ROX-33010: Add MCP Gateway integraton to Helm chart

[mtodor]

Description

Add opt-in MCP Gateway integration to the Helm chart, enabling StackRox MCP server registration with MCP Gateway for tool aggregation behind a centralized gateway endpoint.

When enabled (mcpGateway.enabled: true), the chart creates:

• HTTPRoute — routes /mcp traffic from the gateway to the StackRox MCP service
• MCPServerRegistration — registers the server with the gateway using a configurable tool prefix (stackrox_ by default)

The chart validates that the required CRDs (gateway.networking.k8s.io/v1 and mcp.kagenti.com/v1alpha1) are available on the cluster and fails with a descriptive error if they are not.

Files added:

• charts/stackrox-mcp/templates/http-route.yaml
• charts/stackrox-mcp/templates/mcp-server-registration.yaml
• docs/mcp-gateway-integration.md

Files modified:

• charts/stackrox-mcp/values.yaml — new mcpGateway section
• charts/stackrox-mcp/README.md — MCP Gateway configuration table

Validation

• Helm template renders correctly with MCP Gateway enabled and both API versions available
• Helm fails with descriptive error when Gateway API CRD is missing
• Helm fails with descriptive error when MCPServerRegistration CRD is missing
• No gateway resources rendered when mcpGateway.enabled: false (default)
• helm lint passes
• Deploy on OpenShift cluster with MCP Gateway installed

AI-assisted development prompts

This PR was developed with AI assistance. Below are the prompts used:

Prompt: "check https://redhat.atlassian.net/browse/ROX-33010 jira ticket (you can use acli command) and identify what needs to be done."
Response: Fetched the Jira ticket and its attached stackrox-mcp-registration.yaml example. Identified the three deliverables: Helm templates for HTTPRoute and MCPServerRegistration, configurable values, and documentation.

Prompt: "MCP Gateway integration should be opt-in for Helm chart. Also it would be good to check capabilities that MCPServerRegistration exists and if not, helm should fail. Create bead with implementation plan and output plan for review."
Response: Created a bead and produced a 6-step implementation plan covering values.yaml, two templates with CRD capability validation, helpers, documentation, and README updates.

Prompt: "We need some clarification: 1. We don't need route.pathPrefix (it will always be the same) 2. Why HTTPRoute uses container port? It would be better to use service."
Response: Verified the MCP handler registers at / so /mcp is hardcoded gateway convention. Confirmed Gateway API spec says backendRef targets Service and port is the Service port. Updated plan accordingly.

Prompt: "Looks good. You can start with implementation"
Response: Implemented all changes: values.yaml mcpGateway section, HTTPRoute and MCPServerRegistration templates with CRD validation, _helpers.tpl validation helper, integration docs, and README updates. Validated with helm template and helm lint.

Prompt: "❯ Code review comments:

• let's change mcpGateway.gateway.name to stackrox-mcp-gateway
• set mcpGateway.toolPrefix to stackrox_ by default
• would it be reasonable to move MCP gateway validation to resource related to MCP Gateway. Similar to what we have for: charts/stackrox-mcp/templates/secret.yaml ?
• in integration document we have Prerequisites where it's defined that CRDs should be available. Isn't that part of "MCP Gateway installed on the cluster" - looks redundant
• in integration document we have several types of Installations - Probably only basinc setup is sufficient. It is expected that experienced devops will check helm options
• Verification part can only onclude curl - single line for the full flow
• double check if backendRefs will actually use service instead of pods
• change file names to use -, similar to pattern to service-account.yaml

Create bead for review changes and show plan for review."
Response: Applied all 8 review comments: updated defaults, moved validation into each template (matching secret.yaml pattern), renamed files to http-route.yaml and mcp-server-registration.yaml, simplified docs to single install example and single curl verification, confirmed backendRef correctness.

[codecov-commenter]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
361	2	359	12

View the full list of 2 ❄️ flaky test(s)

::policy 1

Flake rate in main: 100.00% (Passed 0 times, Failed 28 times)

Stack Traces | 0s run time

- test violation 1
- test violation 2
- test violation 3

::policy 4

Flake rate in main: 100.00% (Passed 0 times, Failed 28 times)

Stack Traces | 0s run time

- testing multiple alert violation messages 1
- testing multiple alert violation messages 2
- testing multiple alert violation messages 3

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The CRD capability checks use only the group/version string (e.g. gateway.networking.k8s.io/v1, mcp.kagenti.com/v1alpha1), but .Capabilities.APIVersions.Has typically expects full GVK-like identifiers (e.g. gateway.networking.k8s.io/v1/HTTPRoute and mcp.kagenti.com/v1alpha1/MCPServerRegistration), so you may want to update these keys to avoid false negatives on clusters where the CRDs are installed.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The CRD capability checks use only the group/version string (e.g. `gateway.networking.k8s.io/v1`, `mcp.kagenti.com/v1alpha1`), but `.Capabilities.APIVersions.Has` typically expects full GVK-like identifiers (e.g. `gateway.networking.k8s.io/v1/HTTPRoute` and `mcp.kagenti.com/v1alpha1/MCPServerRegistration`), so you may want to update these keys to avoid false negatives on clusters where the CRDs are installed.

