Add mcp inspector

ansible-roles/helm_charts/files/helmcharts/connectorhub/templates/config.yaml

@@ -1,12 +1,13 @@
-{{ if .Values.sdk.configMapName }}
+{{- if .Values.sdk.secretName }}
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
-  name: {{ .Values.sdk.configMapName }}
+  name: {{ .Values.sdk.secretName }}
   labels:
     {{- include "connectorhub.labels" . | nindent 4 }}
-data:
-  connectorhub.yaml: |
+type: Opaque
+stringData:
+  connectorhub.yaml: |-
     msp-id: {{ .Values.dlt.mspID }}
     user-id: {{ .Values.dlt.userID }}
     org-domain: {{ .Values.dlt.organization }}.{{ .Values.dlt.domain }}

ansible-roles/helm_charts/files/helmcharts/connectorhub/templates/deployment.yaml

@@ -15,6 +15,7 @@ spec:
         {{- include "connectorhub.labels" . | nindent 8 }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        rollout-nonce: {{ .Values.global.forceRedeployNonce | default "" | quote }}
     spec:
       securityContext:
         runAsUser: 6553
@@ -38,10 +39,14 @@ spec:
           secret:
             secretName: connectorhub-crypto-config
         {{- end }}
-        {{ if .Values.sdk.configMapName }}
+        {{- if .Values.sdk.secretName }}
+        - name: config
+          secret:
+            secretName: {{ .Values.sdk.secretName | quote }}
+        {{- else if .Values.sdk.configMapName }}
         - name: config
           configMap:
-            name: {{ .Values.sdk.configMapName }}
+            name: {{ .Values.sdk.configMapName | quote }}
         {{- end }}
       {{- if not .Values.local }}
       topologySpreadConstraints:
@@ -81,7 +86,7 @@ spec:
               mountPath: /tmp/msp
             - name: state-store
               mountPath: /tmp/state-store
-            {{ if .Values.sdk.configMapName }}
+            {{- if or .Values.sdk.secretName .Values.sdk.configMapName }}
             - name: config
               subPath: connectorhub.yaml
               mountPath: /tmp/fabric/connectorhub.yaml

ansible-roles/helm_charts/files/helmcharts/connectorhub/templates/rbac.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.rbac.create }}
+
+# Grant connectorhub SA the ability to manage pods & subresources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "connectorhub.fullname" . }}-launcher
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "connectorhub.labels" . | nindent 4 }}
+rules:
+  # Pods: create, delete, get/list/watch (for status)
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["create","delete","get","list","watch"]
+  # Pod subresources: exec, logs, attach
+- apiGroups: [""]
+  resources: ["pods/exec","pods/log","pods/attach"]
+  verbs: ["create","get"]
+  # Secrets: upsert your in-memory files
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get","list","watch","create","update","patch","delete"]
+
+---
+# Bind that Role to your ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "connectorhub.fullname" . }}-launcher-binding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "connectorhub.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "connectorhub.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "connectorhub.fullname" . }}-launcher
+  apiGroup: rbac.authorization.k8s.io
+
+{{- end }}

ansible-roles/helm_charts/files/helmcharts/connectorhub/values.yaml

@@ -19,7 +19,7 @@ dlt:
   chaincodeID: com_luthersystems_chaincode_substrate01
 
 sdk:
-  configMapName: connectorhub-config
+  secretName: connectorhub-config
 
 image:
   repository: luthersystems/connectorhub
@@ -75,6 +75,8 @@ serviceAccount:
   create: true
   annotations: {}
   name: ""
+rbac:
+  create: true
 
 nodeSelector: {}
 

ansible-roles/helm_charts/files/helmcharts/ingress/templates/ingress.yaml

@@ -9,18 +9,22 @@ metadata:
 {{ include "ingress.labels" . | indent 4 }}
   annotations:
     alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
-    alb.ingress.kubernetes.io/scheme: {{ .Values.loadBalancer.scheme }}
-    alb.ingress.kubernetes.io/target-type: {{ .Values.loadBalancer.targetType }}
-    alb.ingress.kubernetes.io/backend-protocol: {{ .Values.loadBalancer.backendProtocol }}
-    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.loadBalancer.certificateARN }}
+    alb.ingress.kubernetes.io/scheme: {{ .Values.loadBalancer.scheme | quote }}
+    alb.ingress.kubernetes.io/target-type: {{ .Values.loadBalancer.targetType | quote }}
+    alb.ingress.kubernetes.io/backend-protocol: {{ .Values.loadBalancer.backendProtocol | quote }}
+    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.loadBalancer.certificateARN | quote }}
     alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
     alb.ingress.kubernetes.io/ssl-redirect: '443'
     alb.ingress.kubernetes.io/tags: Project={{ .Values.global.partOf }},Environment={{ .Values.global.projectEnv }},Organization={{ .Values.global.orgName }},Component=app,Resource=alb
-    alb.ingress.kubernetes.io/load-balancer-attributes: {{ $albAttrs }}
-    {{- with .Values.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
+    alb.ingress.kubernetes.io/load-balancer-attributes: {{ $albAttrs | quote }}
+{{ if .Values.annotations }}
+{{ range $k, $v := .Values.annotations }}
+    {{ $k }}: {{- if kindIs "string" $v }} {{ $v | quote }} {{- else }} {{ toJson $v | quote }} {{- end }}
+{{ end }}
+{{ end }}
+{{- if and .Values.externalDNS (ne .Values.matchHost "") }}
     external-dns.alpha.kubernetes.io/hostname: {{ .Values.matchHost | quote }}
+{{- end }}
 spec:
   ingressClassName:  {{ .Values.loadBalancer.class }}
   rules:

