Merge pull request #361 from maleck13/session-store

Session mgmt revamp

Author: david-martin

Makefile

@@ -108,6 +108,12 @@ deploy-broker: install-crd ## Deploy only the broker/router (without controller)
 	kubectl apply -f config/mcp-system/deployment-broker.yaml
 	kubectl apply -k config/mcp-system/ --dry-run=client -o yaml | kubectl apply -f - -l app=mcp-gateway
 
+.PHONY: configure-redis
+configure-redis:  ## patch deployment with redis connection
+	kubectl apply -f config/mcp-system/redis-deployment.yaml
+	kubectl apply -f config/mcp-system/redis-service.yaml
+	kubectl patch deployment mcp-broker-router -n mcp-system --patch-file config/mcp-system/deployment-controller-redis-patch.yaml
+
 # Deploy only the controller
 deploy-controller: install-crd ## Deploy only the controller
 	kubectl apply -f config/mcp-system/namespace.yaml
@@ -148,6 +154,7 @@ deploy-example: install-crd ## Deploy example MCPServer resource
 	@kubectl wait --for=condition=ready pod -n mcp-test -l app=mcp-custom-path-server --timeout=60s 2>/dev/null || true
 	@kubectl wait --for=condition=ready pod -n mcp-test -l app=mcp-oidc-server --timeout=60s
 	@kubectl wait --for=condition=ready pod -n mcp-test -l app=everything-server --timeout=60s
+	@kubectl wait --for=condition=ready pod -n mcp-test -l app=mcp-custom-response --timeout=60s
 	@echo "All test servers ready, deploying MCPServer resources..."
 	kubectl apply -f config/samples/mcpserver-test-servers.yaml
 	@echo "Waiting for controller to process MCPServer..."
@@ -167,6 +174,8 @@ build-test-servers: ## Build test server Docker images locally
 	cd tests/servers/custom-path-server && $(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_EXTRA_FLAGS) -t ghcr.io/kagenti/mcp-gateway/test-custom-path-server:latest .
 	cd tests/servers/oidc-server && $(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_EXTRA_FLAGS) -t ghcr.io/kagenti/mcp-gateway/test-oidc-server:latest .
 	cd tests/servers/everything-server && $(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_EXTRA_FLAGS) -t ghcr.io/kagenti/mcp-gateway/test-everything-server:latest .
+	cd tests/servers/custom-response-server && $(CONTAINER_ENGINE) build $(CONTAINER_ENGINE_EXTRA_FLAGS) -t ghcr.io/kagenti/mcp-gateway/custom-response-server:latest .	
+
 
 # Load test server images into Kind cluster
 kind-load-test-servers: kind build-test-servers ## Load test server images into Kind cluster
@@ -179,6 +188,7 @@ kind-load-test-servers: kind build-test-servers ## Load test server images into
 	$(call load-image,ghcr.io/kagenti/mcp-gateway/test-custom-path-server:latest)
 	$(call load-image,ghcr.io/kagenti/mcp-gateway/test-oidc-server:latest)
 	$(call load-image,ghcr.io/kagenti/mcp-gateway/test-everything-server:latest)
+	$(call load-image,ghcr.io/kagenti/mcp-gateway/custom-response-server:latest)
 
 # Deploy test servers
 deploy-test-servers: kind-load-test-servers ## Deploy test MCP servers for local testing

cmd/mcp-broker-router/main.go

@@ -18,6 +18,7 @@ import (
 	extProcV3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
 	"github.com/fsnotify/fsnotify"
 	"github.com/kagenti/mcp-gateway/internal/broker"
+	"github.com/kagenti/mcp-gateway/internal/clients"
 	config "github.com/kagenti/mcp-gateway/internal/config"
 	mcpRouter "github.com/kagenti/mcp-gateway/internal/mcp-router"
 	"github.com/kagenti/mcp-gateway/internal/session"
@@ -49,20 +50,25 @@ func init() {
 	_ = gatewayv1.Install(scheme)
 }
 
