7 +115,16 @@ func newServer(dt disabledTools) *server.MCPServer {
 	return s
 }
 
-func run(transport, addr, basePath, endpointPath string, logLevel slog.Level, dt disabledTools, gc mcpgrafana.GrafanaConfig) error {
+type tlsConfig struct {
+	certFile, keyFile string
+}
+
+func (tc *tlsConfig) addFlags() {
+	flag.StringVar(&tc.certFile, "server.tls-cert-file", "", "Path to TLS certificate file for server HTTPS (required for TLS)")
+	flag.StringVar(&tc.keyFile, "server.tls-key-file", "", "Path to TLS private key file for server HTTPS (required for TLS)")
+}
+
+func run(transport, addr, basePath, endpointPath string, logLevel slog.Level, dt disabledTools, gc mcpgrafana.GrafanaConfig, tls tlsConfig) error {
 	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: logLevel})))
 	s := newServer(dt)
 
@@ -135,10 +144,15 @@ func run(transport, addr, basePath, endpointPath string, logLevel slog.Level, dt
 			return fmt.Errorf("server error: %v", err)
 		}
 	case "streamable-http":
-		srv := server.NewStreamableHTTPServer(s, server.WithHTTPContextFunc(mcpgrafana.ComposedHTTPContextFunc(gc)),
+		opts := []server.StreamableHTTPOption{
+			server.WithHTTPContextFunc(mcpgrafana.ComposedHTTPContextFunc(gc)),
 			server.WithStateLess(true),
 			server.WithEndpointPath(endpointPath),
-		)
+		}
+		if tls.certFile != "" || tls.keyFile != "" {
+			opts = append(opts, server.WithTLSCert(tls.certFile, tls.keyFile))
+		}
+		srv := server.NewStreamableHTTPServer(s, opts...)
 		slog.Info("Starting Grafana MCP server using StreamableHTTP transport", "version", mcpgrafana.Version(), "address", addr, "endpointPath", endpointPath)
 		if err := srv.Start(addr); err != nil {
 			return fmt.Errorf("server error: %v", err)
@@ -170,6 +184,8 @@ func main() {
 	dt.addFlags()
 	var gc grafanaConfig
 	gc.addFlags()
+	var tls tlsConfig
+	tls.addFlags()
 	flag.Parse()
 
 	if *showVersion {
@@ -188,7 +204,7 @@ func main() {
 		}
 	}
 
-	if err := run(transport, *addr, *basePath, *endpointPath, parseLevel(*logLevel), dt, grafanaConfig); err != nil {
+	if err := run(transport, *addr, *basePath, *endpointPath, parseLevel(*logLevel), dt, grafanaConfig, tls); err != nil {
 		panic(err)
 	}
 }

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/grafana/incident-go v0.0.0-20250211094540-dc6a98fdae43
 	github.com/grafana/pyroscope/api v1.2.0
 	github.com/invopop/jsonschema v0.13.0
-	github.com/mark3labs/mcp-go v0.38.0
+	github.com/mark3labs/mcp-go v0.39.0
 	github.com/prometheus/client_golang v1.23.0
 	github.com/prometheus/common v0.65.0
 	github.com/prometheus/prometheus v0.305.0

go.sum

@@ -180,6 +180,8 @@ github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mark3labs/mcp-go v0.38.0 h1:E5tmJiIXkhwlV0pLAwAT0O5ZjUZSISE/2Jxg+6vpq4I=
 github.com/mark3labs/mcp-go v0.38.0/go.mod h1:T7tUa2jO6MavG+3P25Oy/jR7iCeJPHImCZHRymCn39g=
+github.com/mark3labs/mcp-go v0.39.0 h1:dQwaOADzUJ1ROslEJB8QV+4u/8XQCqH9ylB//x8cCEQ=
+github.com/mark3labs/mcp-go v0.39.0/go.mod h1:T7tUa2jO6MavG+3P25Oy/jR7iCeJPHImCZHRymCn39g=
 github.com/matryer/is v1.4.1 h1:55ehd8zaGABKLXQUe2awZ99BD/PTc2ls+KV/dXphgEQ=
 github.com/matryer/is v1.4.1/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
 github.com/mattetti/filebuffer v1.0.1 h1:gG7pyfnSIZCxdoKq+cPa8T0hhYtD9NxCdI4D7PTjRLM=