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+name: mcp-inspector
+description: "Supergateway (stdio -> HTTP/SSE) that can spawn any MCP server (default: AWS Pricing MCP via uvx)"
+version: 0.1.0
+appVersion: "latest"

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/templates/_helpers.tpl

@@ -0,0 +1,49 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "mcpinspector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "mcpinspector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := include "mcpinspector.name" . -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "mcpinspector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "mcpinspector.labels" -}}
+app.kubernetes.io/name: {{ include "mcpinspector.name" . }}
+helm.sh/chart: {{ include "mcpinspector.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: mcp-gateway
+{{- if .Values.global.partOf }}
+app.kubernetes.io/part-of: {{ .Values.global.partOf }}
+{{- end }}
+{{- end -}}
+
+{{- define "mcpinspector.labels.match" -}}
+app.kubernetes.io/name: {{ include "mcpinspector.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "mcpinspector.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "mcpinspector.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end -}}

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/templates/deployment.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "mcpinspector.fullname" . }}
+  labels:
+    {{- include "mcpinspector.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount | default 1 }}
+  selector:
+    matchLabels:
+      {{- include "mcpinspector.labels.match" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "mcpinspector.labels" . | nindent 8 }}
+      annotations:
+        rollout-nonce: {{ .Values.global.forceRedeployNonce | default "" | quote }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "mcpinspector.serviceAccountName" . }}
+      containers:
+        - name: supergateway
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+          args:
+            - "--stdio"
+            - "{{ .Values.stdioCommand }}"
+            - "--port"
+            - "{{ .Values.supergateway.port }}"
+            - "--ssePath"
+            - "{{ .Values.supergateway.ssePath }}"
+            - "--messagePath"
+            - "{{ .Values.supergateway.messagePath }}"
+            - "--healthEndpoint"
+            - "{{ .Values.supergateway.healthPath }}"
+            {{- if .Values.supergateway.baseUrl }}
+            - "--baseUrl"
+            - "{{ .Values.supergateway.baseUrl }}"
+            {{- end }}
+            {{- if .Values.supergateway.cors }}
+            - "--cors"
+            {{- end }}
+            {{- if .Values.supergateway.logLevel }}
+            - "--logLevel"
+            - "{{ .Values.supergateway.logLevel }}"
+            {{- end }}
+            {{- if .Values.supergateway.oauth2Bearer }}
+            - "--oauth2Bearer"
+            - "{{ .Values.supergateway.oauth2Bearer }}"
+            {{- end }}
+            {{- range $h := .Values.supergateway.headers }}
+            - "--header"
+            - "{{ $h }}"
+            {{- end }}
+          env:
+            {{- range $k, $v := .Values.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ ( .Values.supergateway.port | default 8000 ) | int }}
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.supergateway.healthPath }}
+              port: {{ ( .Values.supergateway.port | default 8000 ) | int }}
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.supergateway.healthPath }}
+              port: {{ ( .Values.supergateway.port | default 8000 ) | int }}
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "mcpinspector.fullname" . }}
+  labels: {{- include "mcpinspector.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type | default "ClusterIP" }}
+  ports:
+    - name: http
+      port: {{ .Values.service.port | default 80 }}
+      targetPort: http
+      protocol: TCP
+  selector: {{- include "mcpinspector.labels.match" . | nindent 4 }}

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "mcpinspector.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "mcpinspector.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

ansible-roles/helm_charts/files/helmcharts/mcp-inspector/values.yaml

@@ -0,0 +1,48 @@
+global:
+  partOf: app
+
+replicaCount: 1
+
+image:
+  # Use the Docker Hub image that includes uvx
+  repository: supercorp/supergateway
+  tag: uvx
+  pullPolicy: IfNotPresent
+
+# Command that Supergateway runs in stdio mode
+# This stays as ONE string arg after --stdio
+stdioCommand: "uvx awslabs.aws-pricing-mcp-server@latest"
+
+supergateway:
+  port: 8000
+  ssePath: /sse
+  messagePath: /message
+  healthPath: /healthz
+  baseUrl: "" # e.g., "http://0.0.0.0:8000" (optional)
+  cors: true # enable CORS; good for local/dev
+  logLevel: info
+  oauth2Bearer: "" # if you call out to remote SSE/HTTP servers
+  headers: [] # e.g., ["X-API-Key: abc123", "X-Another: value"]
+
+# Environment for the spawned MCP server (and/or gateway)
+# Typically you’ll set region + rely on IRSA via serviceAccount annotations.
+env:
+  AWS_REGION: "us-west-2"
+  FASTMCP_LOG_LEVEL: "INFO"
+
+service:
+  type: ClusterIP
+  port: 80
+
+resources: {}
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""

ansible-roles/helm_charts/files/helmcharts/shiroclient/templates/deployment.yaml

@@ -23,6 +23,7 @@ spec:
       annotations:
         phylum/version: {{ .Values.phylum.version }}
         checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        rollout-nonce: {{ .Values.global.forceRedeployNonce | default "" | quote }}
     spec:
       securityContext:
         runAsUser: 6553

ansible-roles/helm_charts/files/helmcharts/supergateway/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+name: supergateway
+description: "Supergateway (stdio -> HTTP/SSE) that can spawn any MCP server (default: AWS Pricing MCP via uvx)"
+version: 0.1.0
+appVersion: "latest"