|
1 | 1 | # openai-mcp-tunnel |
2 | 2 |
|
3 | | -   |
| 3 | +   |
4 | 4 |
|
5 | 5 | A Helm chart for running the OpenAI Secure MCP Tunnel client in Kubernetes. |
6 | 6 |
|
@@ -60,6 +60,29 @@ For Kubernetes production use, `mcp.serverUrl` is the safer default. OpenAI docu |
60 | 60 |
|
61 | 61 | The bootstrap stub is useful only as a first-step bring-up mechanism. It lets ChatGPT connect to the tunnel, but it does not expose your real MCP tools. Switch to `mcp.serverUrl` or `mcp.command` once the backend exists. |
62 | 62 |
|
| 63 | +## Internal MCP Authentication |
| 64 | + |
| 65 | +For internal MCP servers that require static technical authentication, prefer the dedicated Secret-backed header settings instead of raw `extraEnv`: |
| 66 | + |
| 67 | +- `mcp.auth.extraHeaders` for normal MCP HTTP requests |
| 68 | +- `mcp.auth.discoveryExtraHeaders` for startup probes, OAuth discovery, and MCP initialize probing |
| 69 | + |
| 70 | +The expected secret values are complete header values. For a bearer token, store the full string such as `Bearer eyJ...` in a secret key, then map the header name to that key. |
| 71 | + |
| 72 | +Example: |
| 73 | + |
| 74 | +```yaml |
| 75 | +mcp: |
| 76 | + serverUrl: https://internal-mcp.example.local/mcp |
| 77 | + auth: |
| 78 | + extraHeaders: |
| 79 | + existingSecretName: internal-mcp-auth |
| 80 | + headers: |
| 81 | + Authorization: authorization |
| 82 | +``` |
| 83 | +
|
| 84 | +If the MCP also requires auth during discovery or initialize probing, mirror the same mapping under `mcp.auth.discoveryExtraHeaders`. |
| 85 | + |
63 | 86 | ## Production Notes |
64 | 87 |
|
65 | 88 | For production rollouts, prefer one of these image supply-chain patterns: |
@@ -119,10 +142,16 @@ For production rollouts, prefer one of these image supply-chain patterns: |
119 | 142 | | controlPlane.tunnelId | string | `""` | Tunnel ID created in the OpenAI tunnels management UI or API. | |
120 | 143 | | controlPlane.baseUrl | string | `""` | Optional override for the control plane base URL. Leave empty to let `tunnel-client` use its built-in default (`https://api.openai.com`). | |
121 | 144 | | controlPlane.urlPath | string | `""` | Optional URL path prefix inserted before `/v1/...` routes, for example `/workspace/dev/us` behind an enterprise gateway. | |
122 | | -| mcp | object | `{"bootstrap":{"enabled":false},"command":"","connectionMaxTTL":"10m","maxConcurrentRequests":10,"serverUrl":""}` | Upstream MCP configuration. Set either `serverUrl` or `command`. | |
| 145 | +| mcp | object | `{"auth":{"discoveryExtraHeaders":{"createSecret":false,"existingSecretName":"","headers":{},"values":{}},"extraHeaders":{"createSecret":false,"existingSecretName":"","headers":{},"values":{}}},"bootstrap":{"enabled":false},"command":"","connectionMaxTTL":"10m","maxConcurrentRequests":10,"serverUrl":""}` | Upstream MCP configuration. Set either `serverUrl` or `command`. | |
123 | 146 | | mcp.bootstrap.enabled | bool | `false` | Start `tunnel-client` with the built-in stub MCP so the tunnel can come up before a real MCP backend is available. When `mcp.serverUrl` and `mcp.command` are both empty, the chart falls back to this stub automatically. | |
124 | 147 | | mcp.serverUrl | string | `""` | URL of the private MCP server reachable from the pod. | |
125 | 148 | | mcp.command | string | `""` | Command to launch a local stdio MCP server. `stdio` does not support MCP sessions. | |
| 149 | +| mcp.auth.extraHeaders.existingSecretName | string | `""` | Existing Secret whose keys contain complete header values such as `Bearer ...`. | |
| 150 | +| mcp.auth.extraHeaders.createSecret | bool | `false` | Create the Secret from values in this chart. | |
| 151 | +| mcp.auth.extraHeaders.values | object | `{}` | Secret data written when `createSecret=true`. Each key becomes one mounted file. | |
| 152 | +| mcp.auth.discoveryExtraHeaders.existingSecretName | string | `""` | Existing Secret whose keys contain complete discovery/probe header values. | |
| 153 | +| mcp.auth.discoveryExtraHeaders.createSecret | bool | `false` | Create the Secret from values in this chart. | |
| 154 | +| mcp.auth.discoveryExtraHeaders.values | object | `{}` | Secret data written when `createSecret=true`. Each key becomes one mounted file. | |
126 | 155 | | mcp.connectionMaxTTL | string | `"10m"` | Maximum lifetime of an upstream MCP connection. | |
127 | 156 | | mcp.maxConcurrentRequests | int | `10` | Maximum number of concurrent upstream MCP requests. | |
128 | 157 | | log | object | `{"format":"json","level":"info"}` | Runtime logging configuration. | |
|
0 commit comments