## Individual Comments

### Comment 1
<location path="charts/stackrox-mcp/templates/mcp-server-registration.yaml" line_range="2-5" />
<code_context>
+{{- if .Values.mcpGateway.enabled }}
+{{- if not (.Capabilities.APIVersions.Has "mcp.kagenti.com/v1alpha1") }}
+{{- fail "MCP Gateway integration requires the MCPServerRegistration CRD (mcp.kagenti.com/v1alpha1). Install MCP Gateway (https://github.com/Kuadrant/mcp-gateway) before enabling mcpGateway." }}
+{{- end }}
+apiVersion: mcp.kagenti.com/v1alpha1
+kind: MCPServerRegistration
+metadata:
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check the MCPServerRegistration API group and version string

Both the capability check and `apiVersion` use `mcp.kagenti.com/v1alpha1`, but the upstream `github.com/Kuadrant/mcp-gateway` CRDs may use a different group (e.g. `mcp.kuadrant.io/v1alpha1`). If this doesn’t exactly match the installed CRD, the Helm capability check will fail or the API server will reject the resources. Please confirm the precise group/version from the installed CRD and update both the capabilities check and `apiVersion` accordingly.
</issue_to_address>

### Comment 2
<location path="charts/stackrox-mcp/README.md" line_range="155" />
<code_context>
+| `mcpGateway.hostname` | Hostname for the HTTPRoute | `""` |
+| `mcpGateway.toolPrefix` | Prefix for tools exposed via the gateway | `stackrox_` |
+
+**Note:** Requires [MCP Gateway](https://github.com/Kuadrant/mcp-gateway) to be installed on the cluster. The chart validates that the required CRDs (`gateway.networking.k8s.io/v1` and `mcp.kagenti.com/v1alpha1`) are available and fails with a descriptive error if they are not. See [MCP Gateway Integration](../../docs/mcp-gateway-integration.md) for details.
+
 ### Scheduling
</code_context>
<issue_to_address>
**issue (bug_risk):** The CRD group `mcp.kagenti.com/v1alpha1` appears to be misspelled or incorrect.

Since this integrates with `Kuadrant/mcp-gateway`, please confirm the correct API group for `MCPServerRegistration` (the `kagenti.com` domain looks wrong) and update this reference so the chart validates against the actual CRD group users should install.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[github-actions]

E2E Test Results

Commit: 8ec36c9
Workflow Run: View Details
Artifacts: Download test results & logs

=== Evaluation Summary ===

  ✓ cve-cluster-does-exist (assertions: 3/3)
  ✓ list-clusters (assertions: 3/3)
  ✓ cve-detected-workloads (assertions: 3/3)
  ✓ rhsa-not-supported (assertions: 2/2)
  ✓ cve-clusters-general (assertions: 3/3)
  ✓ cve-detected-clusters (assertions: 3/3)
  ✓ cve-log4shell (assertions: 3/3)
  ✗ cve-nonexistent (assertions: 3/3)
      one or more verification steps failed
  ~ cve-cluster-list (assertions: 2/3)
      - MaxToolCalls: Too many tool calls: expected <= 5, got 6
  ✓ cve-cluster-does-not-exist (assertions: 3/3)
  ✓ cve-multiple (assertions: 3/3)

Tasks:      10/11 passed (90.91%)
Assertions: 31/32 passed (96.88%)
Tokens:     ~64377 (estimate - excludes system prompt & cache)
MCP schemas: ~12738 (included in token total)
Agent used tokens:
  Input:  18854 tokens
  Output: 25683 tokens
Judge used tokens:
  Input:  44600 tokens
  Output: 42701 tokens

[janisz]

what's this?

[mtodor]

I'm not sure if I fully understand your question.

Matches are required for HTTPRoute. Here is an example: https://docs.kuadrant.io/1.4.x/kuadrant-backstage-plugin/docs/getting-started/#step-2-create-the-gateway-and-httproute

Maybe we can change to /. But having only /mcp is also fine.