removed additional mcp transport, streamlined MCP Auth resolution

[blublinsky]

Description

Type of change

• [ x] Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change

Related Tickets & Documents

• Related Issue #
  OLS-2275
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

[blublinsky]

/retest

[onmete]

Can we rename this to just headers? I understand we use it for auth purposes now, but it can be any other arbitrary headers.

[blublinsky]

We can, but this was original name. To do this, we also need to change operator. So unless you absolutely want this, I would prefer to leave it

[onmete]

Where? I see you changed it in one of the lcore func in operator, but this service accepts only headers in the current head.

[blublinsky]

in the operator internal/controller/appserver/assets.go, line 783

[onmete]

I'm not sure if that is the right reference: https://github.com/openshift/lightspeed-operator/blob/main/internal/controller/appserver/assets.go#L783C7-L783C122
Currently it produces this config:

mcp_servers:
  - name: "openshift"
    transport: "streamable_http"
    streamable_http:
      url: "http://localhost:8080/mcp"
      timeout: 60
      sse_read_timeout: 30
      headers:
        Authorization: "kubernetes"

The authorization_headers is used for lcore config.

[blublinsky]

fixed

[onmete]

The Field should work without the Ellipsis, eg. just

name: str = Field(
    title="MCP name",
    description="MCP server name that must be unique",
)

[blublinsky]

It is required field. Thats Pydantic convention to use Elipsees

[onmete]

It is required for pydantic < 2

[blublinsky]

fixed

[onmete]

Please move up to the rest of the class attributes - before the private attr and property

[blublinsky]

done

[onmete]

Have you tested other (smaller) models? Or we just use the same thing we already have available?

[blublinsky]

both

[onmete]

This doesn't need to be in this PR, right?

[blublinsky]

I am synching operator with service. Its question of 4 PRs vs 2

[onmete]

Are you confident that this config won't change with the actual implementation of the tool filtering? It would make sense to me to have this as part of the actual implementation, but if you tell me this is stable lets proceed.

[onmete]

Is it a feature of mcp servers or ols? Answer implies position in the config.

[blublinsky]

ols - tools filtering is an OLS property

[onmete]

Right, the lines were truncated in a way that it seems like it is under MCPConfig, my bad.

[onmete]

Should it also be case-insensitive for special values "kubernetes" and "client"?

[blublinsky]

Its using constants now

[onmete]

Would both of these work the same?

mcp_servers:
- name: openshift
  url: "http://localhost:8989/mcp"
  headers:
     bla: "kubernetes"

and

mcp_servers:
- name: openshift
  url: "http://localhost:8989/mcp"
  headers:
     bla: "KUBERNETES"

[asamal4]

Probably this should be a comment for operator changes.
is this going to be user facing ? We will probably end up using same embedding model what we package as part of RAG, considering on-prem scenario.

As far service is concerned, It is not aligned with the RAG embedding model property. This is in-consistent

[blublinsky]

This is a completely separate RAG. So technically here we can use a completely different model. In general I do not foresee users ever changing it, but just in case it is there. And of course it is aligned with the operator

[asamal4]

I am specifically talking about on-prem scenario where we can not download the model from huggingface. Model has to be picked from file-system/volume. For RAG use-case we are handling this. So similar processing we need to do for tool rag also. In this case we will provide a path to the embedding model..

[asamal4]

Regarding parameter name inconsistency in Service/API: Agree that this embedding model is for different purpose (and can be a different model), but IMO we should keep same parameter name in both places. For RAG the name is embeddings_model_path and here we are using embed_model. But this is not very critical. It's up to you.

[blublinsky]

fixed

[blublinsky]

/retest

[blublinsky]

ci/prow/e2e-ols-cluster failure is expected for the following tests:
azure_openai_tool_calling
openai_tool_calling
watsonx_tool_calling
These tests add MCP configuration, but the operator is still creating old configuration. As a result app server fails to start properly

[bparees]

nit, but maybe make this look more like a traditional header name?

