TLS Support

Author: mtodor

charts/stackrox-mcp/README.md

@@ -126,9 +126,10 @@ The following table lists the configurable parameters of the StackRox MCP chart
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `openshift.route.host` | Route hostname | `""` |
-| `openshift.route.tls.enabled` | Enable TLS for route | `true` |
-| `openshift.route.tls.termination` | TLS termination type | `edge` |
+| `openshift.route.TLSEnabled` | Enable TLS for route | `true` |
+| `openshift.route.tls.termination` | TLS termination type (auto: reencrypt if TLS enabled) | `reencrypt` |
 | `openshift.route.tls.insecureEdgeTerminationPolicy` | Policy for insecure edge traffic | `Redirect` |
+| `openshift.route.tls.destinationCACertificate` | CA certificate for pod verification | `""` |
 
 ### Scheduling
 
@@ -170,7 +171,10 @@ The following table lists the configurable parameters of the StackRox MCP chart
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `config.server.address` | Server listen address | `0.0.0.0` |
-| `config.server.port` | Server listen port | `8080` |
+| `config.server.port` | Server listen port | `8443` |
+| `config.server.TLSEnabled` | Enable TLS/HTTPS on server | `true` |
+| `config.server.TLSCertPath` | Certificate path in container | `/certs/tls.crt` |
+| `config.server.TLSKeyPath` | Private key path in container | `/certs/tls.key` |
 
 #### Tools Configuration
 
@@ -223,6 +227,91 @@ The chart maintains security hardening on OpenShift:
 
 The chart is compatible with the `restricted-v2` SCC on OpenShift.
 
+### End-to-End TLS/HTTPS Configuration
+
+The chart supports end-to-end TLS encryption from client to pod, providing secure communication throughout the entire connection path.
+
+#### Architecture
+
+When TLS is enabled (`config.server.TLSEnabled: true`):
+```
+Client (HTTPS)
+  → LoadBalancer/Route (TLS passthrough/re-encryption)
+    → Service (HTTPS port 8443)
+      → Pod (HTTPS on port 8443)
+```
+
+When TLS is disabled:
+```
+Client (HTTPS)
+  → LoadBalancer/Route (TLS edge termination)
+    → Service (HTTP port 8080)
+      → Pod (HTTP on port 8080)
+```
+
+#### TLS Secret Configuration
+
+The chart provides two ways to configure TLS certificates:
+
+##### Option 1: Generate Secret from Certificate Data (Recommended)
+
+Provide certificate data in values.yaml and the chart will create the secret automatically:
+
+```yaml
+tlsSecret:
+  caCert: |
+    -----BEGIN CERTIFICATE-----
+    MIIDXTCCAkWgAwIBAgIJAK...
+    -----END CERTIFICATE-----
+  caKey: |
+    -----BEGIN PRIVATE KEY-----
+    MIIEvQIBADANBgkqhkiG9w0...
+    -----END PRIVATE KEY-----
+```
+
+Installation:
+```bash
+helm install stackrox-mcp charts/stackrox-mcp \
+  --namespace stackrox-mcp \
+  --create-namespace \
+  --set-file tlsSecret.caCert=/path/to/tls.crt \
+  --set-file tlsSecret.caKey=/path/to/tls.key \
+  --set-file openshift.route.tls.destinationCACertificate=/path/to/tls.crt
+```
+
+The chart creates a secret named `<release-name>-stackrox-mcp-tls` automatically.
+
+##### Option 2: Use Existing Secret
+
+Reference an existing Kubernetes TLS secret:
+
+```yaml
+tlsSecret:
+  existingSecretName: "my-existing-tls-secret"
+```
+
+Prerequisites:
+```bash
+kubectl create secret tls my-existing-tls-secret \
+  --cert=/path/to/tls.crt \
+  --key=/path/to/tls.key \
+  --namespace stackrox-mcp
+```
+
+**Important Notes:**
+- When `tlsSecret.existingSecretName` is set, `tlsSecret.caCert` and `tlsSecret.caKey` are ignored
+- Both `caCert` and `caKey` must be provided together
+- Use `--set-file` to load certificates from files (recommended over embedding in values)
+- Never commit certificate data to version control
+
+##### Generating Self-Signed Certificates
+
+For testing purposes, you can create a self-signed certificate:
+
+```bash
+openssl req -x509 -newkey rsa:2048 -days 365 -keyout tls.key -out tls.crt -nodes
+```
+
 ### High Availability Setup
 
 For high availability with multiple replicas:
@@ -298,8 +387,13 @@ Common issues:
 Test the health endpoint:
 
 ```bash
+# For HTTP (TLS disabled)
 kubectl run -i --tty --rm debug --image=curlimages/curl --restart=Never -- \
   curl http://stackrox-mcp.stackrox-mcp:8080/health
+
+# For HTTPS (TLS enabled)
+kubectl run -i --tty --rm debug --image=curlimages/curl --restart=Never -- \
+  curl -k https://stackrox-mcp.stackrox-mcp.svc.cluster.local:8443/health
 ```
 