+var (
+	mcpRouterAddrFlag         string
+	mcpBrokerAddrFlag         string
+	mcpConfigAddrFlag         string
+	mcpRoutePublicHost        string
+	mcpRoutePrivateHost       string
+	mcpRouterKey              string
+	cacheConnectionStringFlag string
+	mcpConfigFile             string
+	jwtSigningKeyFlag         string
+	sessionDurationInMins     int64
+	loglevel                  int
+	logFormat                 string
+	controllerMode            bool
+	enforceToolFilteringFlag  bool
+)
+
 func main() {
-	var (
-		mcpRouterAddrFlag        string
-		mcpBrokerAddrFlag        string
-		mcpConfigAddrFlag        string
-		mcpRoutePublicHost       string
-		mcpConfigFile            string
-		jwtSigningKeyFlag        string
-		sessionDurationInHours   int64
-		loglevel                 int
-		logFormat                string
-		controllerMode           bool
-		enforceToolFilteringFlag bool
-	)
+
 	flag.StringVar(
 		&mcpRouterAddrFlag,
 		"mcp-router-address",
@@ -81,6 +87,20 @@ func main() {
 		"",
 		"The public host the MCP Gateway is exposing MCP servers on. The gateway router will always set the :authority header to this value to ensure the broker component cannot be bypassed.",
 	)
+	flag.StringVar(
+		&mcpRoutePrivateHost,
+		"mcp-gateway-private-host",
+		"mcp-gateway-istio.gateway-system.svc.cluster.local:8080",
+		"The private host the MCP Gateway. The gateway router will use this to hairpin request to initialize MCP servers etc.",
+	)
+
+	// TODO ick not sure how to describe this
+	flag.StringVar(
+		&mcpRouterKey,
+		"mcp-router-key",
+		goenv.GetDefault("MCP_ROUTER_API_KEY", "secret-api-key"),
+		"this key is used to allow the router to send request through the gateway and be trusted by the router",
+	)
 	flag.StringVar(
 		&mcpConfigAddrFlag,
 		"mcp-broker-config-address",
@@ -99,9 +119,20 @@ func main() {
 		int(slog.LevelInfo),
 		"set the log level 0=info, 4=warn , 8=error and -4=debug",
 	)
+	flag.StringVar(&jwtSigningKeyFlag,
+		"session-signing-key",
+		goenv.GetDefault("JWT_SESSION_SIGNING_KEY", defaultJWTSigningKey),
+		"JWT signing key for session tokens (env: JWT_SESSION_SIGNING_KEY)",
+	)
+	//"redis://redis.mcp-system.svc.cluster.local:6379
+	flag.StringVar(&cacheConnectionStringFlag,
+		"cache-connection-string",
+		goenv.GetDefault("CACHE_CONNECTION_STRING", ""),
+		"redis based cache connection string redis://<user>:<pass>@localhost:6379/<db> (env: CACHE_CONNECTION_STRING). If not set defaults to  in memory storage",
+	)
 	flag.StringVar(&logFormat, "log-format", "txt", "switch to json logs with --log-format=json")
-	flag.StringVar(&jwtSigningKeyFlag, "session-signing-key", goenv.GetDefault("JWT_SESSION_SIGNING_KEY", defaultJWTSigningKey), "JWT signing key for session tokens (env: JWT_SESSION_SIGNING_KEY)")
-	flag.Int64Var(&sessionDurationInHours, "session-length", 24, "default session length with the gateway in hours")
+
+	flag.Int64Var(&sessionDurationInMins, "session-length", 60*24, "default session length with the gateway in minutes. Default 24h")
 	flag.BoolVar(&controllerMode, "controller", false, "Run in controller mode")
 	flag.BoolVar(&enforceToolFilteringFlag, "enforce-tool-filtering", false, "when enabled an x-authorized-tools header will be needed to return any tools")
 	flag.Parse()
@@ -140,6 +171,19 @@ func main() {
 	}
 
 	ctx := context.Background()
+
+	sessionCache, err := session.NewCache()
+	if err != nil {
+		panic("failed to setup session cache" + err.Error())
+	}
+	if cacheConnectionStringFlag != "" {
+		logger.Info("session cache using external store")
+		sessionCache, err = session.NewCache(session.WithConnectionString(cacheConnectionStringFlag))
+		if err != nil {
+			panic("failed to setup session cache" + err.Error())
+		}
+	}
+
 	var jwtSessionMgr *session.JWTManager
 	if jwtSigningKeyFlag == "" {
 		panic("jwt session signing key is empty. Cannot proceed")
@@ -148,22 +192,24 @@ func main() {
 		logger.Warn("jwt session signing key is set to the default value. This is not recommended for production")
 	}
 
-	jwtmgr, err := session.NewJWTManager(jwtSigningKeyFlag, sessionDurationInHours, logger)
+	jwtmgr, err := session.NewJWTManager(jwtSigningKeyFlag, sessionDurationInMins, logger, sessionCache)
 	if err != nil {
 		panic("failed to setup jwt manager " + err.Error())
 	}
 	jwtSessionMgr = jwtmgr
 
 	configServer := setUpConfigServer(mcpConfigAddrFlag)
 	brokerServer, mcpBroker, mcpServer := setUpBroker(mcpBrokerAddrFlag, enforceToolFilteringFlag, jwtSessionMgr)
-	routerGRPCServer, router := setUpRouter(mcpBroker, logger, jwtSessionMgr)
+	routerGRPCServer, router := setUpRouter(mcpBroker, logger, jwtSessionMgr, sessionCache)
 	mcpConfig.RegisterObserver(router)
 	mcpConfig.RegisterObserver(mcpBroker)
 	if mcpRoutePublicHost == "" {
 		panic("--mcp-gateway-public-host cannot be empty. The mcp gateway needs to be informed of what public host to expect requests from so it can ensure routing and session mgmt happens. Set --mcp-gateway-public-host")
 	}
 