[bparees]

describe what header(name, format) is passed to the MCP server when this is used.

[blublinsky]

It can apply to any header name. If you are asking that it has to be Authorization, the answer is no

[bparees]

So in the sample:

authorization_headers:
      Authorization: kubernetes

Authorization is the name of the header that will be passed to the mcp server? So can i write:

authorization_headers:
      my-custom-header: kubernetes

?

If so, there is a lot of implicit behavior here that I can't say i love.

Explicit behavior would be something like:

authorization_headers:
  k8s-token:
    headername: Authorization
  custom-header:
   headername: my-custom-header
   headervalue: /path/to/secret

(And if either of those subsections aren't populated, that behavior isn't enabled)

but at a minimum if you're going to keep it this way, more doc is needed please

[blublinsky]

header_name: kubernetes token

[bparees]

So in the sample:

authorization_headers:
      Authorization: kubernetes

Authorization is the name of the header that will be passed to the mcp server? So can i write:

authorization_headers:
      my-custom-header: kubernetes

?

If so, there is a lot of implicit behavior here that I can't say i love.

Explicit behavior would be something like:

authorization_headers:
  k8s-token:
    headername: Authorization
  custom-header:
   headername: my-custom-header
   headervalue: /path/to/secret

(And if either of those subsections aren't populated, that behavior isn't enabled)

but at a minimum if you're going to keep it this way, more doc is needed please

[bparees]

also how do multiple headers work? How do you specify more than one, and does each one have a different path to a file containing its token? how are they linked?

[blublinsky]

you can specify as many as you want, each with its own path. they are all added as headers to the MCP server calls

[bparees]

Yeah but how do you specify more than one? This example seems to imply it's not a yaml array, so what's the actual schema to do that?

[blublinsky]

ah. you are looking at the service, that is pure python executable driven by configuration. Yaml is used by the operator openshift/lightspeed-operator#1222

[blublinsky]

ah. you are looking at the service, that knows nothing about yaml. jaml is in the operator.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joshuawilson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[onmete]

Lets resolve pending comments and proceed with this.

[onmete]

So you kept it as headers, right? Can you please update the title and rest of the refs (docs) that are using authorization_headers?

[blublinsky]

done

[onmete]

Can you pretty please explain why we need to bring this to the OLS before we migrate to LCORE? Do you see a usecase/need prior to that?

[blublinsky]

because

1. We are making a change in the operator, which is not compatible with the old configuration. Its easier to make a change here to keep an operator clean
2. This makes the code smaller and more streamlined
3. It makes it simpler to wire tools RAG, next PRs
4. There is an important corner case in toolsRag implementation related to the client's headers. I would like to make sure I do it correctly here before moving it to LCore

[onmete]

I have my reservations here, but for the sake of progressing, let's move on.

[onmete]

So in the sample:

authorization_headers:
Authorization: kubernetes
Authorization is the name of the header that will be passed to the mcp server? So can i write:

authorization_headers:
my-custom-header: kubernetes
?

If so, there is a lot of implicit behavior here that I can't say i love.

Explicit behavior would be something like:

authorization_headers:
k8s-token:
headername: Authorization
custom-header:
headername: my-custom-header
headervalue: /path/to/secret
(And if either of those subsections aren't populated, that behavior isn't enabled)

but at a minimum if you're going to keep it this way, more doc is needed please

Why I can't just reply and continue the conversation as a thread here - github ux is driving me nuts...

Anyway, @bparees I agree that this would be more explicit for users. We can consider using this format in the user-facing OLSConfig CR. But changing this on the config level would require to also change it in LCORE side, which might (or might not) break someone else on LCORE that already uses it.
WDYT @blublinsky?

[blublinsky]

the user facing definition openshift/lightspeed-operator#1222 describes it clearer (I hope) and even contains examples

[openshift-ci]

@blublinsky: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-ols-cluster	38ab1d6	link	true	/test e2e-ols-cluster
ci/prow/ols-evaluation	38ab1d6	link	true	/test ols-evaluation

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.