 Expected response: `{"status":"ok"}`

charts/stackrox-mcp/templates/NOTES.txt

@@ -24,4 +24,25 @@ StackRox MCP Server Configuration:
 
 To test connectivity:
   $ kubectl run -i --tty --rm debug --image=curlimages/curl --restart=Never -- \
-    curl http://{{ include "stackrox-mcp.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}/health
+    curl -h {{ include "stackrox-mcp.portName" . }}://{{ include "stackrox-mcp.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}/health
+
+{{- if and (eq (include "stackrox-mcp.isOpenshift" .) "true") .Values.config.server.TLSEnabled (ne .Values.openshift.route.tls.termination "reencrypt") }}
+WARN: OpenShift route TLS termination should be set to "reencrypt" if TLS encryption is enabled. You should set ".openshift.route.tls.termination" to "reencrypt".
+{{- end }}
+
+{{- if .Values.config.server.TLSEnabled }}
+
+TLS Configuration:
+  Secret Name: {{ include "stackrox-mcp.tlsSecretName" . }}
+  {{- if .Values.tlsSecret.existingSecretName }}
+  Status: Using existing secret "{{ .Values.tlsSecret.existingSecretName }}"
+  {{- else if and .Values.tlsSecret.caCert .Values.tlsSecret.caKey }}
+  Status: Generated secret with provided certificates
+  {{- else }}
+
+  WARNING: TLS is enabled but no certificate configuration found!
+  Please provide either:
+  - tlsSecret.existingSecretName (to use existing secret)
+  - tlsSecret.caCert and tlsSecret.caKey (to generate secret)
+  {{- end }}
+{{- end }}

charts/stackrox-mcp/templates/_helpers.tpl

@@ -62,3 +62,21 @@ Detect if running on OpenShift
 {{- define "stackrox-mcp.isOpenshift" -}}
 {{- .Capabilities.APIVersions.Has "route.openshift.io/v1" -}}
 {{- end }}
+
+{{/*
+Define application port name
+*/}}
+{{- define "stackrox-mcp.portName" -}}
+{{ if .Values.config.server.TLSEnabled }}https{{ else }}http{{ end }}
+{{- end }}
+
+{{/*
+TLS Secret name - returns existingSecretName if set, otherwise generates name
+*/}}
+{{- define "stackrox-mcp.tlsSecretName" -}}
+{{- if .Values.tlsSecret.existingSecretName }}
+{{- .Values.tlsSecret.existingSecretName }}
+{{- else }}
+{{- include "stackrox-mcp.fullname" . }}-tls
+{{- end }}
+{{- end }}

charts/stackrox-mcp/templates/configmap.yaml

@@ -22,11 +22,18 @@ data:
     global:
       read_only_tools: {{ .Values.config.global.readOnlyTools }}
 
-    # HTTP server configuration
+    # HTTP/HTTPS server configuration
     server:
       type: "streamable-http"
       address: {{ .Values.config.server.address | quote }}
       port: {{ .Values.config.server.port }}
+      {{- if .Values.config.server.TLSEnabled }}
+      tls_enabled: true
+      tls_cert_path: {{ .Values.config.server.TLSCertPath | quote }}
+      tls_key_path: {{ .Values.config.server.TLSKeyPath | quote }}
+      {{- else }}
+      tls_enabled: false
+      {{- end }}
 
     # MCP tools configuration
     {{- if not (or .Values.config.tools.vulnerability.enabled .Values.config.tools.configManager.enabled) }}

charts/stackrox-mcp/templates/deployment.yaml

@@ -65,7 +65,7 @@ spec:
           - --config
           - /config/config.yaml
         ports:
-        - name: http
+        - name: {{ include "stackrox-mcp.portName" . }}
           containerPort: {{ .Values.config.server.port }}
           protocol: TCP
         {{- with .Values.extraEnv }}
@@ -74,22 +74,53 @@ spec:
         {{- end }}
         {{- if .Values.livenessProbe.enabled }}
         livenessProbe:
-          {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 10 }}
+          httpGet:
+            path: /health
+            port: {{ include "stackrox-mcp.portName" . }}
+            {{- if .Values.config.server.TLSEnabled }}
+            scheme: HTTPS
+            {{- end }}
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
         {{- end }}
         {{- if .Values.readinessProbe.enabled }}
         readinessProbe:
-          {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 10 }}
+          httpGet:
+            path: /health
+            port: {{ include "stackrox-mcp.portName" . }}
+            {{- if .Values.config.server.TLSEnabled }}
+            scheme: HTTPS
+            {{- end }}
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
         {{- end }}
         resources:
           {{- toYaml .Values.resources | nindent 10 }}
         volumeMounts:
         - name: config
           mountPath: /config
           readOnly: true
+        {{- if .Values.config.server.TLSEnabled }}
+        - name: tls-certs
+          mountPath: /certs
+          readOnly: true
+        {{- end }}
       volumes:
       - name: config
         configMap:
           name: {{ include "stackrox-mcp.configMapName" . }}
+      {{- if .Values.config.server.TLSEnabled }}
+      - name: tls-certs
+        secret:
+          secretName: {{ include "stackrox-mcp.tlsSecretName" . }}
+          defaultMode: 0440
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/stackrox-mcp/templates/route.yaml