-	mcpConfig.MCPGatewayHostname = mcpRoutePublicHost
+	mcpConfig.MCPGatewayExternalHostname = mcpRoutePublicHost
+	mcpConfig.MCPGatewayInternalHostname = mcpRoutePrivateHost
+	mcpConfig.RouterAPIKey = mcpRouterKey
 
 	// Only load config and run broker/router in standalone mode
 	LoadConfig(mcpConfigFile)
@@ -296,20 +342,19 @@ func setUpConfigServer(address string) *http.Server {
 	}
 }
 
-func setUpRouter(broker broker.MCPBroker, logger *slog.Logger, jwtManager *session.JWTManager) (*grpc.Server, *mcpRouter.ExtProcServer) {
-	grpcSrv := grpc.NewServer()
+func setUpRouter(broker broker.MCPBroker, logger *slog.Logger, jwtManager *session.JWTManager, sessionCache *session.Cache) (*grpc.Server, *mcpRouter.ExtProcServer) {
 
+	grpcSrv := grpc.NewServer()
 	// Create the ExtProcServer instance
 	server := &mcpRouter.ExtProcServer{
 		RoutingConfig: mcpConfig,
-		// TODO this seems wrong. Why does the router need to be passed an instance of the broker?
-		Broker:     broker,
-		Logger:     logger,
-		JWTManager: jwtManager,
-	}
+		Logger:        logger,
+		JWTManager:    jwtManager,
+		InitForClient: clients.Initialize,
+		SessionCache:  sessionCache,
+		Broker:        broker, // TODO we shouldn't need a handle to broker in the router
 
-	// Setup the session cache with proper initialization
-	server.SetupSessionCache()
+	}
 
 	extProcV3.RegisterExternalProcessorServer(grpcSrv, server)
 	return grpcSrv, server

config/mcp-system/deployment-controller-redis-patch.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mcp-broker-router
+  namespace: mcp-system
+spec:
+  template:
+    spec:
+      containers:
+        - name: mcp-broker-router
+          command:
+            - ./mcp_gateway
+            - --mcp-gateway-config=/config/config.yaml
+            - --mcp-broker-public-address=0.0.0.0:8080
+            - --mcp-broker-config-address=0.0.0.0:8181
+            - --mcp-gateway-public-host=mcp.127-0-0-1.sslip.io
+            - --mcp-router-address=0.0.0.0:50051
+            - --log-level=-4
+            - --cache-connection-string=redis://redis.mcp-system.svc.cluster.local:6379

config/mcp-system/redis-deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: mcp-system
+  labels:
+    app: redis
+    component: cache
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+      component: cache
+  template:
+    metadata:
+      labels:
+        app: redis
+        component: cache
+    spec:
+      containers:
+        - name: redis
+          image: redis:7-alpine
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          resources:
+            requests:
+              memory: '64Mi'
+              cpu: '50m'
+            limits:
+              memory: '256Mi'
+              cpu: '200m'
+          livenessProbe:
+            tcpSocket:
+              port: 6379
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 5
+            periodSeconds: 10

config/mcp-system/redis-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: mcp-system
+  labels:
+    app: redis
+    component: cache
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: 6379
+      protocol: TCP
+      name: redis
+  selector:
+    app: redis
+    component: cache

config/samples/mcpserver-test-servers.yaml

@@ -5,7 +5,7 @@ metadata:
   name: test-server1
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   # Tool prefix applied to all servers in this MCPServer
   toolPrefix: test_
@@ -21,7 +21,7 @@ metadata:
   name: test-server2
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   toolPrefix: test2_
   targetRef:
@@ -36,7 +36,7 @@ metadata:
   name: test-server3
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   toolPrefix: test3_
   targetRef:
@@ -51,7 +51,7 @@ metadata:
   name: api-key-server
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   toolPrefix: apikey_
   targetRef:
@@ -69,7 +69,7 @@ metadata:
   name: custom-path-server
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   # custom path - this server uses /v1/special/mcp instead of /mcp
   path: /v1/special/mcp
@@ -86,7 +86,7 @@ metadata:
   name: oidc-server
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   # Validates OpenID Connect (OIDC) Bearer tokens issued by a configured OIDC provider
   toolPrefix: oidc_
@@ -104,11 +104,26 @@ metadata:
   name: everything-server
   namespace: mcp-test
   labels:
-    "kagenti/mcp": "true"
+    'kagenti/mcp': 'true'
 spec:
   toolPrefix: everything_
   targetRef:
     # MCP Everything Server - Typescript SDK based (prompts, tools, resources, sampling)
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: everything-server-route
+---
+apiVersion: mcp.kagenti.com/v1alpha1
+kind: MCPServer
+metadata:
+  name: custom-response
+  namespace: mcp-test
+  labels:
+    'kagenti/mcp': 'true'
+spec:
+  toolPrefix: custom_resp_
+  targetRef:
+    # MCP Everything Server - Typescript SDK based (prompts, tools, resources, sampling)
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: mcp-custom-response-route