Add Dockerfile

Author: mtodor

.dockerignore

@@ -0,0 +1,27 @@
+# Git and jj files
+.git/
+.jj/
+.gitignore
+.gitattributes
+
+# CI/CD
+.github/
+
+# IDE and editor files
+.vscode/
+.idea/
+.DS_Store
+
+# Test coverage output
+/*.out
+
+# Build output
+/stackrox-mcp
+
+# Lint output
+/report.xml
+
+# Documentation
+*.md
+docs/
+LICENSE

Dockerfile

@@ -0,0 +1,55 @@
+# Multi-stage Dockerfile for StackRox MCP Server
+# Stage 1: Builder - Build the Go binary
+FROM registry.access.redhat.com/ubi10/ubi:latest AS builder
+
+# Build arguments for multi-arch support
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+ARG VERSION=dev
+
+# Install Go 1.24
+RUN dnf install -y golang && dnf clean all
+
+# Set working directory
+WORKDIR /workspace
+
+# Copy go module files first for better layer caching
+COPY go.mod go.sum ./
+
+# Download dependencies (cached layer)
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build the binary with optimizations
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build \
+    -ldflags="-w -s" \
+    -trimpath \
+    -o stackrox-mcp \
+    ./cmd/stackrox-mcp
+
+# Stage 2: Runtime - Minimal runtime image
+FROM registry.access.redhat.com/ubi10/ubi-micro:latest
+
+# Set default environment variables
+ENV LOG_LEVEL=INFO
+
+# Set working directory
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder /workspace/stackrox-mcp /app/stackrox-mcp
+
+# Set ownership to non-root user
+RUN chown -R 4000:4000 /app
+
+# Switch to non-root user
+USER 4000
+
+# Expose port for MCP server
+EXPOSE 8080
+
+# Run the application
+ENTRYPOINT ["/app/stackrox-mcp"]

README.md

@@ -173,6 +173,34 @@ You: "Can you list all the clusters from StackRox?"
 Claude: [Uses list_clusters tool to retrieve cluster information]
 ```
 
+## Docker
+
+### Building the Docker Image
+
+Build the image locally:
+```bash
+docker build -t stackrox-mcp:test .
+```
+
+### Running the Container
+
+Run with default settings:
+```bash
+docker run -p 8080:8080 stackrox-mcp:test
+```
+
+### Build Arguments
+
+- `TARGETOS` - Target operating system (default: `linux`)
+- `TARGETARCH` - Target architecture (default: `amd64`)
+- `VERSION` - Application version (default: `dev`)
+
+### Image Details
+
+- **Base Image**: Red Hat UBI10-micro (minimal, secure)
+- **User**: Non-root user `mcp` (UID/GID 4000)
+- **Port**: 8080
+
 ## Development
 
 For detailed development guidelines, testing standards, and contribution workflows, see [CONTRIBUTING.md](.github/CONTRIBUTING.md).

internal/server/server.go

@@ -53,13 +53,15 @@ func NewServer(cfg *config.Config, registry *toolsets.Registry) *Server {
 func (s *Server) Start(ctx context.Context) error {
 	s.registerTools()
 
-	handler := mcp.NewStreamableHTTPHandler(
+	mcpHandler := mcp.NewStreamableHTTPHandler(
 		func(*http.Request) *mcp.Server {
 			return s.mcp
 		},
 		nil,
 	)
 
+	handler := s.withHealthEndpoint(mcpHandler)
+
 	addr := net.JoinHostPort(s.cfg.Server.Address, strconv.Itoa(s.cfg.Server.Port))
 	httpServer := &http.Server{
 		Addr:              addr,
@@ -118,3 +120,18 @@ func (s *Server) registerTools() {
 
 	slog.Info("Tools registration complete")
 }
+
+// withHealthEndpoint wraps an HTTP handler with a health check endpoint.
+func (s *Server) withHealthEndpoint(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(responseWriter http.ResponseWriter, request *http.Request) {
+		if request.URL.Path == "/health" {
+			responseWriter.Header().Set("Content-Type", "application/json")
+			responseWriter.WriteHeader(http.StatusOK)
+			_, _ = responseWriter.Write([]byte(`{"status":"ok"}`))
+
+			return
+		}
+
+		next.ServeHTTP(responseWriter, request)
+	})
+}

internal/server/server_test.go

@@ -166,3 +166,44 @@ func TestServer_Start(t *testing.T) {
 		t.Fatal("Server did not shut down within timeout period")
 	}
 }
+
+func TestServer_HealthEndpoint(t *testing.T) {
+	cfg := getDefaultConfig()
+	cfg.Server.Port = testutil.GetPortForTest(t)
+
+	registry := toolsets.NewRegistry(cfg, []toolsets.Toolset{})
+	srv := NewServer(cfg, registry)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	errChan := make(chan error, 1)
+
+	go func() {
+		errChan <- srv.Start(ctx)
+	}()
+
+	serverURL := "http://" + net.JoinHostPort(cfg.Server.Address, strconv.Itoa(cfg.Server.Port))
+	err := testutil.WaitForServerReady(serverURL, 3*time.Second)
+	require.NoError(t, err, "Server should start within timeout")
+
+	// Test health endpoint.
+	//nolint:noctx
+	resp, err := http.Get(serverURL + "/health")
+	require.NoError(t, err, "Health endpoint should be reachable")
+	require.NoError(t, resp.Body.Close())
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode, "Health endpoint should return 200 OK")
+	assert.Equal(t, "application/json", resp.Header.Get("Content-Type"), "Health endpoint should return JSON")
+
+	// Trigger shutdown.
+	cancel()
+
+	// Wait for server to shut down.
+	select {
+	case <-errChan:
+		// Server shut down successfully
+	case <-time.After(ShutdownTimeout + time.Second):
+		t.Fatal("Server did not shut down within timeout period")
+	}
+}