@@ -20,10 +20,13 @@ spec:
     kind: Service
     name: {{ include "stackrox-mcp.fullname" . }}
   port:
-    targetPort: http
+    targetPort: {{ include "stackrox-mcp.portName" . }}
   {{- if .Values.openshift.route.tls.enabled }}
   tls:
     termination: {{ .Values.openshift.route.tls.termination }}
     insecureEdgeTerminationPolicy: {{ .Values.openshift.route.tls.insecureEdgeTerminationPolicy }}
+    {{- if and .Values.config.server.TLSEnabled .Values.openshift.route.tls.destinationCACertificate }}
+    destinationCACertificate: {{ .Values.openshift.route.tls.destinationCACertificate | quote }}
+    {{- end }}
   {{- end }}
 {{- end }}

charts/stackrox-mcp/templates/secret.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.config.server.TLSEnabled (not .Values.tlsSecret.existingSecretName) }}
+{{- if not (and .Values.tlsSecret.caCert .Values.tlsSecret.caKey) }}
+{{- fail "Both tlsSecret.caCert and tlsSecret.caKey must be provided together" }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "stackrox-mcp.tlsSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "stackrox-mcp.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.tlsSecret.caCert | b64enc }}
+  tls.key: {{ .Values.tlsSecret.caKey | b64enc }}
+{{- end }}

charts/stackrox-mcp/templates/service.yaml

@@ -11,10 +11,13 @@ metadata:
   {{- end }}
 spec:
   type: {{ .Values.service.type }}
+  {{- if eq .Values.service.type "LoadBalancer" }}
+  sessionAffinity: ClientIP
+  {{- end }}
   ports:
   - port: {{ .Values.service.port }}
-    targetPort: {{ .Values.service.targetPort }}
+    targetPort: {{ include "stackrox-mcp.portName" . }}
     protocol: TCP
-    name: http
+    name: {{ include "stackrox-mcp.portName" . }}
   selector:
     {{- include "stackrox-mcp.selectorLabels" . | nindent 4 }}

charts/stackrox-mcp/values.yaml

@@ -56,11 +56,19 @@ securityContext:
 
 # Service configuration
 service:
-  type: ClusterIP
+  type: LoadBalancer
   port: 8080
-  targetPort: 8080
   annotations: {}
 
+# TLS Secret configuration
+tlsSecret:
+  # Existing secret name can be provided if already existing secret with certificate and key is used
+  existingSecretName: ""
+  # CA Certificate
+  caCert: ""
+  # CA Key
+  caKey: ""
+
 # Resource limits and requests
 resources:
   limits:
@@ -73,9 +81,6 @@ resources:
 # Liveness probe configuration
 livenessProbe:
   enabled: true
-  httpGet:
-    path: /health
-    port: http
   initialDelaySeconds: 10
   periodSeconds: 10
   timeoutSeconds: 5
@@ -85,9 +90,6 @@ livenessProbe:
 # Readiness probe configuration
 readinessProbe:
   enabled: true
-  httpGet:
-    path: /health
-    port: http
   initialDelaySeconds: 5
   periodSeconds: 5
   timeoutSeconds: 3
@@ -113,9 +115,16 @@ openshift:
     host: ""
     tls:
       enabled: true
-      termination: edge
+
+      # Termination type: 'reencrypt' for end-to-end TLS, 'edge' for TLS termination at router
+      termination: reencrypt
       insecureEdgeTerminationPolicy: Redirect
 
+      # Destination CA certificate (optional)
+      # This is the CA that signed the pod's certificate
+      # If not provided, router will use its own CA bundle to verify pod certificate
+      destinationCACertificate: ""
+
 # StackRox MCP Configuration
 config:
   # Central connection configuration
@@ -148,13 +157,21 @@ config:
     # Allow only read-only MCP tools (default: true)
     readOnlyTools: true
 
-  # HTTP server configuration
+  # HTTP/HTTPS server configuration
   server:
     # Server listen address (default: 0.0.0.0)
     address: "0.0.0.0"
 
-    # Server listen port (1-65535, default: 8080)
-    port: 8080
+    # Server listen port (1-65535, default: 8443 for HTTPS, 8080 for HTTP)
+    port: 8443
+
+    # Enable TLS/HTTPS on the application server (default: true)
+    # When enabled, provides end-to-end encryption from client to pod
+    TLSEnabled: true
+
+    # Mount paths for certificates inside the container
+    TLSCertPath: "/certs/tls.crt"
+    TLSKeyPath: "/certs/tls.key"
 
   # MCP tools configuration
   # At least one tool must be enabled